zgrat | 30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

Analysis

max time kernel
293s
max time network
297s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
26/11/2023, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
Size

1.7MB
MD5

70c2aed9dbc97b5246846aed8e6cbe92
SHA1

4a4958cabd319d4015094b1fd7c01ee5e92584b2
SHA256

30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face
SHA512

6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 22 IoCs

resource	yara_rule
behavioral1/memory/2280-0-0x0000000001110000-0x00000000012D0000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000015cf1-26.dat	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-81.dat	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-80.dat	family_zgrat_v1
behavioral1/memory/436-83-0x0000000000060000-0x0000000000220000-memory.dmp	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-102.dat	family_zgrat_v1
behavioral1/memory/2812-103-0x0000000000820000-0x00000000009E0000-memory.dmp	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-123.dat	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-143.dat	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-164.dat	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-185.dat	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-211.dat	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-232.dat	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-253.dat	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-275.dat	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-297.dat	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-319.dat	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-341.dat	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-362.dat	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-383.dat	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-404.dat	family_zgrat_v1
behavioral1/files/0x001d000000015c5c-425.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 17 IoCs

pid	Process
436	explorer.exe
2812	explorer.exe
2872	explorer.exe
1316	explorer.exe
1368	explorer.exe
2184	explorer.exe
2648	explorer.exe
1820	explorer.exe
1300	explorer.exe
2384	explorer.exe
1552	explorer.exe
1608	explorer.exe
2864	explorer.exe
1144	explorer.exe
2860	explorer.exe
2712	explorer.exe
1400	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\en-US\csrss.exe	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
File created	C:\Program Files\Internet Explorer\en-US\886983d96e3d3e	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsass.exe	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6203df4a6bafc7	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
File created	C:\Program Files\Internet Explorer\en-US\csrss.exe	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\tracing\lsm.exe	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
File created	C:\Windows\tracing\101b941d020240	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	explorer.exe

