zgrat | 95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

Analysis

max time kernel
300s
max time network
303s
platform
windows10-1703_x64
resource
win10-20231025-en
resource tags

arch:x64arch:x86image:win10-20231025-enlocale:en-usos:windows10-1703-x64system
submitted
22-11-2023 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
Size

1.7MB
MD5

85503a298f3d3680349b8f956f335ba6
SHA1

25557850af352dd22f7f4a8e2392bd30d700e624
SHA256

95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93
SHA512

1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 31 IoCs

resource	yara_rule
behavioral2/memory/4188-0-0x00000000000B0000-0x0000000000270000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000600000001abce-26.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-285.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-286.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-307.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-329.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-349.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-369.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-389.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-409.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-429.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-449.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-469.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-489.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-509.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-530.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-550.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-571.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-591.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-611.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-631.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-651.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-671.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-692.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-712.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-732.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-752.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-772.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-792.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-813.dat	family_zgrat_v1
behavioral2/files/0x000c00000001aaf4-833.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 33 IoCs

pid	Process
4772	ApplicationFrameHost.exe
1372	ApplicationFrameHost.exe
2452	ApplicationFrameHost.exe
4316	ApplicationFrameHost.exe
4352	ApplicationFrameHost.exe
4468	ApplicationFrameHost.exe
2904	ApplicationFrameHost.exe
3796	ApplicationFrameHost.exe
4356	ApplicationFrameHost.exe
4880	ApplicationFrameHost.exe
2472	ApplicationFrameHost.exe
2996	ApplicationFrameHost.exe
4348	ApplicationFrameHost.exe
5056	ApplicationFrameHost.exe
4828	ApplicationFrameHost.exe
3384	ApplicationFrameHost.exe
4788	ApplicationFrameHost.exe
4560	ApplicationFrameHost.exe
4500	ApplicationFrameHost.exe
1160	ApplicationFrameHost.exe
4032	ApplicationFrameHost.exe
4784	ApplicationFrameHost.exe
4376	ApplicationFrameHost.exe
3300	ApplicationFrameHost.exe
2676	ApplicationFrameHost.exe
2700	ApplicationFrameHost.exe
3104	ApplicationFrameHost.exe
1732	ApplicationFrameHost.exe
2812	ApplicationFrameHost.exe
4476	ApplicationFrameHost.exe
4800	ApplicationFrameHost.exe
4072	ApplicationFrameHost.exe
2052	ApplicationFrameHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Java\29c1c3cc0f7685	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File created	C:\Program Files\Uninstall Information\sppsvc.exe	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File created	C:\Program Files\Uninstall Information\0a1fd5f707cd16	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File created	C:\Program Files (x86)\Windows Media Player\sysmon.exe	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File created	C:\Program Files (x86)\Windows Media Player\121e5b5079f7c0	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File created	C:\Program Files\Java\unsecapp.exe	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\886983d96e3d3e	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File created	C:\Windows\diagnostics\system\Apps\de-DE\sihost.exe	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File created	C:\Windows\Migration\WTR\ApplicationFrameHost.exe	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File opened for modification	C:\Windows\Migration\WTR\ApplicationFrameHost.exe	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File created	C:\Windows\Migration\WTR\6dd19aba3e2428	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File created	C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\csrss.exe	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	ApplicationFrameHost.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1956	PING.EXE
4952	PING.EXE
2172	PING.EXE
516	PING.EXE
1396	PING.EXE
4380	PING.EXE
3232	PING.EXE
2996	PING.EXE
3960	PING.EXE
2536	PING.EXE
4744	PING.EXE
4588	PING.EXE
4256	PING.EXE
3520	PING.EXE
2104	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
4736	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeIncreaseQuotaPrivilege	2660	powershell.exe
Token: SeSecurityPrivilege	2660	powershell.exe
Token: SeTakeOwnershipPrivilege	2660	powershell.exe
Token: SeLoadDriverPrivilege	2660	powershell.exe
Token: SeSystemProfilePrivilege	2660	powershell.exe
Token: SeSystemtimePrivilege	2660	powershell.exe
Token: SeProfSingleProcessPrivilege	2660	powershell.exe
Token: SeIncBasePriorityPrivilege	2660	powershell.exe
Token: SeCreatePagefilePrivilege	2660	powershell.exe
Token: SeBackupPrivilege	2660	powershell.exe
Token: SeRestorePrivilege	2660	powershell.exe
Token: SeShutdownPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeSystemEnvironmentPrivilege	2660	powershell.exe
