112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

Analysis

max time kernel
299s
max time network
308s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
09/10/2023, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
Size

1.7MB
MD5

8a6e052190852c548257228bdee5dc93
SHA1

aeb51c07086a8f4e058e5f35a619978adee1af7f
SHA256

112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d
SHA512

a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 33 IoCs

pid	Process
2172	spoolsv.exe
5024	spoolsv.exe
2992	spoolsv.exe
1016	spoolsv.exe
2752	spoolsv.exe
2736	spoolsv.exe
4368	spoolsv.exe
4780	spoolsv.exe
4616	spoolsv.exe
4576	spoolsv.exe
4940	spoolsv.exe
3976	spoolsv.exe
1424	spoolsv.exe
5048	spoolsv.exe
2972	spoolsv.exe
2928	spoolsv.exe
4184	spoolsv.exe
4808	spoolsv.exe
2880	spoolsv.exe
3424	spoolsv.exe
1484	spoolsv.exe
5084	spoolsv.exe
1888	spoolsv.exe
3964	spoolsv.exe
316	spoolsv.exe
5024	spoolsv.exe
3140	spoolsv.exe
2108	spoolsv.exe
1020	spoolsv.exe
296	spoolsv.exe
920	spoolsv.exe
4292	spoolsv.exe
2860	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\DESIGNER\lsass.exe	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
File created	C:\Program Files\Common Files\DESIGNER\6203df4a6bafc7	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\SearchUI.exe	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\dab4d89cac03ec	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe