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
612	PING.EXE
2652	PING.EXE
1076	PING.EXE
2776	PING.EXE
2184	PING.EXE
2156	PING.EXE
1420	PING.EXE
1984	PING.EXE
2120	PING.EXE
2660	PING.EXE
2096	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
3008	powershell.exe
2696	powershell.exe
2692	powershell.exe
2632	powershell.exe
2708	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	436	explorer.exe
Token: SeDebugPrivilege	2812	explorer.exe
Token: SeDebugPrivilege	2872	explorer.exe
Token: SeDebugPrivilege	1316	explorer.exe
Token: SeDebugPrivilege	1368	explorer.exe
Token: SeDebugPrivilege	2184	explorer.exe
Token: SeDebugPrivilege	2648	explorer.exe
Token: SeDebugPrivilege	1820	explorer.exe
Token: SeDebugPrivilege	1300	explorer.exe
Token: SeDebugPrivilege	2384	explorer.exe
Token: SeDebugPrivilege	1552	explorer.exe
Token: SeDebugPrivilege	1608	explorer.exe
Token: SeDebugPrivilege	2864	explorer.exe
Token: SeDebugPrivilege	1144	explorer.exe
Token: SeDebugPrivilege	2860	explorer.exe
Token: SeDebugPrivilege	2712	explorer.exe
Token: SeDebugPrivilege	1400	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 3008	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	28
PID 2280 wrote to memory of 3008	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	28
PID 2280 wrote to memory of 3008	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	28
PID 2280 wrote to memory of 2632	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	29
PID 2280 wrote to memory of 2632	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	29
PID 2280 wrote to memory of 2632	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	29
PID 2280 wrote to memory of 2692	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	30
PID 2280 wrote to memory of 2692	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	30
PID 2280 wrote to memory of 2692	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	30
PID 2280 wrote to memory of 2696	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	34
PID 2280 wrote to memory of 2696	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	34
PID 2280 wrote to memory of 2696	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	34
PID 2280 wrote to memory of 2708	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	32
PID 2280 wrote to memory of 2708	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	32
PID 2280 wrote to memory of 2708	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	32
PID 2280 wrote to memory of 2624	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	38
PID 2280 wrote to memory of 2624	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	38
PID 2280 wrote to memory of 2624	2280	30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe	38
PID 2624 wrote to memory of 2428	2624	cmd.exe	40
PID 2624 wrote to memory of 2428	2624	cmd.exe	40
PID 2624 wrote to memory of 2428	2624	cmd.exe	40
PID 2624 wrote to memory of 1648	2624	cmd.exe	41
PID 2624 wrote to memory of 1648	2624	cmd.exe	41
PID 2624 wrote to memory of 1648	2624	cmd.exe	41
PID 2624 wrote to memory of 436	2624	cmd.exe	42
PID 2624 wrote to memory of 436	2624	cmd.exe	42
PID 2624 wrote to memory of 436	2624	cmd.exe	42
PID 436 wrote to memory of 1384	436	explorer.exe	43
PID 436 wrote to memory of 1384	436	explorer.exe	43
PID 436 wrote to memory of 1384	436	explorer.exe	43
PID 1384 wrote to memory of 1188	1384	cmd.exe	45
PID 1384 wrote to memory of 1188	1384	cmd.exe	45
PID 1384 wrote to memory of 1188	1384	cmd.exe	45
PID 1384 wrote to memory of 1420	1384	cmd.exe	46
PID 1384 wrote to memory of 1420	1384	cmd.exe	46
PID 1384 wrote to memory of 1420	1384	cmd.exe	46
PID 1384 wrote to memory of 2812	1384	cmd.exe	47
PID 1384 wrote to memory of 2812	1384	cmd.exe	47
PID 1384 wrote to memory of 2812	1384	cmd.exe	47
PID 2812 wrote to memory of 2932	2812	explorer.exe	48
PID 2812 wrote to memory of 2932	2812	explorer.exe	48
PID 2812 wrote to memory of 2932	2812	explorer.exe	48
PID 2932 wrote to memory of 2384	2932	cmd.exe	50
PID 2932 wrote to memory of 2384	2932	cmd.exe	50
PID 2932 wrote to memory of 2384	2932	cmd.exe	50
PID 2932 wrote to memory of 612	2932	cmd.exe	51
PID 2932 wrote to memory of 612	2932	cmd.exe	51
PID 2932 wrote to memory of 612	2932	cmd.exe	51
PID 2932 wrote to memory of 2872	2932	cmd.exe	54
PID 2932 wrote to memory of 2872	2932	cmd.exe	54
PID 2932 wrote to memory of 2872	2932	cmd.exe	54
PID 2872 wrote to memory of 280	2872	explorer.exe	55
PID 2872 wrote to memory of 280	2872	explorer.exe	55
PID 2872 wrote to memory of 280	2872	explorer.exe	55
PID 280 wrote to memory of 1728	280	cmd.exe	57
PID 280 wrote to memory of 1728	280	cmd.exe	57
PID 280 wrote to memory of 1728	280	cmd.exe	57
PID 280 wrote to memory of 1984	280	cmd.exe	58
PID 280 wrote to memory of 1984	280	cmd.exe	58
PID 280 wrote to memory of 1984	280	cmd.exe	58
PID 280 wrote to memory of 1316	280	cmd.exe	59
PID 280 wrote to memory of 1316	280	cmd.exe	59
PID 280 wrote to memory of 1316	280	cmd.exe	59
PID 1316 wrote to memory of 2412	1316	explorer.exe	60

C:\Users\Admin\AppData\Local\Temp\30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe
"C:\Users\Admin\AppData\Local\Temp\30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\lsm.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsass.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsass.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76L9w2BeVU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2428
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1648
- - C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hQfvaPZ4NL.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1188
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:1420
    - - C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NcI1AeIbpc.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:612
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z6jdsJyxgU.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:1984
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LsGNVHQP6j.bat"
        10⤵
        
