zgrat | f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

Analysis

max time kernel
300s
max time network
299s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
16-10-2023 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
Size

1.7MB
MD5

031c1c644a831931aa5040d5fa4b3e59
SHA1

01e542f520d43d27607f6d257523e3e25afa8d54
SHA256

f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44
SHA512

9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 32 IoCs

resource	yara_rule
behavioral2/memory/2212-0-0x0000000000920000-0x0000000000AE0000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000600000001afc2-26.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-292.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-293.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-317.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-339.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-360.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-381.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-402.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-423.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-444.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-465.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-486.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-507.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-529.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-550.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-571.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-593.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-614.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-635.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-656.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-677.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-698.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-720.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-741.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-762.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-783.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-805.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-826.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-847.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-868.dat	family_zgrat_v1
behavioral2/files/0x000600000001afbc-891.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 31 IoCs

pid	Process
3400	Idle.exe
3384	Idle.exe
4740	Idle.exe
192	Idle.exe
3556	Idle.exe
2280	Idle.exe
2964	Idle.exe
4184	Idle.exe
4816	Idle.exe
3244	Idle.exe
4112	Idle.exe
4176	Idle.exe
5012	Idle.exe
2488	Idle.exe
4300	Idle.exe
1616	Idle.exe
1924	Idle.exe
1028	Idle.exe
3024	Idle.exe
3724	Idle.exe
4644	Idle.exe
368	Idle.exe
4460	Idle.exe
3080	Idle.exe
1560	Idle.exe
4140	Idle.exe
1492	Idle.exe
3892	Idle.exe
1416	Idle.exe
3992	Idle.exe
4412	Idle.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\SearchUI.exe	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\SearchUI.exe	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\dab4d89cac03ec	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Media\Delta\6ccacd8608530f	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
File created	C:\Windows\es-ES\dllhost.exe	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
File created	C:\Windows\es-ES\5940a34987c991	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
File created	C:\Windows\Media\Delta\Idle.exe	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	Idle.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
668	PING.EXE
3628	PING.EXE
5000	PING.EXE
2264	PING.EXE
1260	PING.EXE
448	PING.EXE
3380	PING.EXE
2628	PING.EXE
4296	PING.EXE
3944	PING.EXE
3544	PING.EXE
2644	PING.EXE
3704	PING.EXE
612	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeIncreaseQuotaPrivilege	4200	powershell.exe
Token: SeSecurityPrivilege	4200	powershell.exe
Token: SeTakeOwnershipPrivilege	4200	powershell.exe
Token: SeLoadDriverPrivilege	4200	powershell.exe
Token: SeSystemProfilePrivilege	4200	powershell.exe
Token: SeSystemtimePrivilege	4200	powershell.exe
Token: SeProfSingleProcessPrivilege	4200	powershell.exe
Token: SeIncBasePriorityPrivilege	4200	powershell.exe
Token: SeCreatePagefilePrivilege	4200	powershell.exe
Token: SeBackupPrivilege	4200	powershell.exe
Token: SeRestorePrivilege	4200	powershell.exe
Token: SeShutdownPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeSystemEnvironmentPrivilege	4200	powershell.exe
Token: SeRemoteShutdownPrivilege	4200	powershell.exe
Token: SeUndockPrivilege	4200	powershell.exe
Token: SeManageVolumePrivilege	4200	powershell.exe
Token: 33	4200	powershell.exe
Token: 34	4200	powershell.exe
Token: 35	4200	powershell.exe
Token: 36	4200	powershell.exe
Token: SeIncreaseQuotaPrivilege	772	powershell.exe
Token: SeSecurityPrivilege	772	powershell.exe
Token: SeTakeOwnershipPrivilege	772	powershell.exe
Token: SeLoadDriverPrivilege	772	powershell.exe
Token: SeSystemProfilePrivilege	772	powershell.exe
Token: SeSystemtimePrivilege	772	powershell.exe
Token: SeProfSingleProcessPrivilege	772	powershell.exe
Token: SeIncBasePriorityPrivilege	772	powershell.exe
Token: SeCreatePagefilePrivilege	772	powershell.exe
Token: SeBackupPrivilege	772	powershell.exe
Token: SeRestorePrivilege	772	powershell.exe
Token: SeShutdownPrivilege	772	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeSystemEnvironmentPrivilege	772	powershell.exe
Token: SeRemoteShutdownPrivilege	772	powershell.exe
Token: SeUndockPrivilege	772	powershell.exe
Token: SeManageVolumePrivilege	772	powershell.exe
Token: 33	772	powershell.exe
Token: 34	772	powershell.exe
Token: 35	772	powershell.exe
Token: 36	772	powershell.exe
Token: SeIncreaseQuotaPrivilege	880	powershell.exe
Token: SeSecurityPrivilege	880	powershell.exe
Token: SeTakeOwnershipPrivilege	880	powershell.exe
Token: SeLoadDriverPrivilege	880	powershell.exe
Token: SeSystemProfilePrivilege	880	powershell.exe
Token: SeSystemtimePrivilege	880	powershell.exe
Token: SeProfSingleProcessPrivilege	880	powershell.exe
Token: SeIncBasePriorityPrivilege	880	powershell.exe
Token: SeCreatePagefilePrivilege	880	powershell.exe
Token: SeBackupPrivilege	880	powershell.exe
Token: SeRestorePrivilege	880	powershell.exe
Token: SeShutdownPrivilege	880	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeSystemEnvironmentPrivilege	880	powershell.exe
Token: SeRemoteShutdownPrivilege	880	powershell.exe