Runs ping.exe 1 TTPs 16 IoCs

Remote System Discovery

T1018

pid	Process
2140	PING.EXE
5092	PING.EXE
1440	PING.EXE
3808	PING.EXE
4116	PING.EXE
2072	PING.EXE
600	PING.EXE
2696	PING.EXE
3716	PING.EXE
4452	PING.EXE
4244	PING.EXE
3700	PING.EXE
4616	PING.EXE
920	PING.EXE
5000	PING.EXE
3736	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeIncreaseQuotaPrivilege	4848	powershell.exe
Token: SeSecurityPrivilege	4848	powershell.exe
Token: SeTakeOwnershipPrivilege	4848	powershell.exe
Token: SeLoadDriverPrivilege	4848	powershell.exe
Token: SeSystemProfilePrivilege	4848	powershell.exe
Token: SeSystemtimePrivilege	4848	powershell.exe
Token: SeProfSingleProcessPrivilege	4848	powershell.exe
Token: SeIncBasePriorityPrivilege	4848	powershell.exe
Token: SeCreatePagefilePrivilege	4848	powershell.exe
Token: SeBackupPrivilege	4848	powershell.exe
Token: SeRestorePrivilege	4848	powershell.exe
Token: SeShutdownPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeSystemEnvironmentPrivilege	4848	powershell.exe
Token: SeRemoteShutdownPrivilege	4848	powershell.exe
Token: SeUndockPrivilege	4848	powershell.exe
Token: SeManageVolumePrivilege	4848	powershell.exe
Token: 33	4848	powershell.exe
Token: 34	4848	powershell.exe
Token: 35	4848	powershell.exe
Token: 36	4848	powershell.exe
Token: SeIncreaseQuotaPrivilege	4396	powershell.exe
Token: SeSecurityPrivilege	4396	powershell.exe
Token: SeTakeOwnershipPrivilege	4396	powershell.exe
Token: SeLoadDriverPrivilege	4396	powershell.exe
Token: SeSystemProfilePrivilege	4396	powershell.exe
Token: SeSystemtimePrivilege	4396	powershell.exe
Token: SeProfSingleProcessPrivilege	4396	powershell.exe
Token: SeIncBasePriorityPrivilege	4396	powershell.exe
Token: SeCreatePagefilePrivilege	4396	powershell.exe
Token: SeBackupPrivilege	4396	powershell.exe
Token: SeRestorePrivilege	4396	powershell.exe
Token: SeShutdownPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeSystemEnvironmentPrivilege	4396	powershell.exe
Token: SeRemoteShutdownPrivilege	4396	powershell.exe
Token: SeUndockPrivilege	4396	powershell.exe
Token: SeManageVolumePrivilege	4396	powershell.exe
Token: 33	4396	powershell.exe
Token: 34	4396	powershell.exe
Token: 35	4396	powershell.exe
Token: 36	4396	powershell.exe
Token: SeIncreaseQuotaPrivilege	3112	powershell.exe
Token: SeSecurityPrivilege	3112	powershell.exe
Token: SeTakeOwnershipPrivilege	3112	powershell.exe
Token: SeLoadDriverPrivilege	3112	powershell.exe
Token: SeSystemProfilePrivilege	3112	powershell.exe
Token: SeSystemtimePrivilege	3112	powershell.exe
Token: SeProfSingleProcessPrivilege	3112	powershell.exe
Token: SeIncBasePriorityPrivilege	3112	powershell.exe
Token: SeCreatePagefilePrivilege	3112	powershell.exe
Token: SeBackupPrivilege	3112	powershell.exe
Token: SeRestorePrivilege	3112	powershell.exe
Token: SeShutdownPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeSystemEnvironmentPrivilege	3112	powershell.exe
Token: SeRemoteShutdownPrivilege	3112	powershell.exe
Token: SeUndockPrivilege	3112	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 4396	4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe	69
PID 4852 wrote to memory of 4396	4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe	69
PID 4852 wrote to memory of 1328	4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe	70
PID 4852 wrote to memory of 1328	4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe	70
PID 4852 wrote to memory of 3112	4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe	71
PID 4852 wrote to memory of 3112	4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe	71
PID 4852 wrote to memory of 4848	4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe	75
PID 4852 wrote to memory of 4848	4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe	75
PID 4852 wrote to memory of 4812	4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe	74
PID 4852 wrote to memory of 4812	4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe	74
PID 4852 wrote to memory of 2696	4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe	79
PID 4852 wrote to memory of 2696	4852	112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe	79
PID 2696 wrote to memory of 1468	2696	cmd.exe	81
PID 2696 wrote to memory of 1468	2696	cmd.exe	81
PID 2696 wrote to memory of 2072	2696	cmd.exe	82
PID 2696 wrote to memory of 2072	2696	cmd.exe	82
PID 2696 wrote to memory of 2172	2696	cmd.exe	84
PID 2696 wrote to memory of 2172	2696	cmd.exe	84
PID 2172 wrote to memory of 3104	2172	spoolsv.exe	85
PID 2172 wrote to memory of 3104	2172	spoolsv.exe	85
PID 3104 wrote to memory of 3408	3104	cmd.exe	87
PID 3104 wrote to memory of 3408	3104	cmd.exe	87
PID 3104 wrote to memory of 4616	3104	cmd.exe	88
PID 3104 wrote to memory of 4616	3104	cmd.exe	88
PID 3104 wrote to memory of 5024	3104	cmd.exe	89
PID 3104 wrote to memory of 5024	3104	cmd.exe	89
PID 5024 wrote to memory of 4124	5024	spoolsv.exe	90
PID 5024 wrote to memory of 4124	5024	spoolsv.exe	90
PID 4124 wrote to memory of 4912	4124	cmd.exe	92
PID 4124 wrote to memory of 4912	4124	cmd.exe	92
PID 4124 wrote to memory of 4896	4124	cmd.exe	93
PID 4124 wrote to memory of 4896	4124	cmd.exe	93
PID 4124 wrote to memory of 2992	4124	cmd.exe	94
PID 4124 wrote to memory of 2992	4124	cmd.exe	94
PID 2992 wrote to memory of 4160	2992	spoolsv.exe	95
PID 2992 wrote to memory of 4160	2992	spoolsv.exe	95
PID 4160 wrote to memory of 4068	4160	cmd.exe	97
PID 4160 wrote to memory of 4068	4160	cmd.exe	97
PID 4160 wrote to memory of 4956	4160	cmd.exe	98
PID 4160 wrote to memory of 4956	4160	cmd.exe	98
PID 4160 wrote to memory of 1016	4160	cmd.exe	99
PID 4160 wrote to memory of 1016	4160	cmd.exe	99
PID 1016 wrote to memory of 512	1016	spoolsv.exe	100
PID 1016 wrote to memory of 512	1016	spoolsv.exe	100
PID 512 wrote to memory of 5016	512	cmd.exe	102
PID 512 wrote to memory of 5016	512	cmd.exe	102
PID 512 wrote to memory of 3720	512	cmd.exe	103
PID 512 wrote to memory of 3720	512	cmd.exe	103
PID 512 wrote to memory of 2752	512	cmd.exe	104
PID 512 wrote to memory of 2752	512	cmd.exe	104
PID 2752 wrote to memory of 1424	2752	spoolsv.exe	105
PID 2752 wrote to memory of 1424	2752	spoolsv.exe	105
PID 1424 wrote to memory of 296	1424	cmd.exe	107
PID 1424 wrote to memory of 296	1424	cmd.exe	107
PID 1424 wrote to memory of 600	1424	cmd.exe	108
PID 1424 wrote to memory of 600	1424	cmd.exe	108
PID 1424 wrote to memory of 2736	1424	cmd.exe	109
PID 1424 wrote to memory of 2736	1424	cmd.exe	109
PID 2736 wrote to memory of 796	2736	spoolsv.exe	110
PID 2736 wrote to memory of 796	2736	spoolsv.exe	110
PID 796 wrote to memory of 5064	796	cmd.exe	112
PID 796 wrote to memory of 5064	796	cmd.exe	112
PID 796 wrote to memory of 920	796	cmd.exe	113
PID 796 wrote to memory of 920	796	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe
"C:\Users\Admin\AppData\Local\Temp\112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\DESIGNER\lsass.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\spoolsv.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\en-US\SearchUI.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R3LCJ8E699.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1468
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:2072
- - C:\Users\Admin\Cookies\spoolsv.exe
    "C:\Users\Admin\Cookies\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zd9hDRpsN.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3104
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3408
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:4616
    - - C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oUlhQHDc2p.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4896
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fYr4aOzGbc.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4956
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oUlhQHDc2p.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3720
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mtjCtAJTq7.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:600
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hvmsyECndV.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:5064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:920
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PSx7mMsuZM.bat"
        16⤵
        
        PID:4292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4864
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N51JOWfNXS.bat"
        18⤵
        
        PID:4428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4236
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:1440
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CY6B1XXruX.bat"
        20⤵
        
        PID:4120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4184
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fMhC4n1i0S.bat"
        22⤵
        