Token: SeRemoteShutdownPrivilege	2660	powershell.exe
Token: SeUndockPrivilege	2660	powershell.exe
Token: SeManageVolumePrivilege	2660	powershell.exe
Token: 33	2660	powershell.exe
Token: 34	2660	powershell.exe
Token: 35	2660	powershell.exe
Token: 36	2660	powershell.exe
Token: SeIncreaseQuotaPrivilege	4736	powershell.exe
Token: SeSecurityPrivilege	4736	powershell.exe
Token: SeTakeOwnershipPrivilege	4736	powershell.exe
Token: SeLoadDriverPrivilege	4736	powershell.exe
Token: SeSystemProfilePrivilege	4736	powershell.exe
Token: SeSystemtimePrivilege	4736	powershell.exe
Token: SeProfSingleProcessPrivilege	4736	powershell.exe
Token: SeIncBasePriorityPrivilege	4736	powershell.exe
Token: SeCreatePagefilePrivilege	4736	powershell.exe
Token: SeBackupPrivilege	4736	powershell.exe
Token: SeRestorePrivilege	4736	powershell.exe
Token: SeShutdownPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeSystemEnvironmentPrivilege	4736	powershell.exe
Token: SeRemoteShutdownPrivilege	4736	powershell.exe
Token: SeUndockPrivilege	4736	powershell.exe
Token: SeManageVolumePrivilege	4736	powershell.exe
Token: 33	4736	powershell.exe
Token: 34	4736	powershell.exe
Token: 35	4736	powershell.exe
Token: 36	4736	powershell.exe
Token: SeIncreaseQuotaPrivilege	2904	powershell.exe
Token: SeSecurityPrivilege	2904	powershell.exe
Token: SeTakeOwnershipPrivilege	2904	powershell.exe
Token: SeLoadDriverPrivilege	2904	powershell.exe
Token: SeSystemProfilePrivilege	2904	powershell.exe
Token: SeSystemtimePrivilege	2904	powershell.exe
Token: SeProfSingleProcessPrivilege	2904	powershell.exe
Token: SeIncBasePriorityPrivilege	2904	powershell.exe
Token: SeCreatePagefilePrivilege	2904	powershell.exe
Token: SeBackupPrivilege	2904	powershell.exe
Token: SeRestorePrivilege	2904	powershell.exe
Token: SeShutdownPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeSystemEnvironmentPrivilege	2904	powershell.exe
Token: SeRemoteShutdownPrivilege	2904	powershell.exe
Token: SeUndockPrivilege	2904	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 4736	4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	80
PID 4188 wrote to memory of 4736	4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	80
PID 4188 wrote to memory of 4732	4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	79
PID 4188 wrote to memory of 4732	4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	79
PID 4188 wrote to memory of 4728	4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	78
PID 4188 wrote to memory of 4728	4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	78
PID 4188 wrote to memory of 2904	4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	76
PID 4188 wrote to memory of 2904	4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	76
PID 4188 wrote to memory of 2660	4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	75
PID 4188 wrote to memory of 2660	4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	75
PID 4188 wrote to memory of 4472	4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	81
PID 4188 wrote to memory of 4472	4188	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	81
PID 4472 wrote to memory of 1272	4472	cmd.exe	83
PID 4472 wrote to memory of 1272	4472	cmd.exe	83
PID 4472 wrote to memory of 4448	4472	cmd.exe	84
PID 4472 wrote to memory of 4448	4472	cmd.exe	84
PID 4472 wrote to memory of 4772	4472	cmd.exe	86
PID 4472 wrote to memory of 4772	4472	cmd.exe	86
PID 4772 wrote to memory of 2136	4772	ApplicationFrameHost.exe	87
PID 4772 wrote to memory of 2136	4772	ApplicationFrameHost.exe	87
PID 2136 wrote to memory of 816	2136	cmd.exe	89
PID 2136 wrote to memory of 816	2136	cmd.exe	89
PID 2136 wrote to memory of 1956	2136	cmd.exe	90
PID 2136 wrote to memory of 1956	2136	cmd.exe	90
PID 2136 wrote to memory of 1372	2136	cmd.exe	91
PID 2136 wrote to memory of 1372	2136	cmd.exe	91
PID 1372 wrote to memory of 3644	1372	ApplicationFrameHost.exe	92
PID 1372 wrote to memory of 3644	1372	ApplicationFrameHost.exe	92
PID 3644 wrote to memory of 3492	3644	cmd.exe	94
PID 3644 wrote to memory of 3492	3644	cmd.exe	94
PID 3644 wrote to memory of 5020	3644	cmd.exe	95
PID 3644 wrote to memory of 5020	3644	cmd.exe	95
PID 3644 wrote to memory of 2452	3644	cmd.exe	96
PID 3644 wrote to memory of 2452	3644	cmd.exe	96
PID 2452 wrote to memory of 4560	2452	ApplicationFrameHost.exe	98
PID 2452 wrote to memory of 4560	2452	ApplicationFrameHost.exe	98
PID 4560 wrote to memory of 2856	4560	cmd.exe	99
PID 4560 wrote to memory of 2856	4560	cmd.exe	99
PID 4560 wrote to memory of 1448	4560	cmd.exe	100
PID 4560 wrote to memory of 1448	4560	cmd.exe	100
PID 4560 wrote to memory of 4316	4560	cmd.exe	101
PID 4560 wrote to memory of 4316	4560	cmd.exe	101
PID 4316 wrote to memory of 4816	4316	ApplicationFrameHost.exe	102
PID 4316 wrote to memory of 4816	4316	ApplicationFrameHost.exe	102
PID 4816 wrote to memory of 4252	4816	cmd.exe	104
PID 4816 wrote to memory of 4252	4816	cmd.exe	104
PID 4816 wrote to memory of 4380	4816	cmd.exe	105
PID 4816 wrote to memory of 4380	4816	cmd.exe	105
PID 4816 wrote to memory of 4352	4816	cmd.exe	106
PID 4816 wrote to memory of 4352	4816	cmd.exe	106
PID 4352 wrote to memory of 1304	4352	ApplicationFrameHost.exe	107
PID 4352 wrote to memory of 1304	4352	ApplicationFrameHost.exe	107
PID 1304 wrote to memory of 1864	1304	cmd.exe	109
PID 1304 wrote to memory of 1864	1304	cmd.exe	109
PID 1304 wrote to memory of 4952	1304	cmd.exe	110
PID 1304 wrote to memory of 4952	1304	cmd.exe	110
PID 1304 wrote to memory of 4468	1304	cmd.exe	111
PID 1304 wrote to memory of 4468	1304	cmd.exe	111
PID 4468 wrote to memory of 1708	4468	ApplicationFrameHost.exe	112
PID 4468 wrote to memory of 1708	4468	ApplicationFrameHost.exe	112
PID 1708 wrote to memory of 628	1708	cmd.exe	114
PID 1708 wrote to memory of 628	1708	cmd.exe	114
PID 1708 wrote to memory of 3232	1708	cmd.exe	115
PID 1708 wrote to memory of 3232	1708	cmd.exe	115