Token: SeUndockPrivilege	880	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 708	2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe	70
PID 2212 wrote to memory of 708	2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe	70
PID 2212 wrote to memory of 4200	2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe	71
PID 2212 wrote to memory of 4200	2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe	71
PID 2212 wrote to memory of 880	2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe	79
PID 2212 wrote to memory of 880	2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe	79
PID 2212 wrote to memory of 772	2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe	78
PID 2212 wrote to memory of 772	2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe	78
PID 2212 wrote to memory of 800	2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe	77
PID 2212 wrote to memory of 800	2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe	77
PID 2212 wrote to memory of 4824	2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe	80
PID 2212 wrote to memory of 4824	2212	f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe	80
PID 4824 wrote to memory of 4976	4824	cmd.exe	82
PID 4824 wrote to memory of 4976	4824	cmd.exe	82
PID 4824 wrote to memory of 448	4824	cmd.exe	83
PID 4824 wrote to memory of 448	4824	cmd.exe	83
PID 4824 wrote to memory of 3400	4824	cmd.exe	85
PID 4824 wrote to memory of 3400	4824	cmd.exe	85
PID 3400 wrote to memory of 2540	3400	Idle.exe	86
PID 3400 wrote to memory of 2540	3400	Idle.exe	86
PID 2540 wrote to memory of 928	2540	cmd.exe	88
PID 2540 wrote to memory of 928	2540	cmd.exe	88
PID 2540 wrote to memory of 4936	2540	cmd.exe	89
PID 2540 wrote to memory of 4936	2540	cmd.exe	89
PID 2540 wrote to memory of 3384	2540	cmd.exe	90
PID 2540 wrote to memory of 3384	2540	cmd.exe	90
PID 3384 wrote to memory of 1260	3384	Idle.exe	91
PID 3384 wrote to memory of 1260	3384	Idle.exe	91
PID 1260 wrote to memory of 2144	1260	cmd.exe	93
PID 1260 wrote to memory of 2144	1260	cmd.exe	93
PID 1260 wrote to memory of 208	1260	cmd.exe	94
PID 1260 wrote to memory of 208	1260	cmd.exe	94
PID 1260 wrote to memory of 4740	1260	cmd.exe	95
PID 1260 wrote to memory of 4740	1260	cmd.exe	95
PID 4740 wrote to memory of 2264	4740	Idle.exe	96
PID 4740 wrote to memory of 2264	4740	Idle.exe	96
PID 2264 wrote to memory of 3264	2264	cmd.exe	98
PID 2264 wrote to memory of 3264	2264	cmd.exe	98
PID 2264 wrote to memory of 2644	2264	cmd.exe	99
PID 2264 wrote to memory of 2644	2264	cmd.exe	99
PID 2264 wrote to memory of 192	2264	cmd.exe	100
PID 2264 wrote to memory of 192	2264	cmd.exe	100
PID 192 wrote to memory of 392	192	Idle.exe	101
PID 192 wrote to memory of 392	192	Idle.exe	101
PID 392 wrote to memory of 4428	392	cmd.exe	103
PID 392 wrote to memory of 4428	392	cmd.exe	103
PID 392 wrote to memory of 2192	392	cmd.exe	104
PID 392 wrote to memory of 2192	392	cmd.exe	104
PID 392 wrote to memory of 3556	392	cmd.exe	105
PID 392 wrote to memory of 3556	392	cmd.exe	105
PID 3556 wrote to memory of 4952	3556	Idle.exe	106
PID 3556 wrote to memory of 4952	3556	Idle.exe	106
PID 4952 wrote to memory of 3980	4952	cmd.exe	108
PID 4952 wrote to memory of 3980	4952	cmd.exe	108
PID 4952 wrote to memory of 668	4952	cmd.exe	109
PID 4952 wrote to memory of 668	4952	cmd.exe	109
PID 4952 wrote to memory of 2280	4952	cmd.exe	110
PID 4952 wrote to memory of 2280	4952	cmd.exe	110
PID 2280 wrote to memory of 448	2280	Idle.exe	111
PID 2280 wrote to memory of 448	2280	Idle.exe	111
PID 448 wrote to memory of 4912	448	cmd.exe	113
PID 448 wrote to memory of 4912	448	cmd.exe	113
PID 448 wrote to memory of 3704	448	cmd.exe	114
PID 448 wrote to memory of 3704	448	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe
"C:\Users\Admin\AppData\Local\Temp\f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\SearchUI.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Delta\Idle.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\dllhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RCATIQ8vzm.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4976
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:448
- - C:\Windows\Media\Delta\Idle.exe
    "C:\Windows\Media\Delta\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9TWO8Gj4g3.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:928
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4936
    - - C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OC6cu7vKWz.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:208
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZxjVk2zv8J.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:2644
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N1wkOWwnvp.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2192
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38FLB8gIG8.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:668
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3vYZhDjEHk.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:3704
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8IMWcflW5t.bat"
        16⤵
        
        PID:1500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:5000
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OC6cu7vKWz.bat"
        18⤵
        
        PID:408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4980
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OC6cu7vKWz.bat"
        20⤵
        
        PID:4444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:5028
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8IMWcflW5t.bat"
        22⤵
        
        PID:1420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:2264
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2zQTaq6hD.bat"
        24⤵
        
        PID:4288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2276
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n1oUPmZQqe.bat"
        26⤵
        
        PID:4584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3728
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OC6cu7vKWz.bat"
        28⤵
        
        PID:4200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1472
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AhDAdBh8fS.bat"
        30⤵
        
        PID:3528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:3960
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q0hdwOOBcu.bat"
        32⤵
        
        PID:2892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        Runs ping.exe
        