        PID:3636
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qe7zIwqSAW.bat"
        24⤵
        
        PID:2820
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jWoOVK6woD.bat"
        26⤵
        
        PID:4548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:4504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1620
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AjNu1VgdjQ.bat"
        28⤵
        
        PID:2272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4740
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8MS6cfT7hX.bat"
        30⤵
        
        PID:4336
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        Runs ping.exe
        
        PID:2696
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1nTHBcTHHD.bat"
        32⤵
        
        PID:3856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:1176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:3984
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J59ArupckC.bat"
        34⤵
        
        PID:2856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:4404
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fMhC4n1i0S.bat"
        36⤵
        
        PID:3712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:4080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        Runs ping.exe
        
        PID:3736
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yEObGBIDe9.bat"
        38⤵
        
        PID:1604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:1016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        39⤵
        
        PID:4112
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jKeWzk8OD4.bat"
        40⤵
        
        PID:368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:2444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        Runs ping.exe
        
        PID:2140
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW3UwTeX78.bat"
        42⤵
        
        PID:4216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:4884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        43⤵
        
        PID:4340
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jKeWzk8OD4.bat"
        44⤵
        
        PID:2128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:4792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        45⤵
        Runs ping.exe
        
        PID:3716
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7AIE64VZ5N.bat"
        46⤵
        
        PID:3692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:2176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        47⤵
        
        PID:3432
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hvmsyECndV.bat"
        48⤵
        
        PID:3416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:1468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        49⤵
        Runs ping.exe
        
        PID:5092
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DjG3X7WPVh.bat"
        50⤵
        
        PID:5076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:5044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        Runs ping.exe
        
        PID:4452
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6lQa6YaxVp.bat"
        52⤵
        
        PID:4540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:4836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        53⤵
        
        PID:4080
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i7wkUpBKEf.bat"
        54⤵
        
        PID:224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:1368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        55⤵
        
        PID:3036
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3CLvB8Otsl.bat"
        56⤵
        
        PID:1552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:2156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        57⤵
        
        PID:828
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7AIE64VZ5N.bat"
        58⤵
        
        PID:1184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:3588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        59⤵
        
        PID:3720
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6lQa6YaxVp.bat"
        60⤵
        
        PID:4076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:3900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        61⤵
        
        PID:868
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OEGMIRuqZy.bat"
        62⤵
        
        PID:4796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:1920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        63⤵
        Runs ping.exe
        
        PID:4244
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CY6B1XXruX.bat"
        64⤵
        
        PID:2180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:2208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        65⤵
        
        PID:4368
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nIbptgF5Rf.bat"
        66⤵
        
        PID:1888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        67⤵
        
        PID:2172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        67⤵
        Runs ping.exe
        
        PID:4116
        
        C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        67⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dxpZ3I66Pu.bat"
        68⤵
        
        PID:4428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        69⤵
        
        PID:1756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        69⤵
        Runs ping.exe
        
        PID:3700

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:5000

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1776

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:3808

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
d9fbbda32f03209ae8e2d8e1ce595b32

SHA1
04996e2efdd89a0a7f5172690f96d34abe28ccc6

SHA256
d3f038da27a23a26f88df2466c10c4a846acfdbb323987d5cdd235ade8c16a60

SHA512
5ff8493732d18f6439e548a8149d291e619ad98d4d2280367add07e8fcf38d55803bf2396dba897a239ae0ed1455b157f3a7f827432196c52bc94c5f4154db6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3afb35eac65590018a218b5bf7be753

SHA1
ac43475bc5b081e905a59baaab3c2611f29eec78

SHA256
3ae4c1b313ed2d74d5d0814d64d4accf94d66237f01df0d71380c114e3cd88fd

SHA512
07fc235740b68cf88428dd0531323c0938fdfd57cdf41e7826ab34bdb2714c5375df1279f10c23357d2dbb7a60070f9f79a234f06209eaa9fda92aa49d6bc9de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3afb35eac65590018a218b5bf7be753

SHA1
ac43475bc5b081e905a59baaab3c2611f29eec78

SHA256
3ae4c1b313ed2d74d5d0814d64d4accf94d66237f01df0d71380c114e3cd88fd

SHA512
07fc235740b68cf88428dd0531323c0938fdfd57cdf41e7826ab34bdb2714c5375df1279f10c23357d2dbb7a60070f9f79a234f06209eaa9fda92aa49d6bc9de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a90f4e1b0898b8b277dad6efb3b3b7f4

SHA1
4df6e08aae55e79856840bc56ea5923ef63471eb

SHA256
7c290e79580a7a932332753043ac7ae8b7de1478e4ec54e0b25793a6cb237b75

SHA512
2fd81ad1172853ffaff663fd3ff8d1881b4abf290e24cd4dc261fe1e22a0a85021236cc6f88750596a98e4f1e63e873452a3ea850de1a3d0d08a797e7270c6d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a90f4e1b0898b8b277dad6efb3b3b7f4

SHA1
4df6e08aae55e79856840bc56ea5923ef63471eb

SHA256
7c290e79580a7a932332753043ac7ae8b7de1478e4ec54e0b25793a6cb237b75

SHA512
2fd81ad1172853ffaff663fd3ff8d1881b4abf290e24cd4dc261fe1e22a0a85021236cc6f88750596a98e4f1e63e873452a3ea850de1a3d0d08a797e7270c6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1nTHBcTHHD.bat