        PID:2412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1612
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F7CrwxjwXa.bat"
        12⤵
        
        PID:2600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2552
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4MZx53eLuH.bat"
        14⤵
        
        PID:2860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2704
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T6xLp4JQ8y.bat"
        16⤵
        
        PID:1908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:2652
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U2rmp5bpWK.bat"
        18⤵
        
        PID:1016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2556
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE9Vp3kbLE.bat"
        20⤵
        
        PID:2884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1112
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p6i2Y3psmC.bat"
        22⤵
        
        PID:1996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:1076
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fVhKC50lXd.bat"
        24⤵
        
        PID:240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:2776
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04fYIssV3e.bat"
        26⤵
        
        PID:2136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:2120
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZzsG8LzQBI.bat"
        28⤵
        
        PID:1296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        Runs ping.exe
        
        PID:2660
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMorhJGzBL.bat"
        30⤵
        
        PID:768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        Runs ping.exe
        
        PID:2184
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7B3lpetaR.bat"
        32⤵
        
        PID:2160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:2624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        Runs ping.exe
        
        PID:2096
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oHf0I0Wzs1.bat"
        34⤵
        
        PID:1468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:1536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:568
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9YD2Vui68H.bat"
        36⤵
        
        PID:1372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        Runs ping.exe
        
        PID:2156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsass.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

Filesize
1.7MB

MD5
70c2aed9dbc97b5246846aed8e6cbe92

SHA1
4a4958cabd319d4015094b1fd7c01ee5e92584b2

SHA256
30e2e3c9d48bcf3fb5b5fb0b6ea7edf076ff68e4f11ffb55753a71b3c863face

SHA512
6d2cd2b422dabf1a668753664e9679cb8f0172b859d41a80a832047c41594e8cf4b08ba438815a83f9d4555d7c66c7baf7430bd142fb792d9c32606422b91aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\04fYIssV3e.bat

Filesize
196B

MD5
35bf48a4fd6044b6a57ba176dfa7f7b7

SHA1
2e6b093857cf7db16de9e7afe83d434be50406fa

SHA256
3f7048e253db73b31e99c1d42a4a42c90ba621129d4d4caf52b7c2bfe743c2a0

SHA512
b580ba2949200841813fd42f8f08884603c1fe3484a8f5637cf91a6614a3fea9bb5c04d0dc77e28b1a35d5da9abf36df4d426f9dcf6e7d6d6370cefe69ae28a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4MZx53eLuH.bat

Filesize
244B

MD5
2264b21b6c22dda361001b2bebb73f5b

SHA1
01e149afadabf26ef6e11270ffaae582e80a7079

SHA256
361cf5d7c7110aa2d2ea93a44b4aec6d427ba2587423b94026096fa87cb89205

SHA512
1330c0fe4881619aab28a5fbd62ad75b8c1b119bcf21e967fd5f4c43a8e11f503b7ffb1ec3c73ed4d9f4597e868f3c36e755e1d29eb6697306c6d7c5e153a2c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\76L9w2BeVU.bat

Filesize
244B

MD5
25358e35a4d310496b3f023f5ce6cdb0

SHA1
abcdef1a31abee3f2918ca95666d07610f48cdf6

SHA256
0ba78d9681640a285125e3e520d681e59a93911103198d190d04a7066a4c54f8

SHA512
cdab76153acd01b0cef9b58908fb4e197e631fc484e62c150d01aa041a25ed9aaf6ca252c7eab3c1f2bb0d8dfc26c88416843b2b8d745b523c3c5b19a73f1dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\9YD2Vui68H.bat

Filesize
196B

MD5
52e737b1be50e4f098566a9e48beae85

SHA1
b52e60d954a65aa9136eec2750a452cbe554a02d

SHA256
0ae841bec7000b88172a73014113cead26898f4c6d36a1d56d9f32c355b8cc5f

SHA512
e6d7e5ffeee305d9c8c50e8bd42b93ac7ffb1ac268034a58bdd30df0dd70b78bb383948906a461271bba1a416ba0681092c2b3c03eeb438296f18455b85be075