        PID:612
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Id7nS4uU7f.bat"
        34⤵
        
        PID:4988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:4444
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lraSVrJxn8.bat"
        36⤵
        
        PID:4156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        Runs ping.exe
        
        PID:4296
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j3rBUpSkc2.bat"
        38⤵
        
        PID:2056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        39⤵
        
        PID:2844
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gUlVaPHfzy.bat"
        40⤵
        
        PID:3600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:4568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        41⤵
        
        PID:3836
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EfATY8not3.bat"
        42⤵
        
        PID:4840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:2392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        43⤵
        
        PID:4932
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38FLB8gIG8.bat"
        44⤵
        
        PID:3684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:4748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        45⤵
        Runs ping.exe
        
        PID:3944
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6xYfwFNBo.bat"
        46⤵
        
        PID:4232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        47⤵
        
        PID:5056
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xMZkGAiOsQ.bat"
        48⤵
        
        PID:1584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:1804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        49⤵
        Runs ping.exe
        
        PID:3380
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEG9SYztW7.bat"
        50⤵
        
        PID:2524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:2500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        Runs ping.exe
        
        PID:1260
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZuYpZxcK9.bat"
        52⤵
        
        PID:2656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:4524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        53⤵
        
        PID:3928
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JpHfzfs2ip.bat"
        54⤵
        
        PID:4188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        55⤵
        
        PID:2568
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xMZkGAiOsQ.bat"
        56⤵
        
        PID:3844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:2156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        57⤵
        Runs ping.exe
        
        PID:2628
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N1wkOWwnvp.bat"
        58⤵
        
        PID:4396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:4144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        59⤵
        
        PID:4512
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xMZkGAiOsQ.bat"
        60⤵
        
        PID:200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:2304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        61⤵
        Runs ping.exe
        
        PID:3628
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q0hdwOOBcu.bat"
        62⤵
        
        PID:5060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:3488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        63⤵
        Runs ping.exe
        
        PID:3544
        
        C:\Windows\Media\Delta\Idle.exe
        
        "C:\Windows\Media\Delta\Idle.exe"
        63⤵
        Executes dropped EXE
        
        PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\sysmon.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

Filesize
1KB

MD5
d9fbbda32f03209ae8e2d8e1ce595b32

SHA1
04996e2efdd89a0a7f5172690f96d34abe28ccc6

SHA256
d3f038da27a23a26f88df2466c10c4a846acfdbb323987d5cdd235ade8c16a60

SHA512
5ff8493732d18f6439e548a8149d291e619ad98d4d2280367add07e8fcf38d55803bf2396dba897a239ae0ed1455b157f3a7f827432196c52bc94c5f4154db6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bddf3b5d1f682f3b4464a846c241a4a3

SHA1
b5894ab3bf8bc9f8803db9313f16e142a833c3db

SHA256
84dc0d47f0853e37c0a1a29592527d0e443f5df76212c6bd2e03d7f98b1bf0af

SHA512
a41620927d150a2da3f78f73b347e8242fa299db116fc73b0ce4cf793a77fd2cf0342cf2e7d4850b22f6d9e86eaa2b121ae0a4b4b0234d7bac972dcfd5c435c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bddf3b5d1f682f3b4464a846c241a4a3

SHA1
b5894ab3bf8bc9f8803db9313f16e142a833c3db

SHA256
84dc0d47f0853e37c0a1a29592527d0e443f5df76212c6bd2e03d7f98b1bf0af

SHA512
a41620927d150a2da3f78f73b347e8242fa299db116fc73b0ce4cf793a77fd2cf0342cf2e7d4850b22f6d9e86eaa2b121ae0a4b4b0234d7bac972dcfd5c435c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\38FLB8gIG8.bat

Filesize
159B

MD5
7df5d4360af18f6813bd0ce9ea0e2831

SHA1
fdfbd15d4af81b1a62fc30db71734600ef3680ca

SHA256
e09e3328b0dff896b6520bbb52301cacb8e3ae96886198ca37e428ba990305ae

SHA512
c36ea6b447bc94ea8eefb5393272121c9b6eb155cabc7a254a81557b13a502b05c1fac26f5560ed46abbdce80ea2f0258d5d13d5b70f683bffd0a21182ceca80

Download Submit
C:\Users\Admin\AppData\Local\Temp\38FLB8gIG8.bat

Filesize
159B

MD5
7df5d4360af18f6813bd0ce9ea0e2831

SHA1
fdfbd15d4af81b1a62fc30db71734600ef3680ca

SHA256
e09e3328b0dff896b6520bbb52301cacb8e3ae96886198ca37e428ba990305ae

SHA512
c36ea6b447bc94ea8eefb5393272121c9b6eb155cabc7a254a81557b13a502b05c1fac26f5560ed46abbdce80ea2f0258d5d13d5b70f683bffd0a21182ceca80

Download Submit
C:\Users\Admin\AppData\Local\Temp\3vYZhDjEHk.bat

Filesize
159B

MD5
62380e42f9f9219a0aa3d5060d2ebe79

SHA1
e83b532e0641235edd22c74142c7b4d283f1d80e

SHA256
1db8b7dc7b389ca8562b1e9ac1339b418e119e4186610d7a7d125eaef156e1a4

SHA512
8bdd0571d3173a08fdce44f1aa0da24cc4403d19f24dd39c5fc5634c0210f5c9dfd83e6601fdbaee59a44998dc8240256598600fe7b97b90e2d757f186df209c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8IMWcflW5t.bat