Filesize
210B

MD5
f940d43dba58f0451e4c1b1c1d95c262

SHA1
25fc9ed59d990f022837075cac7110fc42014f32

SHA256
6495a28f1ccf66238e37b8b9965953f9ee3b32bc0d4e676e89168668968fd538

SHA512
1279ed34763bee686884c8cd493ca7a9c93df0609623eab11a9785db760edf80af2d01e8bbe2959b7b315c5e4c2934de8a28ae027371316505cc3b9eeef06581

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zd9hDRpsN.bat

Filesize
162B

MD5
1e7c0e3d71c3bfe0b25eebbc04ada1a0

SHA1
62f3754c299f34dee7a8f1983c10d0b1583827eb

SHA256
fef578886e725a1bea90032c0980d29eb9a2f70248e527c3cf8fb7628b5024d6

SHA512
7a7c83c99e0d02f5afd3c7a051643c5449cf87faf891d7df665ba9c6fef89704dc3598814f168f02a7d70771f04fdf1d1a927e02bdb91c8eb2a9fb020d1a21f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CLvB8Otsl.bat

Filesize
210B

MD5
20791730b10ef7bd9a8a32c3bb756a66

SHA1
ac248937d3359ceed111b7e9ea0f2c4a76b70202

SHA256
e5ee8a36ed22196d5083d9c4984626679c6c65821832a2fff72adfe870656adc

SHA512
3284e15cefa55b8561a4f79dfae35037e4676088e3e5697a986ea50b05d5d219e659e7aa818a6cd99be0599f4a9ace738e573944606b2cb469506110fa78ae4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6lQa6YaxVp.bat

Filesize
210B

MD5
0543f50f8da308c4c87c1d82693155f8

SHA1
5be974a2342f2c1e3631ccb7ab07ae366ae9d0bd

SHA256
322e27ebed9862e9adac5b09cb591bb26713757cda88984b99217e00bcd04606

SHA512
576e85b5893616f9ce7265181ceb127afb65bf00db18b0d52738a234e19c4c781e4203eec647adcef8da5d3b7573ce216707dff5807e1417fa98957f8d1e27d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AIE64VZ5N.bat

Filesize
210B

MD5
eda2205fb9882912c905d0aaf70dc301

SHA1
b4d518331aab6181f202d910dc2b1b7942824a20

SHA256
23b0e819cdff5762f9ac3ac9b387a08015735d73af1688580c801537bf356f68

SHA512
de8831b13170f83ad7fde00a5e1ebbf65bdefd869b2fd3fec120df73876360cba7c25f29fe3f7b5264a6ec01c1c13ea8211912fd188ee68fd0d1bea642070195

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AIE64VZ5N.bat

Filesize
210B

MD5
eda2205fb9882912c905d0aaf70dc301

SHA1
b4d518331aab6181f202d910dc2b1b7942824a20

SHA256
23b0e819cdff5762f9ac3ac9b387a08015735d73af1688580c801537bf356f68

SHA512
de8831b13170f83ad7fde00a5e1ebbf65bdefd869b2fd3fec120df73876360cba7c25f29fe3f7b5264a6ec01c1c13ea8211912fd188ee68fd0d1bea642070195

Download Submit
C:\Users\Admin\AppData\Local\Temp\8MS6cfT7hX.bat

Filesize
162B

MD5
109c14a95861725d8ebad7d43c26198d

SHA1
8d45d3cac3cf6abeff16d19d58ae82030801a210

SHA256
eb806ba054c327d28ced901eb2e3f05df39d7ca936eb0ad71381aee7fd647bd8

SHA512
1133f315f5868d31a423b5ace29fa0d77013388601661b3e0ced61b0027c64ece8f88e289968ba04d16c4c9e2e1b9cee731671f9d739edcf13cac2ee917e8b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AjNu1VgdjQ.bat

Filesize
210B

MD5
f76b2f8def4a73709280c81c920f1282

SHA1
e22dead0f5b37fb91345c3ac3e5266e9ad860570

SHA256
89983c98f5ca864f4a15dc089df28691364e69870c0aca93c099ead94ea3d5bc

SHA512
3e9c8aa10c0d189c3e4cd36c697c5e61e19212f6dfe5d80581f49e737bfddc3aa971b714bbff63719bcefffd077a23bd0632a04f52c57709500bb136262de8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CY6B1XXruX.bat

Filesize
210B

MD5
e07fd04fff160839a0efae8d3de75f9f

SHA1
09f35f0eb1b1a66dc526fe6bb3aab52e008f7619

SHA256
e8da915c06df5eabea43f0f1fbca663e57846cd2d78d94152c0209e467a77eaa

SHA512
a51d6a5afda5e4a6435438d16f47cf42073aaa5f70fe2b17126553942536109195076c8b566cca759452f4c1e3bc83102e9af105d7bd99058713c25ddc1e67a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DjG3X7WPVh.bat

Filesize
162B

MD5
47635017194b7542dffc2d0bf0987a72

SHA1
a0e33069ae894be0e812f2b6fef550ad753ece1a

SHA256
613b1ed8d899ad8c262440f54484b15833be98b06338a60acdd413ef2d184de5

SHA512
65d5fdf413e65b9f70d08d55fd948584f55a150c3cef78ee17d120d688c33473290c101bcba5082eb4c9cc93fa0f1fdbb5fdc9693aeda338dcdda430dab407b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GW3UwTeX78.bat