C:\Users\Admin\AppData\Local\Temp\95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
"C:\Users\Admin\AppData\Local\Temp\95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\unsecapp.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\sysmon.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\sppsvc.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\csrss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\ApplicationFrameHost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xNB0saDiwW.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1272
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4448
- - C:\Windows\Migration\WTR\ApplicationFrameHost.exe
    "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LWAYFjljOj.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:816
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:1956
    - - C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G7Plib0M1v.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5020
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8BV8simzah.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1448
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O5FEA9wo1n.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:4380
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lkj4ltLQIw.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:4952
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TS4B5cy6px.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:3232
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4DYpxlgJN6.bat"
        16⤵
        
        PID:2096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1084
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eDg5wW3gSH.bat"
        18⤵
        
        PID:4752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:2172
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dopRv074rj.bat"
        20⤵
        
        PID:3204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:516
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4RGbRhdNMU.bat"
        22⤵
        
        PID:2076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:4588
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FyBjogktzP.bat"
        24⤵
        
        PID:4316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4808
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PU7rAfrPcL.bat"
        26⤵
        
        PID:4804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:3960
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ugdhbmYnkA.bat"
        28⤵
        
        PID:2568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        Runs ping.exe
        
        PID:2536
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DYK5nApHOr.bat"
        30⤵
        
        PID:2972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4660
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFqcUy7ESP.bat"
        32⤵
        
        PID:1376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:2716
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23Kn3rQqKa.bat"
        34⤵
        
        PID:2576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:4860
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7X1gMNi76.bat"
        36⤵
        
        PID:2760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:3272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        Runs ping.exe
        
        PID:1396
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7X1gMNi76.bat"
        38⤵
        
        PID:2080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:3112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        Runs ping.exe
        
        PID:4744
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v5UKbIUPKi.bat"
        40⤵
        
        PID:336
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        Runs ping.exe
        
        PID:2996
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\quqFCQQe7i.bat"
        42⤵
        
        PID:2816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:3080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        43⤵
        
        PID:4016
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4DYpxlgJN6.bat"
        44⤵
        
        PID:3936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        45⤵
        
        PID:3820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:628
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cPyovVCSHA.bat"
        46⤵
        
        PID:2164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:3480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        47⤵
        Runs ping.exe
        
        PID:4256
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cQTyHbvxe.bat"
        48⤵
        
        PID:4392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:1380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        49⤵
        
        PID:2736
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtyVABn1Ct.bat"
        50⤵
        
        PID:3764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:4492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        Runs ping.exe
        
        PID:3520
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OJxze5tr1B.bat"
        52⤵
        
        PID:3524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:2304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        53⤵
        
        PID:5020
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0TJHXkWh8s.bat"
        54⤵
        
        PID:3932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:1552
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        55⤵
        Runs ping.exe
        
        PID:2104
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8BV8simzah.bat"
        56⤵
        
        PID:860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        57⤵
        
        PID:4764
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8BV8simzah.bat"
        58⤵
        
        PID:3680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:4308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        59⤵
        
        PID:2748
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MVEid32eq5.bat"
        60⤵
        
        PID:1696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:3016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        61⤵
        
        PID:1148
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23Kn3rQqKa.bat"
        62⤵
        
        PID:4868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:4732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        63⤵
        
        PID:5080
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VqzzTSBcrr.bat"
        64⤵
        
        PID:2784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:2904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        65⤵
        
        PID:4660
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1eT93LUFj2.bat"
        66⤵
        
        PID:856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        67⤵
        
        PID:2716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        67⤵
        
        PID:4396
        
        C:\Windows\Migration\WTR\ApplicationFrameHost.exe
        
        "C:\Windows\Migration\WTR\ApplicationFrameHost.exe"
        67⤵
        Executes dropped EXE
        
        PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\unsecapp.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ApplicationFrameHost.exe.log