Filesize
159B

MD5
cb7c006fea4af715b69b4565931a57a9

SHA1
9404ddc161c7c5cffc56dc02163e2e1a7da47095

SHA256
e1af93bc616b6d1c89f8e60611236ce64e61db1f86735afac61a9c98e4707c77

SHA512
15b0d1f386a460b61096ad95cad60e6f87504d7528f19e58adb66cb1013d4037cd6050f818cf5847a01802a238017d72e9cbf47c78d7c22dc808bdba8cf6d503

Download Submit
C:\Users\Admin\AppData\Local\Temp\8IMWcflW5t.bat

Filesize
159B

MD5
cb7c006fea4af715b69b4565931a57a9

SHA1
9404ddc161c7c5cffc56dc02163e2e1a7da47095

SHA256
e1af93bc616b6d1c89f8e60611236ce64e61db1f86735afac61a9c98e4707c77

SHA512
15b0d1f386a460b61096ad95cad60e6f87504d7528f19e58adb66cb1013d4037cd6050f818cf5847a01802a238017d72e9cbf47c78d7c22dc808bdba8cf6d503

Download Submit
C:\Users\Admin\AppData\Local\Temp\9TWO8Gj4g3.bat

Filesize
207B

MD5
7163735c4618073b56fe4ddfafbb8f73

SHA1
b5af8c8abb26ddacee2b76177230bc7b54e5f95a

SHA256
07cb6afca77baa7d007916a99d7222429b646d9eee0f8cbf431b5e4cb4c558e4

SHA512
195ce960bcbadfdfcba113fb19f0a9dd7b9f6d1e4fb76f7255236439e253df00720854b1db1a09436814e836cfd8c983d28989ff2bcd09fbf20732c9eed65726

Download Submit
C:\Users\Admin\AppData\Local\Temp\AhDAdBh8fS.bat

Filesize
207B

MD5
3b261ebeef8f971d7444854c70536f90

SHA1
20ed1b2fa3bc8e7e121045be7987438a583215c0

SHA256
6160818d5154b089d4dcb4277f72ad97d9452ff51a7a38f82a71e70a5372da72

SHA512
0ca1d3aefb57453092e877227949c066b6675cfcabb7d1e94bf3310ba6182767a348dce3570163ec552dbf25bc3ef64b7a0d77f605234fe250729ccd28b67946

Download Submit
C:\Users\Admin\AppData\Local\Temp\EfATY8not3.bat

Filesize
207B

MD5
cb80219f805204650d4b038baae3fb4e

SHA1
74440f8661170945351347c657343e6f8121b881

SHA256
eb7bffee89f8f6c96830e674f98528397d1749f613c322402eec60cc5c80ec14

SHA512
ffe67a389fe0078fe66c352d3124c698f436c344efd615131dc32963ee7a62059956a8317c8526d9a630e32de5645866e5ae1e78f117312c85dc68741802c78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEG9SYztW7.bat

Filesize
159B

MD5
e2a108c654c7f3063e2c1de04f03c3bb

SHA1
ab5ac664e91f5ea9881c3d3a3925f4cfdb858524

SHA256
fe33a1edb83dc915ce5177645861b8075a74902e17d3e1b74d83a1e584223866

SHA512
9058e95be32d4ac9fa893f98b336d93ab2f19595f272eff5df20838b4de87d71594e9747d42b5c6a1b1c5c9e9bb2f878273bafe05e32323efa9cf0dad1d55fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Id7nS4uU7f.bat

Filesize
207B

MD5
82c25917c5b63057807836b8a5f591fe

SHA1
abc7bff30a9c4d8d8f32e2da0d56b8cff1de8add

SHA256
7b82325d132ba82e2b85844e86ee5171b53cfbcd72f8caac601a92eedb4f59e1

SHA512
1c2afc13bf9487de7d5c640ff2a38a5b8843b7432da468761fbed71fa2d72811f052b3508f01407a5a85d164fd5dbee4b3c35b773115349063574ca61515ccff

Download Submit
C:\Users\Admin\AppData\Local\Temp\J2zQTaq6hD.bat

Filesize
207B

MD5
d7d93ebfc5dc9c2b729b6768d5b3e162

SHA1
f1422927435cc0db4fa99a1bee8777762cf4512e

SHA256
587cfee03e63a47de7268418d2ca6285a308094119a2f327d72cc3d110f36bd8

SHA512
623afce23bec4803b86551e08ae1ee2ebee7535931b8fd7608ef9c5f9843030607d2946d94bf74e05c221221bede91b5dbb1a45202c3151441ad5ecd93efe991

Download Submit
C:\Users\Admin\AppData\Local\Temp\JpHfzfs2ip.bat

Filesize
207B

MD5
04e21f2d096dc9c4c5bf15a26305c1ec

SHA1
911c7aa9aae2591603919a174f343ea5e8ccecf0

SHA256
d3d06715e52010b93964a56eb18b31ea611caf70ee5f4cd3f91aec1df196b95e

SHA512
c3dc21c8cbee9847e2352b99be049faa8852e6c26457dd0281829f3336f5a712ad246434ec1f1d59d8a19f4a470e8521dedee1dbf16df5149cffb2de4a1a2fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\N1wkOWwnvp.bat

Filesize
207B

MD5
5feb04e0021c44ba003a5b8dd69799fd

SHA1
c58cff3a73ee4ea5a9936c95639e59a6c89750e5

SHA256
c6d403d3b492ee1922ad7907bc067b075276c7eb5ad2932a2937410c9cc26dbb

SHA512
8686b8b1aa113aaf684d39ada06d7590271a1eb68bcfdc545757558a93b04f827ba2a6f8f0bb4348c86823d160a71da8e3f3bc5973c8812b91a418bca4a1b2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\N1wkOWwnvp.bat