Filesize
210B

MD5
eef73bb91d780ed9cf303848628710bf

SHA1
50b2e16b6e94eafe4928774694e0bae253bdac96

SHA256
87a2d29221aa6c775aa70487a0b5efa903404f9f2312e199a453ce61aead06bd

SHA512
b9343e814c7dba3769d917c18e55e80d6b0a5503b3ff490cb044bc09ef3dfcfcc3926509f38f36cfd1dad90f06674c32c000bfdefc28fea01dfc5e44e9bf3daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\J59ArupckC.bat

Filesize
210B

MD5
1211b539d81a518abb9aaf64ade68eca

SHA1
8934631cad6834f521c281c840b46af46283c97e

SHA256
a19eaf7bb89c71424801d14b2216c79f4874bc3257330854d05c5b565b543a59

SHA512
ea0413111c0e447ea9cbfcf7579527732776cb2fa2d163e973a0a72bf7456c1544a67004e07ab7b4a70da8a9d03457f08d9d45f045bdd7783d9a4e87d9f2d087

Download Submit
C:\Users\Admin\AppData\Local\Temp\N51JOWfNXS.bat

Filesize
162B

MD5
5ae33880dea2395be7e6af66256ca8f1

SHA1
5b1537206a7cb4ef2105bd25cc45c42513733177

SHA256
52cb17a2ee8ba86e85854ee9fbfc07b4f55349bda2c320189eb0f9bb045050da

SHA512
0bb1f8f0d2016e9f83a36f84f0926ccfdc59b215e633dff24d452af78dad063cac30d7c2800e6bb721fd1cf29477c40c50a063452d02f07f046b2dbe924372ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSx7mMsuZM.bat

Filesize
210B

MD5
cb9b7adfb875b41ce8cf035659a83345

SHA1
acbebde17163e85a36eeb73f9d5a2a51e00c9d77

SHA256
487dc23e1f2f1e6d805520365db83ae4575c40f7e9c208381069f940b54c67a4

SHA512
c75d51c809999a4da59f79a6520e6703be504c13b3bc8ee14dff1bb8e46b987be5791367a2b5775a334805141383c0ecb20e2b93d8005dfef415ff2596fdbd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qe7zIwqSAW.bat

Filesize
162B

MD5
91a30edcf86fbebb733564f934530145

SHA1
72567dd7bf4a67372f32fc3a4b00759c1ecccfc4

SHA256
d67a1fee85da1032ad6b92d0e45f56125dd0f4ddd929bcbd606757d35c636a06

SHA512
8ef9b593e628eecfee54870b66615252a1bd02a55bb9a4a966dfcadbacf8d5caaa9e906c052fb6dd38f375225c7d117f39ad93b7c7673185d4a1aa45f4ba103b

Download Submit
C:\Users\Admin\AppData\Local\Temp\R3LCJ8E699.bat

Filesize
162B

MD5
0ae2a5722406c2b682e23c6fec4109d3

SHA1
7ec1e55b4984c385f96d2bd0acaeb760a5e678ad

SHA256
a2b69a4d7a8ddb0aacc250338fad22ea943b240bf010343a7c3f5d5860c2b605

SHA512
62f19cab37c621c8dda54506cf6693fffd0282a2167a1c84db7b883ffaa5068c0ab71f6dee1b7fc8692dfa2cbda4fd812d1f813ed101701a18a51a62c2a35dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_izdbznl4.pg2.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMhC4n1i0S.bat

Filesize
162B

MD5
80640d9e4c785f3e6972451739dab087

SHA1
99be0d6bab84cd7130cf91355262d0a41e8c074c

SHA256
deb4de58042acf561573cfda897bda845318b3ea6930d11f838d4a7d5aa89609

SHA512
31682fa3cbb375106806b83d8c81192f1f6f2b4249a9a43fdaf1c5d6038971dc69148cc0d0cf18479cf53191937b15884d330a6b3ca8b812747f9ee0521e5f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMhC4n1i0S.bat

Filesize
162B

MD5
80640d9e4c785f3e6972451739dab087

SHA1
99be0d6bab84cd7130cf91355262d0a41e8c074c

SHA256
deb4de58042acf561573cfda897bda845318b3ea6930d11f838d4a7d5aa89609

SHA512
31682fa3cbb375106806b83d8c81192f1f6f2b4249a9a43fdaf1c5d6038971dc69148cc0d0cf18479cf53191937b15884d330a6b3ca8b812747f9ee0521e5f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYr4aOzGbc.bat

Filesize
210B

MD5
bffad4e4aab46ceb900b4e296ca51c2f

SHA1
5fcfc1261c8ac047a56bf010ac13d2fc579d7430

SHA256
c3d40560a170eae6fbccdc5108952a8088ed700043c8f25ed333f0fadd350114

SHA512
24680e1988fca92d1be94e0ea51749aa04099bd4c55b425c59e153c97e754c54106ae7b060fed3343047fc2db0ba195020ec5a90a0dfb844bc89533f9947e729