Filesize
1KB

MD5
d9fbbda32f03209ae8e2d8e1ce595b32

SHA1
04996e2efdd89a0a7f5172690f96d34abe28ccc6

SHA256
d3f038da27a23a26f88df2466c10c4a846acfdbb323987d5cdd235ade8c16a60

SHA512
5ff8493732d18f6439e548a8149d291e619ad98d4d2280367add07e8fcf38d55803bf2396dba897a239ae0ed1455b157f3a7f827432196c52bc94c5f4154db6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5ae6f0f620cf9ce16151dcc10681960a

SHA1
bdf55f4fd97ba5b49bb0b973bdfd59612c80eb1c

SHA256
859ad953a6804b021ddc01ee2f32b2d597849a2a480b4f38b0e45d67b673d911

SHA512
97bf6274791f75e8943129095b82150094b789e268f98960114837a2b0c2776c1ddd5c394c8e4b04bd4af684c4af4f4caea42d07134af3e2611d02571ada36fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f9eaf776be7d032047f91f7c2cbd66a

SHA1
91b23cf8bbc065c5c5816dfb5f80f4f332a4c3af

SHA256
426e1852dacfb355cc5876bb432a873af307142c1b8598ef006901ced6e4e1d9

SHA512
fcba50318d420c0ecbeeed14f13c6e9d85b42f382ea931964794472defb8af08473afc3876ea8873cf28e9af7fb63bbd7e33c471f66f7ed00fa2d05cb407dc15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f9eaf776be7d032047f91f7c2cbd66a

SHA1
91b23cf8bbc065c5c5816dfb5f80f4f332a4c3af

SHA256
426e1852dacfb355cc5876bb432a873af307142c1b8598ef006901ced6e4e1d9

SHA512
fcba50318d420c0ecbeeed14f13c6e9d85b42f382ea931964794472defb8af08473afc3876ea8873cf28e9af7fb63bbd7e33c471f66f7ed00fa2d05cb407dc15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f9eaf776be7d032047f91f7c2cbd66a

SHA1
91b23cf8bbc065c5c5816dfb5f80f4f332a4c3af

SHA256
426e1852dacfb355cc5876bb432a873af307142c1b8598ef006901ced6e4e1d9

SHA512
fcba50318d420c0ecbeeed14f13c6e9d85b42f382ea931964794472defb8af08473afc3876ea8873cf28e9af7fb63bbd7e33c471f66f7ed00fa2d05cb407dc15

Download Submit
C:\Users\Admin\AppData\Local\Temp\0TJHXkWh8s.bat

Filesize
177B

MD5
c874dd18d4b60d255dde9a0afa4d4212

SHA1
64e0e1211ad040131c605a62701ee188098b3401

SHA256
d3329cdaeed392fe711bba783348cb0f7719557b8530b564a4bb62fdbd954b71

SHA512
5dd0de9ea14aae7c9f1f8841a74e0b0d82a3d7442343b4d5cd0ea78661375364efa41069bc0ee1e88622f176684c4edfd91f45cb3034545402c0b558a67735f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\23Kn3rQqKa.bat

Filesize
225B

MD5
f6c82d7a046dcb9ebfecf0d130338489

SHA1
05f0d38824e472e96eb6d641b316c9ff2c380184

SHA256
2994e2cfb0fb3fb095538530d1033101ad3374ec41b1b6f8b19e67a9774030d3

SHA512
abe1479006763bfe8858eca9cf7e5da02d3b85c165711e3707166f28e9fc243f8a65c46f3f70bb06382b556de6226b7b16f6508eeaccba62deaf20ebcca0b0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DYpxlgJN6.bat

Filesize
225B

MD5
100c2100003c78c536464e287ddae9e4

SHA1
932033baef50d5e825cbdb6e924ad52f4805998c

SHA256
55d5e50962b4b58ca66c4218473103c5cbaf3a28c0f3e4cba4e57473c9cd1fda

SHA512
010cb2abc8c42867be5cdd0aaf21d49e11d7c9db603a303ea0300108f0e3db021c5d02148a635b3fdbeb1d61d47285db75340b93cd502f848db430d6504b152c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DYpxlgJN6.bat

Filesize
225B

MD5
100c2100003c78c536464e287ddae9e4

SHA1
932033baef50d5e825cbdb6e924ad52f4805998c

SHA256
55d5e50962b4b58ca66c4218473103c5cbaf3a28c0f3e4cba4e57473c9cd1fda

SHA512
010cb2abc8c42867be5cdd0aaf21d49e11d7c9db603a303ea0300108f0e3db021c5d02148a635b3fdbeb1d61d47285db75340b93cd502f848db430d6504b152c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4RGbRhdNMU.bat

Filesize
177B

MD5
80add8915a05613a944f691e4b6bddb1

SHA1
e78224f06a85b73a9652cebc28d8a1df4d5b3ec2

SHA256
6e459813b1c4edee0755e6a66cf5a9958b65803cea83573907ff1082012aad08

SHA512
192d94035627c133d59d7a9cca4f4f4b7bc71d7577ce862c82031d621540a3db7abfc2683e287f17e6b8f31eb251501b4b033237ba944b9327fd6d984bcaa7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cQTyHbvxe.bat