Filesize
207B

MD5
5feb04e0021c44ba003a5b8dd69799fd

SHA1
c58cff3a73ee4ea5a9936c95639e59a6c89750e5

SHA256
c6d403d3b492ee1922ad7907bc067b075276c7eb5ad2932a2937410c9cc26dbb

SHA512
8686b8b1aa113aaf684d39ada06d7590271a1eb68bcfdc545757558a93b04f827ba2a6f8f0bb4348c86823d160a71da8e3f3bc5973c8812b91a418bca4a1b2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OC6cu7vKWz.bat

Filesize
207B

MD5
ceefcee29fbb266431f1b6254502b674

SHA1
c477a3986c13f4f31d80444e7af4dd98eb7c18f1

SHA256
d6a38e5c4ce9d1205c5af5550dafcc1ae19a031de789a94536769ea38f30d4fe

SHA512
b9e71454f0859988fa48d0b121e64eac4a342713d7dfcd3384e20d8bb0ee483591fee9e6f7847146272f2ecd669d68c5893d19940d57b30bd1e95b4053c80375

Download Submit
C:\Users\Admin\AppData\Local\Temp\OC6cu7vKWz.bat

Filesize
207B

MD5
ceefcee29fbb266431f1b6254502b674

SHA1
c477a3986c13f4f31d80444e7af4dd98eb7c18f1

SHA256
d6a38e5c4ce9d1205c5af5550dafcc1ae19a031de789a94536769ea38f30d4fe

SHA512
b9e71454f0859988fa48d0b121e64eac4a342713d7dfcd3384e20d8bb0ee483591fee9e6f7847146272f2ecd669d68c5893d19940d57b30bd1e95b4053c80375

Download Submit
C:\Users\Admin\AppData\Local\Temp\OC6cu7vKWz.bat

Filesize
207B

MD5
ceefcee29fbb266431f1b6254502b674

SHA1
c477a3986c13f4f31d80444e7af4dd98eb7c18f1

SHA256
d6a38e5c4ce9d1205c5af5550dafcc1ae19a031de789a94536769ea38f30d4fe

SHA512
b9e71454f0859988fa48d0b121e64eac4a342713d7dfcd3384e20d8bb0ee483591fee9e6f7847146272f2ecd669d68c5893d19940d57b30bd1e95b4053c80375

Download Submit
C:\Users\Admin\AppData\Local\Temp\OC6cu7vKWz.bat

Filesize
207B

MD5
ceefcee29fbb266431f1b6254502b674

SHA1
c477a3986c13f4f31d80444e7af4dd98eb7c18f1

SHA256
d6a38e5c4ce9d1205c5af5550dafcc1ae19a031de789a94536769ea38f30d4fe

SHA512
b9e71454f0859988fa48d0b121e64eac4a342713d7dfcd3384e20d8bb0ee483591fee9e6f7847146272f2ecd669d68c5893d19940d57b30bd1e95b4053c80375

Download Submit
C:\Users\Admin\AppData\Local\Temp\OC6cu7vKWz.bat

Filesize
207B

MD5
ceefcee29fbb266431f1b6254502b674

SHA1
c477a3986c13f4f31d80444e7af4dd98eb7c18f1

SHA256
d6a38e5c4ce9d1205c5af5550dafcc1ae19a031de789a94536769ea38f30d4fe

SHA512
b9e71454f0859988fa48d0b121e64eac4a342713d7dfcd3384e20d8bb0ee483591fee9e6f7847146272f2ecd669d68c5893d19940d57b30bd1e95b4053c80375

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCATIQ8vzm.bat

Filesize
159B

MD5
66a28be1049868ba70021f8e4208acba

SHA1
e2086230e2659ef3f76f026b4da45b6d5691cd8e

SHA256
11bab0b1eabe2a72c58a0a51ad7268b876c2c2d0b59edaacbcee14c1d040a536

SHA512
3e0b52984c0a4f1b715be0ff60f61503dd2fddb06e6d3052bab652c6f9ef213e1d7a09353074cdf54aa6b2d7d2d75a8436e05364fc8d9289532f92d1afde2013

Download Submit
C:\Users\Admin\AppData\Local\Temp\TZuYpZxcK9.bat

Filesize
207B

MD5
2da4e73fece5a8434c818a02ffcbd64b

SHA1
0420715577da4a86a87f07e328ece51a075983a4

SHA256
f33f1565a1a983aa4675316b485fb4d3f8e8e5e609207d68fcd2f7055dcbe694

SHA512
de248b822e3bd1a643878ed136e0ea65600c4da45264341d1be46d2713b90425db468e1ceb71716f96e395ea382a81747310ebbd4810fb74179086ec16a629f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZxjVk2zv8J.bat

Filesize
159B

MD5
fcea1a73886f2e2a45ae67f2838025e5

SHA1
ae1c76a0554283b1efde29a32e08ac94751d51ab

SHA256
d4d55e8bd0578271e62f7a4a3e9f8e1a5070371af0e488e8fb22a2c03289cbc2

SHA512
c9eb424695e713b559c6cb65e23a6d9f5c2fe33e7d9cabe79fb4183f244a401e6ea212ce8c142b05a255eecf76ac4b1b750a857decfdccaa017c763e86e2d3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vyxqz3tf.hzf.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6xYfwFNBo.bat

Filesize
207B

MD5
ceaf7f4ef7b2a97877634d71a368fd39

SHA1
6d17149a19c94c7b6152efa697c0755ba5acc213

SHA256
3286bc3d58397cb0835e8df8414994040a581da3399cd3a1466ac9e86fad6dcc

SHA512
f7772f42e17b477d307087bcf3c0308e510a94e2e8ea4e6d965e0f135e916e8a7debe0b7fba5d3891efe6adfdc76aebfd55fed4fa6f86ac2cd6780a3e931b522