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvmsyECndV.bat

Filesize
162B

MD5
85e741611f6efec85c185a6fffbaf499

SHA1
34ebb6a8900417b0ca2f18a7f60c27ab19ff30ef

SHA256
f15916c048d5cfe057ad72427a46a4161f4fb00a9fdaffc0a6db0b8d50bd0615

SHA512
fdc72b8b00ea7576df3bc444773b0a07b3aa03721c6279c4ca5a71728ce507b342168cd414cdbbaa004766873fb7e458ac597b860fef6d303e579666351c4cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvmsyECndV.bat

Filesize
162B

MD5
85e741611f6efec85c185a6fffbaf499

SHA1
34ebb6a8900417b0ca2f18a7f60c27ab19ff30ef

SHA256
f15916c048d5cfe057ad72427a46a4161f4fb00a9fdaffc0a6db0b8d50bd0615

SHA512
fdc72b8b00ea7576df3bc444773b0a07b3aa03721c6279c4ca5a71728ce507b342168cd414cdbbaa004766873fb7e458ac597b860fef6d303e579666351c4cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\i7wkUpBKEf.bat

Filesize
210B

MD5
fb194d255e031429cab59f299ef03474

SHA1
33360016601cbc13c2dc672d137dfd6c64343f0e

SHA256
9f05d4b3f708c9c758d059a6b97a8eb552915c7b1d2f9a363a9345327ff64c0e

SHA512
d79d627769a0255811bca2e197a55be4faced3a2d0d0439cdd2c2706b43fbbda185ffae871b734fca3d78cc82cc21b9c80306ebc621d36ca10701a5f2f8362c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jKeWzk8OD4.bat

Filesize
162B

MD5
126872227d08199cb0fb329c04b5adc7

SHA1
82bab4d75e5dcd8fb849b01d0c88c93ab5953aba

SHA256
1c6d4fdac706098358c6150166f2f7be5cce36a455d176ed41e0ca0df58692c4

SHA512
85b6923e589dcd567d83fc48611c354d7ce7c2faa5bc0c37fa31cfb2183d5fd8d0eda2117faead44ce62630da86fa0d82d307a69fc7213d25f9bb096ef3570f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jKeWzk8OD4.bat

Filesize
162B

MD5
126872227d08199cb0fb329c04b5adc7

SHA1
82bab4d75e5dcd8fb849b01d0c88c93ab5953aba

SHA256
1c6d4fdac706098358c6150166f2f7be5cce36a455d176ed41e0ca0df58692c4

SHA512
85b6923e589dcd567d83fc48611c354d7ce7c2faa5bc0c37fa31cfb2183d5fd8d0eda2117faead44ce62630da86fa0d82d307a69fc7213d25f9bb096ef3570f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWoOVK6woD.bat

Filesize
210B

MD5
0d83bd15b1993609b35792a086e108eb

SHA1
fb069047468b6405840b1e6ead231e3520648e11

SHA256
b2ea902144d7f1aa0f315c1de4bc8a8ee9f8c4da5b8e03728a2467adc9e5818f

SHA512
7839fd85d40539e441f809083532697a975cc84acae8a8ba702afad2a4a59d23845101d705f73cd093562a6677861503e8f5dc138ba2fdfc80704cb0a2428d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtjCtAJTq7.bat

Filesize
162B

MD5
cea41e6e6f924337d90cbc33260a3fad

SHA1
0cf6aca68f6373d6dc9bd3b801832ece00833d35

SHA256
6a31f3b15ffc74acc8407e4a5fbc378c29126ab14d962e555f299feb7a296431

SHA512
488460a6ff559272273dcdebdac189c9a0ffbeba10aedb3b3d842a895107a47e8970d45bc3597143d32d6d9b2126c70f8e4d393b27c3952440a783e770202cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUlhQHDc2p.bat

Filesize
210B

MD5
7b669bee633e101a49a9a3a2c8cc3b23

SHA1
d18fd41dfdfab93df8fd441d4a260aad7718c410

SHA256
8dd4f4dd55f7e1dd3a24cfe536b31882db301fc8969e23c6eee1db7a58cfc759

SHA512
1249c9e7059e8183184b5b5665b26b56f6b64b089f088b466f823ddfa88ce3be53110128b89db493365c0bace51e513b6a0f48c97f24bc332247004bb2b31167

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUlhQHDc2p.bat

Filesize
210B

MD5
7b669bee633e101a49a9a3a2c8cc3b23

SHA1
d18fd41dfdfab93df8fd441d4a260aad7718c410

SHA256
8dd4f4dd55f7e1dd3a24cfe536b31882db301fc8969e23c6eee1db7a58cfc759

SHA512
1249c9e7059e8183184b5b5665b26b56f6b64b089f088b466f823ddfa88ce3be53110128b89db493365c0bace51e513b6a0f48c97f24bc332247004bb2b31167

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEObGBIDe9.bat

Filesize
210B

MD5
59236ba4812e3d45c328e55388a80415

SHA1
f7f31a260be58b81885a3d67b9defeeecb9ff23e

SHA256
2c3ee982eebe1e4ad9a1651e7a88f2cb2cc9b28cc59a1325586d26157f2d933a

SHA512
dbc34e5da3fbd4f2be36e25b6e2aa6ce5d17a4a559aed511b46a7c53c8d60899a8126b9756e56d2ba2d79237762cc723a73695a4b3bd1052349063a19b0c24b7