Filesize
225B

MD5
7262197a22018619cb65ad1fd76d3c41

SHA1
55deecace2497e6250b300130170494597f5c7cb

SHA256
7eabd83a622a7bbf30434f3ba449ceefcd7e0db686b89bc7dc2be1ad12c5b8f5

SHA512
b5d6c6f5ad5ff4a7d7a49fa2091424b0371753f3d57a2580a95ba7e0b3ddf0c89c67e8d8f75dc1306d35cb3b889205116644d0a870f790f34ccffbda160217ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BV8simzah.bat

Filesize
225B

MD5
de50d5d28590d1ab14956dc8d8bb6d98

SHA1
26fb4476416c6f4062d2844ba8162ff813d2e6bd

SHA256
136d0dbf8c6c4d70ac1e61ecb8c3589f8446df11690febb129193eba44ab0630

SHA512
725e9bbcb9c44f599d81ce605a4dfb656040d9f5cae284864d7b8fffe31f55cced05305c3b436128b12e3acb45fdf0ce0e3e7b7d07d5dafa3e8fe531792b5848

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BV8simzah.bat

Filesize
225B

MD5
de50d5d28590d1ab14956dc8d8bb6d98

SHA1
26fb4476416c6f4062d2844ba8162ff813d2e6bd

SHA256
136d0dbf8c6c4d70ac1e61ecb8c3589f8446df11690febb129193eba44ab0630

SHA512
725e9bbcb9c44f599d81ce605a4dfb656040d9f5cae284864d7b8fffe31f55cced05305c3b436128b12e3acb45fdf0ce0e3e7b7d07d5dafa3e8fe531792b5848

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BV8simzah.bat

Filesize
225B

MD5
de50d5d28590d1ab14956dc8d8bb6d98

SHA1
26fb4476416c6f4062d2844ba8162ff813d2e6bd

SHA256
136d0dbf8c6c4d70ac1e61ecb8c3589f8446df11690febb129193eba44ab0630

SHA512
725e9bbcb9c44f599d81ce605a4dfb656040d9f5cae284864d7b8fffe31f55cced05305c3b436128b12e3acb45fdf0ce0e3e7b7d07d5dafa3e8fe531792b5848

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BV8simzah.bat

Filesize
225B

MD5
de50d5d28590d1ab14956dc8d8bb6d98

SHA1
26fb4476416c6f4062d2844ba8162ff813d2e6bd

SHA256
136d0dbf8c6c4d70ac1e61ecb8c3589f8446df11690febb129193eba44ab0630

SHA512
725e9bbcb9c44f599d81ce605a4dfb656040d9f5cae284864d7b8fffe31f55cced05305c3b436128b12e3acb45fdf0ce0e3e7b7d07d5dafa3e8fe531792b5848

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYK5nApHOr.bat

Filesize
225B

MD5
4cc011701e105ddd4802c9194892000d

SHA1
f4c4b80536f4f5140f366b67e50567241f90b61e

SHA256
969cd221f0a2bf133e990fa60dc661d2439430fb401fc92a15694371715a7590

SHA512
73f56836a8190a8219c8685e33ebaed639fd9028f81aaad6d7ff4c6340469b85beab9178fa2880c3e777bc9de81fa8e01f03012e80140289392fab11f38887fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FyBjogktzP.bat

Filesize
225B

MD5
3522a583e7ad4647199b2d8e475ec389

SHA1
bfa69edb85bf94e2ca34e08c0216fe7bacebf13a

SHA256
459840185c4fc4c90b280dce5e9a80ddd64e93aa2d96e9faecbc6ebd40eef9d7

SHA512
752caca316a2bfc48276413cc463dd823923876eb47aa6449a2cb8b5e9ae00405817bc16054cd349bc79c1b8595588621d70d168acf80cb58009024887851123

Download Submit
C:\Users\Admin\AppData\Local\Temp\G7Plib0M1v.bat

Filesize
225B

MD5
238d081b081ec81d35181c75c39f87a8

SHA1
f290ebc1033693b52c94560c60b28890a16f3b49

SHA256
8f16e55c68af651d937506a5378efd6cd7953f0bad9ea17fc506e17384d5a1ae

SHA512
011cfdd50e797d4d5f06be1357216d3752289d11bff12d97febddeb132039488e03c810273a1b3e0128146da28e157c532cab9bbcd61adbff58df51e7a1be188

Download Submit
C:\Users\Admin\AppData\Local\Temp\LWAYFjljOj.bat

Filesize
177B

MD5
8ef1418c6403e46b3985ca012475e172

SHA1
15ec80dbd5eba65651d41b942d83191bdfdcd7eb

SHA256
eaeb4372e3088d9ba3514ecb9e80694389e1fc9f000b48220bec9c6c0ff65752

SHA512
9a11b38a16e6d5e2420cbfcadc5f89bd7f9303779aa8b600941a49a890d3a1641858b4e23753b763bef04210d0b369cc656bc0b0ee18aa5355960850a1e417f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\O5FEA9wo1n.bat

Filesize
177B

MD5
d561785aa63768a21c7d577b045990ff

SHA1
02ec7363870436175c02edb8d22218682a476d8a

SHA256
30d13ae2773a3479f6f3571dabde3ef453e09b2d50e256041bd4289838b776ba

SHA512
efc6880353221fedb9d4f558d9a88cebdc152459430effb4b0c60fa91bde17419c64512d74bb805052fcb0f4c3410b7181783b0c13881a008f3c54b9812a5a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\OJxze5tr1B.bat