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7CrwxjwXa.bat

Filesize
244B

MD5
edd46679df20d3d3c8f5d3ec37d9c9f0

SHA1
06a165323190cca7782e2fe4d31bc4c530dd1332

SHA256
22148508afb64c7f9aaec25ae36ba79eb4c479e9b722f4146358cffb6a22de3d

SHA512
6ba6cb8dc3f68854f54b60c5de0e1a60d895d8f5b225832a6d25d0c131d509da58a4c6b34a2e1470999f9227e54bc27ced654e16f9385b555c5a782ad6556c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsGNVHQP6j.bat

Filesize
244B

MD5
1bae6d7901a8b664aec84b5fbb259431

SHA1
9b83f1ff7b6d89b9cb90811464635cdd12086dd8

SHA256
e2719c4b2a8bee1a43ccffebf69487f36df2ed900d660611921b02cbf6b9bd72

SHA512
a58497ae9d5f7a3308de3ff03b6c98131d6e04dc74a1da9c990d8f407c407ecd6889e55909fc50f81619d6a9ac747c16565727851c8ffa69644b256f2f528c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\N7B3lpetaR.bat

Filesize
196B

MD5
edceab85fccb3e277cf2297b7f0727a1

SHA1
989a737aa2065dace005a8c3c09e7f1223ab6398

SHA256
60444a229b32eb65fc169d1aabdaef4aa9d893b4286cfb4d32d0e8c046e02dde

SHA512
23353ed20ea47c647af7f58d31730f619f4ac65edb48b829a7afde2c581d2cf1633da60168693b40fa736ac600441c1ded502e28e9ede025136e307292b49cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NcI1AeIbpc.bat

Filesize
196B

MD5
efe4de55100346eaaba3ee1bdf503435

SHA1
9370813acfa718330a5bda96fe135f598a02db91

SHA256
646d94f4e0e671904d55acfa335f916ed7c1a4adbd966492fe5af2e5ad3e6917

SHA512
49d82fb2e11c65207033702203c4c321ac312ff5663cb6c6e3a277ca60c7f9efb98883da930b89f5360874e9628c1ee1558871ece31477a9dd2fe2dca73810c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE9Vp3kbLE.bat

Filesize
244B

MD5
b6b97e2393b639ab1593602885f68ba6

SHA1
2ee1f56f66167eb953bc9dcb078732709f58d7c5

SHA256
5944e691f4755d4ee0696a02c55648af3de0c629f8672192488f433ca5163eb1

SHA512
867f15fae065ec594acf45c2f4f4b7ac314ece16c06bc33e9fad8bfa9fdd20c5d74fbe0ca660f8fb5307fea6e69814876f000609e3e68087ece52d21310ed67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\T6xLp4JQ8y.bat

Filesize
196B

MD5
1d06ba1471da3984867896d5edc476fc

SHA1
37d0f298fc1e976b449f182a91031886483169e0

SHA256
1e4a3237aef26d6c6324e730ce0ea52164675584fc6e55cf1dfa2e3aef0a3509

SHA512
74dcd537965284fe9efb6e391a6ee785caadb7f736ef2a19d566c7b3bcfc5ea8e70d56628e34891e4af401ae17fe837abbf7284a24440163f910da531f33c9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\U2rmp5bpWK.bat

Filesize
244B

MD5
be3785b93fb17861ad0fdd21b4d6d4c6

SHA1
8769f24303326a0b486112fd0ea18c9b7b3d5ad4

SHA256
12713932dfcf920e8379c4e0df2d06713d1e2bd5dd56fbee0902c55805c1f745

SHA512
747086639e4627e53fb30a9b204a62dad15c673a9bbe3150b101a93d4d3c21d7fa2d23979e5e455a34d7e33329bab793e8ec499ac7baccd3ed7f0be93f10c19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMorhJGzBL.bat