Download Submit
C:\Users\Admin\Cookies\spoolsv.exe

Filesize
1.7MB

MD5
8a6e052190852c548257228bdee5dc93

SHA1
aeb51c07086a8f4e058e5f35a619978adee1af7f

SHA256
112418a6a6c5a81c3f3aa715e3ff3bd81517b33244427b79f89ad92144d5bb9d

SHA512
a04bfdc7fe102f7b476bf12a1f6b5c52fc1a37b7c63b3cb928176d253249cd256b82d51481adc9121288982a791b59035a3d383f768b12d20b0af0ed1cf01e71

Download Submit
memory/296-929-0x000000001BB20000-0x000000001BBDF000-memory.dmp

Filesize
764KB

Download
memory/316-827-0x000000001BCE0000-0x000000001BD9F000-memory.dmp

Filesize
764KB

Download
memory/920-948-0x000000001C670000-0x000000001C72F000-memory.dmp

Filesize
764KB

Download
memory/1016-384-0x000000001C3A0000-0x000000001C45F000-memory.dmp

Filesize
764KB

Download
memory/1020-910-0x000000001B0A0000-0x000000001B15F000-memory.dmp

Filesize
764KB

Download
memory/1328-295-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/1328-62-0x000001CF73D00000-0x000001CF73D10000-memory.dmp

Filesize
64KB

Download
memory/1328-260-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/1328-267-0x000001CF73D00000-0x000001CF73D10000-memory.dmp

Filesize
64KB

Download
memory/1328-268-0x000001CF73D00000-0x000001CF73D10000-memory.dmp

Filesize
64KB

Download
memory/1328-265-0x000001CF73D00000-0x000001CF73D10000-memory.dmp

Filesize
64KB

Download
memory/1328-153-0x000001CF73D00000-0x000001CF73D10000-memory.dmp

Filesize
64KB

Download
memory/1328-61-0x000001CF73D00000-0x000001CF73D10000-memory.dmp

Filesize
64KB

Download
memory/1328-47-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/1424-573-0x000000001BE80000-0x000000001BF3F000-memory.dmp

Filesize
764KB

Download
memory/1484-743-0x000000001B310000-0x000000001B3CF000-memory.dmp

Filesize
764KB

Download
memory/1888-785-0x000000001BD30000-0x000000001BDEF000-memory.dmp

Filesize
764KB

Download
memory/2108-890-0x000000001BEF0000-0x000000001BFAF000-memory.dmp

Filesize
764KB

Download
memory/2172-302-0x00000000014B0000-0x00000000014B1000-memory.dmp

Filesize
4KB

Download
memory/2172-319-0x000000001C3C0000-0x000000001C47F000-memory.dmp

Filesize
764KB

Download
memory/2172-303-0x000000001B8F0000-0x000000001B900000-memory.dmp

Filesize
64KB

Download
memory/2172-301-0x000000001B8F0000-0x000000001B900000-memory.dmp

Filesize
64KB

Download
memory/2172-300-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/2736-426-0x000000001C050000-0x000000001C10F000-memory.dmp

Filesize
764KB

Download
memory/2752-405-0x000000001C2A0000-0x000000001C35F000-memory.dmp

Filesize
764KB

Download
memory/2860-986-0x000000001BAD0000-0x000000001BB8F000-memory.dmp

Filesize
764KB

Download
memory/2880-700-0x000000001B980000-0x000000001BA3F000-memory.dmp

Filesize
764KB

Download
memory/2928-636-0x000000001C2A0000-0x000000001C35F000-memory.dmp

Filesize
764KB

Download
memory/2972-615-0x000000001BD10000-0x000000001BDCF000-memory.dmp

Filesize
764KB

Download
memory/2992-362-0x000000001AD50000-0x000000001AE0F000-memory.dmp

Filesize
764KB

Download
memory/3112-67-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/3112-290-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/3112-269-0x00000195D6D60000-0x00000195D6D70000-memory.dmp

Filesize
64KB

Download
memory/3112-167-0x00000195D6D60000-0x00000195D6D70000-memory.dmp

Filesize
64KB

Download
memory/3112-272-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/3112-273-0x00000195D6D60000-0x00000195D6D70000-memory.dmp

Filesize
64KB

Download
memory/3112-277-0x00000195D6D60000-0x00000195D6D70000-memory.dmp

Filesize
64KB

Download
memory/3112-68-0x00000195D6D60000-0x00000195D6D70000-memory.dmp

Filesize
64KB

Download
memory/3112-69-0x00000195D6D60000-0x00000195D6D70000-memory.dmp

Filesize
64KB

Download
memory/3140-869-0x000000001B9E0000-0x000000001BA9F000-memory.dmp

Filesize
764KB

Download
memory/3424-722-0x000000001BF40000-0x000000001BFFF000-memory.dmp

Filesize
764KB

Download
memory/3964-806-0x000000001C570000-0x000000001C62F000-memory.dmp

Filesize
764KB

Download
memory/3976-552-0x000000001C4E0000-0x000000001C59F000-memory.dmp

Filesize
764KB

Download
memory/4184-657-0x000000001C220000-0x000000001C2DF000-memory.dmp

Filesize
764KB

Download
memory/4292-967-0x000000001C040000-0x000000001C0FF000-memory.dmp

Filesize
764KB

Download
memory/4368-447-0x000000001C4E0000-0x000000001C59F000-memory.dmp

Filesize
764KB

Download
memory/4396-218-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/4396-35-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/4396-144-0x0000023F6ECE0000-0x0000023F6ECF0000-memory.dmp