Filesize
225B

MD5
5af2fda8095e01c85f54f67f91562f25

SHA1
31fefc19d5044ca89696edf5509064dcecf238a6

SHA256
5ab1334b6e682ccefa746bcb5e84a5f803d8fd67f7a5208e029f8a3fa15ab4e1

SHA512
112910e30f1f9e5343a53a36f3f4fde79b83264a46f1fcffe503f25305630b54006077ceb7e5661b318223beb7943f3f6d78466d75073efb58e5940b663fba1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PU7rAfrPcL.bat

Filesize
177B

MD5
bc74836a0cf0dd8249ced59ef5691d85

SHA1
7b431436ad8efe8266ebcc04059815d07e545fcd

SHA256
bd16dd5e66d6db4e8fc734491313663b770d9182c4ca0561b8ea58bdfbb1b3a3

SHA512
36d9097a3200ff393182f43d1550d9fcac692111c593f59587032e3e7488254d0fa66386e4c0e729c84ec9b4a6a335cee94e8acdf3549217991af0eb9f7a1735

Download Submit
C:\Users\Admin\AppData\Local\Temp\QtyVABn1Ct.bat

Filesize
177B

MD5
9df059b0787744c548743f80e67e1c85

SHA1
17acf7f6569257f8bd0003bbbc7547ed40b0468a

SHA256
c06f3374a629ca556d56ccb448e6af1c1d36b08843eb0741723f599bfa3ba731

SHA512
fc8669bcbeb63316ea62a9d14772e330f1426d026afeffd0df0d0cf7eb3c538efc058618e601514ed35874d4bf664991f37ec0e95e90ccc8d9f45ea77d0fb14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TS4B5cy6px.bat

Filesize
177B

MD5
23b8f3c63f26a7219126020ad660ddaf

SHA1
9074b09549c52af752f9b837c51328c894e9c0da

SHA256
1421dcc81d0159e511c9877cca5a77073e041944c3bb910e71950e4102512724

SHA512
e3cc8f4167c22a3639c156d0d4855b9bb153b250ec719696663b2a1449beaac44b8905be4ede007843803a401a552030baf1af83b9c95a5dbef9261537c57035

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFqcUy7ESP.bat

Filesize
225B

MD5
c486c893d0816d5f2ea7004a35523015

SHA1
3a177d6491dae519fc55463c7aa1ad5c11a6e3f6

SHA256
65ca18db15d93c3b127c132cfca936e9c86b6d2f8f1a62aba9a90d7e6c3ca761

SHA512
bd95892f1bf802e155302bab558682f9ecb45579a439dce53a79217e5b49d50fee4de55d44d6fbcb8da7a78bfd2c685d9e18e6e9a241532058b210fb768189cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_krvbvbe1.hvg.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cPyovVCSHA.bat

Filesize
177B

MD5
15ddbb71258c708c0b90509c4fdaa1b7

SHA1
1983a4366b55adcc657b67324c25a2b77e0152b3

SHA256
5c0428e6cbad325ac485f818aeff6408a05517bb7b37fde34c7ea6a1e435b563

SHA512
e4a482bba8d9bf0caf2ab301eac9fcfd22458beb88d2e65a8666575e6cc88d677923fe65733084cec081a34b3ab5f533fd855cca4ee8646320ab56216fceffb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dopRv074rj.bat

Filesize
177B

MD5
11e711b1d4996d7968a0754e0547263b

SHA1
31942d53f82c23080200a09c6c5089c3cadc3cdd

SHA256
60fd87a099d99c40e8b6f743d4b71d68d858879296b64d948f94c7961cf1161a

SHA512
f7c954eea3c58fabb343ea7eac05f8a2bd9aadf7f5259a944a7f3d06df408908e0dd5e4a7995537f2a160d034afe52b513593b36bf8f0c0cb705bc3955a5bdd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eDg5wW3gSH.bat

Filesize
177B

MD5
c9abd797a1991fba6174405b94c2eedc

SHA1
87b4c6f29e80f44489997467dcde1b5a0aa1b0cc

SHA256
ee385a1b0dd258e6a54c769271dccc4fbe7db975cde021f43e6480f5234316d0

SHA512
2b86c6a4a570049e4436d9dab4c6fef086b2ba17f801c7642ca6f402a3c9b3c727f7c489811c4b3c0195f3716e8e983d376572500045a3b4f61f77660eb492da

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkj4ltLQIw.bat

Filesize
177B

MD5
552be6ee958ba889830c4610d3db9917

SHA1
e06690adfe06749945a3ecc8e390fb4e977fa2e0

SHA256
1dec3a3ca855e412e01f5bcf296d04b3f0dc483c573d59cb8a6788be133de72e

SHA512
5606e2f5cc2e600eccdb6a6746d83a0783ddde83ffccc60779b0a5f7652a476403949e7d67157fb51b9b89d39c36084bf4d346d06c763697f2aa3bf5c55b8f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\quqFCQQe7i.bat