Filesize
196B

MD5
c69d56cee0b2345f2ffbb0875554f61f

SHA1
50cc0396e1a13c7011cd45ed83e007e540fcd1b9

SHA256
77435bdfafc071d848d7262152c876b425d5c6709216757190dfb4206482f55f

SHA512
216b903e467d9a9ab442b9d78b608f58f0fef6c81f4e9ba62ecb68a723d49322f02d7f573954767bda69166ed1a37682aa3ac770de29c202874e86edcc17dcb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z6jdsJyxgU.bat

Filesize
196B

MD5
40d30dd1e7841ebb9c0aa90e57c95df0

SHA1
c85972015336efad6e543cbc68269b5c35620b86

SHA256
b7b373d43b782863934310f13434b8a9fbb326ebda56b0128767577a2327e0b6

SHA512
3c0328afe3051208878c352c681a4785bbea6c1b02e59f9d3200f6c707e4bb5b1aaa7e37992e3b40654ea8f6392c622921cbfa11f1ad37bb00a0a3377efd6a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZzsG8LzQBI.bat

Filesize
196B

MD5
55f6fcde3c6880249515e30f4cf463bc

SHA1
3d127195d48662e3602b8547a2a26738ffb03c04

SHA256
cc8539331a59daf3e029c120b964f9499d54c547679b75a5f272305f5e9dae99

SHA512
b66404068c524b2ba0a36d2a8e1f8c0e84618be382bfab63a6d7823b6080d9f285258aa61cda5b1afaf839c941ccf473ce2a9d8fec66c718b54cf151adb67648

Download Submit
C:\Users\Admin\AppData\Local\Temp\fVhKC50lXd.bat

Filesize
196B

MD5
9c3c9544d120dbd0d7cb2f0904d78218

SHA1
db90282e1b4573df3035206adc564136346434e0

SHA256
8bbc3dcc68e705182bf0acfbf7585a2c90324f5453f13b6175e9e2a64e0a47bf

SHA512
a780a9e04663e951fd2318d9ee737f19d143628bcedb2d800bc29ae10e1a947e5f711c588d6b32ff6ab5d354e24da748fc7f5c9e9b5b9fcb704735a413a0451e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQfvaPZ4NL.bat

Filesize
196B

MD5
26ab4b044800f6199fa4f61d4b0dacf4

SHA1
ae1fa08329cd4733a0e3a5ea652fa9e969b5ac17

SHA256
6589efe6c29fdede4185681706b6e0cb7dc9dfd48b016d97d826698cb1bf3520

SHA512
eb2c26d3f47c4ae859b5f47dafb21d8940a32cabf059a7cd5d3275c74ea1c4cf75db25c2d2eabef380dc94cdbdc6b0750b9da79a033bf4e3e6bbf8263d48bbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oHf0I0Wzs1.bat

Filesize
244B

MD5
f4f13cc9e9b93993db594381d1f4b7ac

SHA1
fec838eafb6907144a4e342a2eb252587d9bcfcb

SHA256
601ce66ed94718a1133aa5de55da52a96a242802b241be36d6bafa5d0a269012

SHA512
bbadc5cc9c4dc178e30b54afcdc66e66abfd52af4adb6433bcd70696ab6b29a6cfe62788c6bd22c172b498cd8d1948a048856d7c01d32895e92c18d68b56d329

Download Submit
C:\Users\Admin\AppData\Local\Temp\p6i2Y3psmC.bat

Filesize
196B

MD5
b5b3d79567b59cdc13130575c4d551b9

SHA1
43a75a392b7406ed62484875c4c646751ea40f14

SHA256
3d6b11be5993dd554f7a070854fcfe19bc35a4da020b54187f9215933ee686fb

SHA512
70bbc5de6b4f92bf99b9b273c3ed8280371234aa824b3d1c27a267a2b9973d26da6103cc4392baf27a9d8f9619ea9cc9fd4d8e960242aaf0663ca38c54fb8d71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
94d484199f720e986a45d0cd3bf140ce