Filesize
64KB

Download
memory/4396-296-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/4396-64-0x0000023F6EC70000-0x0000023F6EC92000-memory.dmp

Filesize
136KB

Download
memory/4396-63-0x0000023F6ECE0000-0x0000023F6ECF0000-memory.dmp

Filesize
64KB

Download
memory/4396-266-0x0000023F6ECE0000-0x0000023F6ECF0000-memory.dmp

Filesize
64KB

Download
memory/4396-52-0x0000023F6ECE0000-0x0000023F6ECF0000-memory.dmp

Filesize
64KB

Download
memory/4396-261-0x0000023F6ECE0000-0x0000023F6ECF0000-memory.dmp

Filesize
64KB

Download
memory/4576-510-0x000000001C590000-0x000000001C64F000-memory.dmp

Filesize
764KB

Download
memory/4616-489-0x000000001C440000-0x000000001C4FF000-memory.dmp

Filesize
764KB

Download
memory/4780-468-0x000000001C520000-0x000000001C5DF000-memory.dmp

Filesize
764KB

Download
memory/4808-678-0x000000001C530000-0x000000001C5EF000-memory.dmp

Filesize
764KB

Download
memory/4812-171-0x00000137E71C0000-0x00000137E71D0000-memory.dmp

Filesize
64KB

Download
memory/4812-66-0x00000137E71C0000-0x00000137E71D0000-memory.dmp

Filesize
64KB

Download
memory/4812-264-0x00000137E71C0000-0x00000137E71D0000-memory.dmp

Filesize
64KB

Download
memory/4812-57-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/4812-262-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/4812-65-0x00000137E71C0000-0x00000137E71D0000-memory.dmp

Filesize
64KB

Download
memory/4812-283-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/4812-270-0x00000137E71C0000-0x00000137E71D0000-memory.dmp

Filesize
64KB

Download
memory/4848-71-0x000001F1081F0000-0x000001F108200000-memory.dmp

Filesize
64KB

Download
memory/4848-263-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/4848-75-0x000001F120520000-0x000001F120596000-memory.dmp

Filesize
472KB

Download
memory/4848-70-0x000001F1081F0000-0x000001F108200000-memory.dmp

Filesize
64KB

Download
memory/4848-282-0x000001F1081F0000-0x000001F108200000-memory.dmp

Filesize
64KB

Download
memory/4848-271-0x000001F1081F0000-0x000001F108200000-memory.dmp

Filesize
64KB

Download
memory/4848-291-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/4848-134-0x000001F1081F0000-0x000001F108200000-memory.dmp

Filesize
64KB

Download
memory/4848-60-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/4852-43-0x0000000002A60000-0x0000000002B1F000-memory.dmp

Filesize
764KB

Download
memory/4852-1-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/4852-11-0x0000000002A20000-0x0000000002A2E000-memory.dmp

Filesize
56KB

Download
memory/4852-14-0x0000000002A30000-0x0000000002A3C000-memory.dmp

Filesize
48KB

Download
memory/4852-9-0x00007FF8B5BD0000-0x00007FF8B5BD1000-memory.dmp

Filesize
4KB

Download
memory/4852-8-0x00000000029D0000-0x00000000029DE000-memory.dmp

Filesize
56KB

Download
memory/4852-0-0x0000000000760000-0x0000000000920000-memory.dmp

Filesize
1.8MB

Download
memory/4852-6-0x00007FF8B5BE0000-0x00007FF8B5BE1000-memory.dmp

Filesize
4KB

Download
memory/4852-5-0x000000001B5F0000-0x000000001B600000-memory.dmp

Filesize
64KB

Download
memory/4852-50-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/4852-15-0x00007FF8B5BB0000-0x00007FF8B5BB1000-memory.dmp

Filesize
4KB

Download
memory/4852-4-0x000000001B5F0000-0x000000001B600000-memory.dmp

Filesize
64KB

Download
memory/4852-17-0x0000000002A40000-0x0000000002A4C000-memory.dmp

Filesize
48KB

Download
memory/4852-3-0x000000001B5F0000-0x000000001B600000-memory.dmp

Filesize
64KB

Download
memory/4852-2-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/4852-40-0x00007FF8A9CD0000-0x00007FF8AA6BC000-memory.dmp

Filesize
9.9MB

Download
memory/4852-12-0x00007FF8B5BC0000-0x00007FF8B5BC1000-memory.dmp

Filesize
4KB

Download
memory/4940-531-0x000000001BC40000-0x000000001BCFF000-memory.dmp

Filesize
764KB

Download
memory/5024-341-0x000000001C4A0000-0x000000001C55F000-memory.dmp

Filesize
764KB

Download
memory/5024-848-0x000000001C1A0000-0x000000001C25F000-memory.dmp

Filesize
764KB

Download
memory/5048-594-0x000000001B8A0000-0x000000001B95F000-memory.dmp

Filesize
764KB

Download
memory/5084-764-0x000000001C7E0000-0x000000001C89F000-memory.dmp

Filesize
764KB

Download