Filesize
225B

MD5
3c7deb05b1d414a008866e2ce9ddd426

SHA1
663c8d95233012d065acfafeb768634f6ce9aad7

SHA256
8c027cde37cc1c858deef31c257dee4f27b60c1b63080ad71d5e9a3f49d3272e

SHA512
43cac19a69c3a5557ff9867a18e7888ff1875f65a50bfd1b1e5cea211fbeba10f1065a48fb533475dedaed9d53dc169db42c004491ee7892435eab4395f1954a

Download Submit
C:\Users\Admin\AppData\Local\Temp\r7X1gMNi76.bat

Filesize
177B

MD5
9b1a4c089f56db69e6d77721bef57e05

SHA1
d2e75f26d2e543c308a183d61110a2d7c26e30d8

SHA256
09ca6d4d75a4cebe78f59e2a7e6d1a4bc09849a27ef09086cb95395b6c085d7c

SHA512
ddead9e2073a254009ddaedfa6cb1d03e88905453883b8a61e0f096815d16f8e5d3fcbfa9ed0d65f0afefb28b3511222b1bc910f751bec488ebabbfa85516e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\r7X1gMNi76.bat

Filesize
177B

MD5
9b1a4c089f56db69e6d77721bef57e05

SHA1
d2e75f26d2e543c308a183d61110a2d7c26e30d8

SHA256
09ca6d4d75a4cebe78f59e2a7e6d1a4bc09849a27ef09086cb95395b6c085d7c

SHA512
ddead9e2073a254009ddaedfa6cb1d03e88905453883b8a61e0f096815d16f8e5d3fcbfa9ed0d65f0afefb28b3511222b1bc910f751bec488ebabbfa85516e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugdhbmYnkA.bat

Filesize
177B

MD5
c1f8a5f647092252739060d59532d05e

SHA1
faa7b91c1080cc9c3acd338a7cbf0f4aa0701c63

SHA256
ccb675f27a82864af070b9e34b21ea4731dc898f72224d9b9f8c50aa14d711eb

SHA512
1939e297cd5a0acdf7985dc76c8747e4f666138b43fc2645f566d5a373333b793325116336a28edff7aeafc754d1fd6ea32b2154ce650a323e44b3f51a09687f

Download Submit
C:\Users\Admin\AppData\Local\Temp\v5UKbIUPKi.bat

Filesize
177B

MD5
670cfe5b0f85ee46cc597acf2027a6c2

SHA1
cba7d84ea99065439711295281bcbc2ee858a43c

SHA256
e927831b7f37d1f6912343be9af2b95c37d88c6017bf4148999b39eb4a56fbbb

SHA512
27f8fd3b9ab5b6846b5c7b01130fade8ff0193edcc0bfb16cfac2cddfd3269512806490090c3cc36b6c1dcd9fc2fab51b8befc108f6a64d9ae45bf01dd58ddfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\xNB0saDiwW.bat

Filesize
225B

MD5
b4e65e9843a8d09aa92417c3b0ccf298

SHA1
ece1dfe13d9c2f87ae8f1661cc5cdc12c5d2b087

SHA256
0df0cca546cd63d617c0fd268969bd3d276a47d75fe7e776fef3c0e328e411cd

SHA512
8e8cc675c4e2509912ff4598736e9fea9dec4551a69cf3ca7fbddb0db2b529c9de63fc85e9a7ab34e76974e852504472a0eb88475c83beb53c336afcfdd34e30

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Windows\Migration\WTR\ApplicationFrameHost.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
memory/1372-315-0x00007FF925820000-0x00007FF925821000-memory.dmp

Filesize
4KB

Download
memory/1372-313-0x000000001AE40000-0x000000001AE50000-memory.dmp

Filesize
64KB

Download
memory/1372-312-0x000000001AE40000-0x000000001AE50000-memory.dmp

Filesize
64KB

Download
memory/1372-311-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/1372-310-0x000000001AE40000-0x000000001AE50000-memory.dmp

Filesize
64KB

Download
memory/1372-309-0x00007FF9154E0000-0x00007FF915ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2660-79-0x000001B56FAB0000-0x000001B56FB26000-memory.dmp

Filesize
472KB

Download
memory/2660-68-0x00007FF9154E0000-0x00007FF915ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2660-261-0x000001B56DA90000-0x000001B56DAA0000-memory.dmp

Filesize
64KB

Download
memory/2660-149-0x000001B56DA90000-0x000001B56DAA0000-memory.dmp

Filesize
64KB

Download
memory/2660-283-0x00007FF9154E0000-0x00007FF915ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2660-63-0x000001B56DA90000-0x000001B56DAA0000-memory.dmp

Filesize
64KB

Download
memory/2660-62-0x000001B56DA90000-0x000001B56DAA0000-memory.dmp

Filesize
64KB

Download
memory/2904-60-0x000001C3ED890000-0x000001C3ED8A0000-memory.dmp

Filesize
64KB

Download
memory/2904-144-0x000001C3ED890000-0x000001C3ED8A0000-memory.dmp

Filesize
64KB

Download
memory/2904-59-0x000001C3ED890000-0x000001C3ED8A0000-memory.dmp

Filesize
64KB

Download
memory/2904-258-0x000001C3ED890000-0x000001C3ED8A0000-memory.dmp

Filesize
64KB

Download
memory/2904-281-0x00007FF9154E0000-0x00007FF915ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-45-0x00007FF9154E0000-0x00007FF915ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-262-0x00007FF9154E0000-0x00007FF915ECC000-memory.dmp