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUlVaPHfzy.bat

Filesize
207B

MD5
d72b6dee8f52c90b5ed19944484e9e5a

SHA1
bb9ae795056fff9d4afed22bd63de048c0ae03e1

SHA256
a379990902b30b8f36f292fc08e53bbb16cf5648de628dea257e4a6b1c1d3f3f

SHA512
2e0dee54cc843a1a17246326c265586b0dc87b1292e1902a0fd3d144082cf45bc72c246fd3ff63c46f3da379959c6c21bac5bb7ffd9d23495064c9f9763e5959

Download Submit
C:\Users\Admin\AppData\Local\Temp\j3rBUpSkc2.bat

Filesize
207B

MD5
5a8e90a416c9b90f228cf455564ee825

SHA1
7d5b03a9147ceac3339f0dfc6c1f4b3dc7e19ca3

SHA256
a84124ca07893cff8af6a786d7c8d07afbde4db8b045468a1c925d52f504404b

SHA512
fae3788c2f3509906331f2ea87096d1b650041a16e59ec7dba1ed3ab8e2ce85c97689e2097b27e40f94f1adcfa1cc9876f632977057e14b25b82b84437850d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\lraSVrJxn8.bat

Filesize
159B

MD5
4ef127f2bb40bf5ec92b37d2964c2661

SHA1
cdee98bda76a824a93a155c1af8c223180f8ff1d

SHA256
dd3bd825e5ec5fe3db609a53176cd2e9ecb0d169852e69f19d050af3ab58edd8

SHA512
8931311745588bf900cf2e4e42a12846712ec57ef6e11283d14402f2cdd38136e2e73ac67c8e3cb49588a4d1d4c9f111227ae9bcd699a3866cda2964c10496e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1oUPmZQqe.bat

Filesize
207B

MD5
9a061d68a65fcbdf2abefc1d152f2fb2

SHA1
7eb9233d10da3590560b639b299a588cfcfbad0b

SHA256
9c052f4fc0a70a6ec91f40ba8c3a7657e0cc58542375e313496128fa9051686e

SHA512
1bfdafd368e5718617d4b8afeaa4c9bb2489eafbacaa9a980e3e914f240a30cf3e01587530a92d27bc9924cf41c5b44d6e5644ee58ab6487c8fe4ba5769da79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\q0hdwOOBcu.bat

Filesize
159B

MD5
210743ac0e8cf5209f1074cff20329ce

SHA1
2a7e1f50df3c7f914dd12f738acb7fc6fbc6bfb4

SHA256
0a45cccaec941d7b39ec949edc753109cd0714ac8cda54d7acd258e15261b6e9

SHA512
48b1560440e616574a1d1adccb5915b5afe0a6bf217fb97d413abb18731172a042aba952d2cea4a728a2d793fb4f148e936515174e89a2b56496790850ed98b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMZkGAiOsQ.bat

Filesize
159B

MD5
0b64ef901b8304fa6441cee0c622aefd

SHA1
4bd6507066102958034e212a55d5e7cd370a9a4d

SHA256
5fc534c8b8105666ace8985e090ecc88671317987d79927d4cf57e9bfe4d2fad

SHA512
81c20a818fbe8373f8c87f0f3548e5683efea05579c407621a1e7b6a39d33adcec8ed53760b762245c16d57e09d9853baff0de7849adbe81a2f6937e1ea848a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMZkGAiOsQ.bat

Filesize
159B

MD5
0b64ef901b8304fa6441cee0c622aefd

SHA1
4bd6507066102958034e212a55d5e7cd370a9a4d

SHA256
5fc534c8b8105666ace8985e090ecc88671317987d79927d4cf57e9bfe4d2fad

SHA512
81c20a818fbe8373f8c87f0f3548e5683efea05579c407621a1e7b6a39d33adcec8ed53760b762245c16d57e09d9853baff0de7849adbe81a2f6937e1ea848a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMZkGAiOsQ.bat

Filesize
159B

MD5
0b64ef901b8304fa6441cee0c622aefd

SHA1
4bd6507066102958034e212a55d5e7cd370a9a4d

SHA256
5fc534c8b8105666ace8985e090ecc88671317987d79927d4cf57e9bfe4d2fad

SHA512
81c20a818fbe8373f8c87f0f3548e5683efea05579c407621a1e7b6a39d33adcec8ed53760b762245c16d57e09d9853baff0de7849adbe81a2f6937e1ea848a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMZkGAiOsQ.bat

Filesize
159B

MD5
0b64ef901b8304fa6441cee0c622aefd

SHA1
4bd6507066102958034e212a55d5e7cd370a9a4d

SHA256
5fc534c8b8105666ace8985e090ecc88671317987d79927d4cf57e9bfe4d2fad

SHA512
81c20a818fbe8373f8c87f0f3548e5683efea05579c407621a1e7b6a39d33adcec8ed53760b762245c16d57e09d9853baff0de7849adbe81a2f6937e1ea848a5

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
C:\Windows\Media\Delta\Idle.exe

Filesize
1.7MB

MD5
031c1c644a831931aa5040d5fa4b3e59

SHA1
01e542f520d43d27607f6d257523e3e25afa8d54

SHA256
f05efbb159feb10d96e61a020a3cd22736ffbb096decd683a03c3445df5c5d44

SHA512
9ecc6cdf1f7d0eaa670a518eba914022fd4f3a086eb2da9ad3218ea069f907dda84c0d075ad3aa1691f4379822b6a1e9dc6636b8535b22a86154b80d48a85787

Download Submit
memory/192-378-0x0000000002750000-0x00000000027BC000-memory.dmp

Filesize
432KB

Download
memory/368-759-0x000000001B410000-0x000000001B47C000-memory.dmp

Filesize
432KB

Download
memory/708-33-0x00007FF9BACE0000-0x00007FF9BB6CC000-memory.dmp

Filesize
9.9MB

Download
memory/708-56-0x0000026AD04C0000-0x0000026AD04D0000-memory.dmp

Filesize
64KB

Download
memory/708-285-0x00007FF9BACE0000-0x00007FF9BB6CC000-memory.dmp

Filesize
9.9MB

Download
memory/708-266-0x0000026AD04C0000-0x0000026AD04D0000-memory.dmp

Filesize
64KB

Download
memory/708-248-0x00007FF9BACE0000-0x00007FF9BB6CC000-memory.dmp

Filesize
9.9MB

Download
memory/708-247-0x0000026AD04C0000-0x0000026AD04D0000-memory.dmp

Filesize
64KB

Download
memory/708-46-0x0000026AD04C0000-0x0000026AD04D0000-memory.dmp

Filesize
64KB

Download
memory/708-182-0x0000026AD04C0000-0x0000026AD04D0000-memory.dmp

Filesize
64KB

Download
memory/772-75-0x000001CAEB980000-0x000001CAEB9F6000-memory.dmp

Filesize
472KB

Download
memory/772-70-0x000001CAD3670000-0x000001CAD3680000-memory.dmp

Filesize
64KB

Download
memory/772-257-0x000001CAD3670000-0x000001CAD3680000-memory.dmp

Filesize
64KB

Download
memory/772-59-0x000001CAD3670000-0x000001CAD3680000-memory.dmp

Filesize
64KB

Download
memory/772-286-0x00007FF9BACE0000-0x00007FF9BB6CC000-memory.dmp

Filesize
9.9MB

Download
memory/772-66-0x00007FF9BACE0000-0x00007FF9BB6CC000-memory.dmp

Filesize
9.9MB

Download
memory/772-268-0x000001CAD3670000-0x000001CAD3680000-memory.dmp

Filesize
64KB

Download
memory/772-65-0x000001CAEB7D0000-0x000001CAEB7F2000-memory.dmp

Filesize
136KB

Download
memory/772-114-0x000001CAD3670000-0x000001CAD3680000-memory.dmp

Filesize
64KB

Download
memory/800-264-0x00000164C91D0000-0x00000164C91E0000-memory.dmp

Filesize
64KB

Download
memory/800-281-0x00007FF9BACE0000-0x00007FF9BB6CC000-memory.dmp

Filesize
9.9MB

Download
memory/800-62-0x00000164C91D0000-0x00000164C91E0000-memory.dmp

Filesize
64KB

Download
memory/800-178-0x00000164C91D0000-0x00000164C91E0000-memory.dmp

Filesize
64KB

Download
memory/800-254-0x00007FF9BACE0000-0x00007FF9BB6CC000-memory.dmp

Filesize
9.9MB

Download
memory/800-54-0x00007FF9BACE0000-0x00007FF9BB6CC000-memory.dmp

Filesize
9.9MB

Download
memory/800-72-0x00000164C91D0000-0x00000164C91E0000-memory.dmp

Filesize
64KB

Download
memory/800-265-0x00000164C91D0000-0x00000164C91E0000-memory.dmp

Filesize
64KB

Download
memory/880-63-0x0000028AF3C60000-0x0000028AF3C70000-memory.dmp

Filesize
64KB

Download
memory/880-270-0x0000028AF3C60000-0x0000028AF3C70000-memory.dmp

Filesize
64KB

Download
memory/880-294-0x00007FF9BACE0000-0x00007FF9BB6CC000-memory.dmp

Filesize
9.9MB

Download
memory/880-289-0x0000028AF3C60000-0x0000028AF3C70000-memory.dmp

Filesize
64KB

Download
memory/880-68-0x00007FF9BACE0000-0x00007FF9BB6CC000-memory.dmp

Filesize
9.9MB

Download
memory/880-159-0x0000028AF3C60000-0x0000028AF3C70000-memory.dmp

Filesize
64KB

Download
memory/880-287-0x00007FF9BACE0000-0x00007FF9BB6CC000-memory.dmp

Filesize
9.9MB

Download
memory/880-282-0x0000028AF3C60000-0x0000028AF3C70000-memory.dmp

Filesize
64KB

Download
memory/880-64-0x0000028AF3C60000-0x0000028AF3C70000-memory.dmp

Filesize
64KB

Download
memory/880-275-0x0000028AF3C60000-0x0000028AF3C70000-memory.dmp

Filesize
64KB

Download
memory/1028-674-0x000000001B4C0000-0x000000001B52C000-memory.dmp

Filesize
432KB

Download
memory/1416-909-0x000000001BA20000-0x000000001BA8C000-memory.dmp

Filesize
432KB

Download
memory/1492-865-0x0000000002CC0000-0x0000000002D2C000-memory.dmp

Filesize
432KB

Download
memory/1560-823-0x000000001B800000-0x000000001B86C000-memory.dmp

Filesize
432KB

Download
memory/1616-632-0x000000001BC20000-0x000000001BC8C000-memory.dmp

Filesize
432KB

Download
memory/1924-653-0x000000001B3B0000-0x000000001B41C000-memory.dmp

Filesize
432KB

Download
memory/2212-8-0x00000000012F0000-0x00000000012FE000-memory.dmp

Filesize
56KB

Download
memory/2212-15-0x00007FF9D7440000-0x00007FF9D7441000-memory.dmp

Filesize
4KB

Download
memory/2212-14-0x0000000001350000-0x000000000135C000-memory.dmp

Filesize
48KB

Download
memory/2212-57-0x00007FF9BACE0000-0x00007FF9BB6CC000-memory.dmp

Filesize
9.9MB

Download
memory/2212-5-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/2212-2-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/2212-3-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/2212-9-0x00007FF9D7460000-0x00007FF9D7461000-memory.dmp