Filesize
9.9MB

Download
memory/4188-50-0x00007FF9154E0000-0x00007FF915ECC000-memory.dmp

Filesize
9.9MB

Download
memory/4188-13-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/4188-14-0x00007FF925800000-0x00007FF925801000-memory.dmp

Filesize
4KB

Download
memory/4188-16-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/4188-17-0x00007FF9257F0000-0x00007FF9257F1000-memory.dmp

Filesize
4KB

Download
memory/4188-10-0x0000000000A80000-0x0000000000A8E000-memory.dmp

Filesize
56KB

Download
memory/4188-1-0x00007FF9154E0000-0x00007FF915ECC000-memory.dmp

Filesize
9.9MB

Download
memory/4188-4-0x000000001B000000-0x000000001B010000-memory.dmp

Filesize
64KB

Download
memory/4188-6-0x00007FF925820000-0x00007FF925821000-memory.dmp

Filesize
4KB

Download
memory/4188-11-0x00007FF925810000-0x00007FF925811000-memory.dmp

Filesize
4KB

Download
memory/4188-5-0x000000001B000000-0x000000001B010000-memory.dmp

Filesize
64KB

Download
memory/4188-3-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/4188-2-0x000000001B000000-0x000000001B010000-memory.dmp

Filesize
64KB

Download
memory/4188-0-0x00000000000B0000-0x0000000000270000-memory.dmp

Filesize
1.8MB

Download
memory/4188-8-0x0000000000A70000-0x0000000000A7E000-memory.dmp

Filesize
56KB

Download
memory/4728-279-0x00007FF9154E0000-0x00007FF915ECC000-memory.dmp

Filesize
9.9MB

Download
memory/4728-54-0x00007FF9154E0000-0x00007FF915ECC000-memory.dmp

Filesize
9.9MB

Download
memory/4728-164-0x0000019F8C7D0000-0x0000019F8C7E0000-memory.dmp

Filesize
64KB

Download
memory/4728-256-0x0000019F8C7D0000-0x0000019F8C7E0000-memory.dmp

Filesize
64KB

Download
memory/4728-65-0x0000019F8C7D0000-0x0000019F8C7E0000-memory.dmp

Filesize
64KB

Download
memory/4728-64-0x0000019F8C7D0000-0x0000019F8C7E0000-memory.dmp

Filesize
64KB

Download
memory/4732-58-0x0000017FBBF80000-0x0000017FBBF90000-memory.dmp

Filesize
64KB

Download
memory/4732-67-0x00007FF9154E0000-0x00007FF915ECC000-memory.dmp

Filesize
9.9MB

Download
memory/4732-69-0x0000017FBBF80000-0x0000017FBBF90000-memory.dmp

Filesize
64KB

Download
memory/4732-159-0x0000017FBBF80000-0x0000017FBBF90000-memory.dmp

Filesize
64KB

Download
memory/4732-259-0x0000017FBBF80000-0x0000017FBBF90000-memory.dmp

Filesize
64KB

Download
memory/4732-280-0x00007FF9154E0000-0x00007FF915ECC000-memory.dmp

Filesize
9.9MB

Download
memory/4736-61-0x000001C967FF0000-0x000001C968000000-memory.dmp

Filesize
64KB

Download
memory/4736-66-0x000001C94F9D0000-0x000001C94F9F2000-memory.dmp

Filesize
136KB

Download
memory/4736-55-0x000001C967FF0000-0x000001C968000000-memory.dmp

Filesize
64KB

Download
memory/4736-142-0x000001C967FF0000-0x000001C968000000-memory.dmp

Filesize
64KB

Download
memory/4736-34-0x00007FF9154E0000-0x00007FF915ECC000-memory.dmp

Filesize
9.9MB

Download
memory/4736-260-0x000001C967FF0000-0x000001C968000000-memory.dmp

Filesize
64KB

Download
memory/4736-282-0x00007FF9154E0000-0x00007FF915ECC000-memory.dmp

Filesize
9.9MB

Download
memory/4772-288-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/4772-298-0x00007FF9257F0000-0x00007FF9257F1000-memory.dmp

Filesize
4KB

Download
memory/4772-305-0x00007FF9154E0000-0x00007FF915ECC000-memory.dmp

Filesize
9.9MB

Download
memory/4772-297-0x00007FF925800000-0x00007FF925801000-memory.dmp

Filesize
4KB

Download
memory/4772-294-0x00007FF925810000-0x00007FF925811000-memory.dmp

Filesize
4KB

Download
memory/4772-292-0x00007FF925820000-0x00007FF925821000-memory.dmp

Filesize
4KB

Download
memory/4772-291-0x000000001AF60000-0x000000001AF70000-memory.dmp

Filesize
64KB

Download
memory/4772-290-0x000000001AF60000-0x000000001AF70000-memory.dmp

Filesize
64KB

Download
memory/4772-289-0x000000001AF60000-0x000000001AF70000-memory.dmp

Filesize
64KB

Download
memory/4772-287-0x00007FF9154E0000-0x00007FF915ECC000-memory.dmp

Filesize
9.9MB

Download