Filesize
4KB

Download
memory/2212-4-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/2212-6-0x00007FF9D7470000-0x00007FF9D7471000-memory.dmp

Filesize
4KB

Download
memory/2212-0-0x0000000000920000-0x0000000000AE0000-memory.dmp

Filesize
1.8MB

Download
memory/2212-12-0x00007FF9D7450000-0x00007FF9D7451000-memory.dmp

Filesize
4KB

Download
memory/2212-11-0x0000000001340000-0x000000000134E000-memory.dmp

Filesize
56KB

Download
memory/2212-1-0x00007FF9BACE0000-0x00007FF9BB6CC000-memory.dmp

Filesize
9.9MB

Download
memory/2212-17-0x0000000001360000-0x000000000136C000-memory.dmp

Filesize
48KB

Download
memory/2280-420-0x000000001BC70000-0x000000001BCDC000-memory.dmp

Filesize
432KB

Download
memory/2488-590-0x000000001B250000-0x000000001B2BC000-memory.dmp

Filesize
432KB

Download
memory/2964-441-0x0000000002EA0000-0x0000000002F0C000-memory.dmp

Filesize
432KB

Download
memory/3024-695-0x000000001BA50000-0x000000001BABC000-memory.dmp

Filesize
432KB

Download
memory/3080-802-0x000000001B1C0000-0x000000001B22C000-memory.dmp

Filesize
432KB

Download
memory/3244-504-0x000000001B400000-0x000000001B46C000-memory.dmp

Filesize
432KB

Download
memory/3384-336-0x000000001BAC0000-0x000000001BB2C000-memory.dmp

Filesize
432KB

Download
memory/3400-295-0x00007FF9BACE0000-0x00007FF9BB6CC000-memory.dmp

Filesize
9.9MB

Download
memory/3400-298-0x000000001B080000-0x000000001B090000-memory.dmp

Filesize
64KB

Download
memory/3400-296-0x000000001B080000-0x000000001B090000-memory.dmp

Filesize
64KB

Download
memory/3400-314-0x000000001B5B0000-0x000000001B61C000-memory.dmp

Filesize
432KB

Download
memory/3400-297-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/3556-399-0x000000001B620000-0x000000001B68C000-memory.dmp

Filesize
432KB

Download
memory/3724-717-0x000000001BCF0000-0x000000001BD5C000-memory.dmp

Filesize
432KB

Download
memory/3892-888-0x000000001B0D0000-0x000000001B13C000-memory.dmp

Filesize
432KB

Download
memory/3992-930-0x00000000024E0000-0x000000000254C000-memory.dmp

Filesize
432KB

Download
memory/4112-526-0x000000001AF90000-0x000000001AFFC000-memory.dmp

Filesize
432KB

Download
memory/4140-844-0x00000000014F0000-0x000000000155C000-memory.dmp

Filesize
432KB

Download
memory/4176-547-0x000000001B960000-0x000000001B9CC000-memory.dmp

Filesize
432KB

Download
memory/4184-462-0x000000001B440000-0x000000001B4AC000-memory.dmp

Filesize
432KB

Download
memory/4200-267-0x000002C4CD470000-0x000002C4CD480000-memory.dmp

Filesize
64KB

Download
memory/4200-61-0x000002C4CD470000-0x000002C4CD480000-memory.dmp

Filesize
64KB

Download
memory/4200-288-0x000002C4CD470000-0x000002C4CD480000-memory.dmp

Filesize
64KB

Download
memory/4200-125-0x000002C4CD470000-0x000002C4CD480000-memory.dmp

Filesize
64KB

Download
memory/4200-60-0x000002C4CD470000-0x000002C4CD480000-memory.dmp

Filesize
64KB

Download
memory/4200-41-0x00007FF9BACE0000-0x00007FF9BB6CC000-memory.dmp

Filesize
9.9MB

Download
memory/4200-249-0x00007FF9BACE0000-0x00007FF9BB6CC000-memory.dmp

Filesize
9.9MB

Download
memory/4200-261-0x000002C4CD470000-0x000002C4CD480000-memory.dmp

Filesize
64KB

Download
memory/4200-263-0x000002C4CD470000-0x000002C4CD480000-memory.dmp

Filesize
64KB

Download
memory/4200-291-0x00007FF9BACE0000-0x00007FF9BB6CC000-memory.dmp

Filesize
9.9MB

Download
memory/4300-611-0x000000001BFE0000-0x000000001C04C000-memory.dmp

Filesize
432KB

Download
memory/4460-780-0x000000001B600000-0x000000001B66C000-memory.dmp

Filesize
432KB

Download
memory/4644-738-0x000000001BA60000-0x000000001BACC000-memory.dmp

Filesize
432KB

Download
memory/4740-357-0x000000001AEA0000-0x000000001AF0C000-memory.dmp

Filesize
432KB

Download
memory/4816-483-0x000000001B330000-0x000000001B39C000-memory.dmp

Filesize
432KB

Download
memory/5012-568-0x000000001BA10000-0x000000001BA7C000-memory.dmp

Filesize
432KB

Download