SHA1
5d133901092be00da5814ea985643189c8f69d42

SHA256
0ca72e8936409aff96359044f53d30f6077f968c79be69f8fcd3edb9ae2767ee

SHA512
61970e19c1492d5c62a868b8fbdfaed5bc79262d473492bf9ee77784b29cef5780032ed9ae88f95a508330fcc55006f160757135ecee94c787f5cfd87111b196

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
94d484199f720e986a45d0cd3bf140ce

SHA1
5d133901092be00da5814ea985643189c8f69d42

SHA256
0ca72e8936409aff96359044f53d30f6077f968c79be69f8fcd3edb9ae2767ee

SHA512
61970e19c1492d5c62a868b8fbdfaed5bc79262d473492bf9ee77784b29cef5780032ed9ae88f95a508330fcc55006f160757135ecee94c787f5cfd87111b196

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
94d484199f720e986a45d0cd3bf140ce

SHA1
5d133901092be00da5814ea985643189c8f69d42

SHA256
0ca72e8936409aff96359044f53d30f6077f968c79be69f8fcd3edb9ae2767ee

SHA512
61970e19c1492d5c62a868b8fbdfaed5bc79262d473492bf9ee77784b29cef5780032ed9ae88f95a508330fcc55006f160757135ecee94c787f5cfd87111b196

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HXQF2H6JF3R6N4CNDUI7.temp

Filesize
7KB

MD5
94d484199f720e986a45d0cd3bf140ce

SHA1
5d133901092be00da5814ea985643189c8f69d42

SHA256
0ca72e8936409aff96359044f53d30f6077f968c79be69f8fcd3edb9ae2767ee

SHA512
61970e19c1492d5c62a868b8fbdfaed5bc79262d473492bf9ee77784b29cef5780032ed9ae88f95a508330fcc55006f160757135ecee94c787f5cfd87111b196

Download Submit
memory/436-93-0x00000000770D0000-0x00000000770D1000-memory.dmp

Filesize
4KB

Download
memory/436-84-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/436-85-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/436-86-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/436-87-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/436-88-0x00000000770F0000-0x00000000770F1000-memory.dmp

Filesize
4KB

Download
memory/436-91-0x00000000770E0000-0x00000000770E1000-memory.dmp

Filesize
4KB

Download
memory/436-82-0x000007FEF4E00000-0x000007FEF57EC000-memory.dmp

Filesize
9.9MB

Download
memory/436-95-0x00000000770C0000-0x00000000770C1000-memory.dmp

Filesize
4KB

Download
memory/436-83-0x0000000000060000-0x0000000000220000-memory.dmp

Filesize
1.8MB

Download
memory/436-101-0x000007FEF4E00000-0x000007FEF57EC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-16-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/2280-13-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/2280-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2280-4-0x000000001B4E0000-0x000000001B560000-memory.dmp

Filesize
512KB

Download
memory/2280-5-0x000000001B4E0000-0x000000001B560000-memory.dmp

Filesize
512KB

Download
memory/2280-6-0x00000000770F0000-0x00000000770F1000-memory.dmp

Filesize
4KB

Download
memory/2280-8-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/2280-10-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/2280-11-0x00000000770E0000-0x00000000770E1000-memory.dmp

Filesize
4KB

Download
memory/2280-1-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-14-0x00000000770D0000-0x00000000770D1000-memory.dmp

Filesize
4KB

Download
memory/2280-42-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-2-0x000000001B4E0000-0x000000001B560000-memory.dmp

Filesize
512KB

Download
memory/2280-17-0x00000000770C0000-0x00000000770C1000-memory.dmp

Filesize
4KB

Download
memory/2280-0-0x0000000001110000-0x00000000012D0000-memory.dmp

Filesize
1.8MB

Download
memory/2632-43-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/2632-71-0x000007FEEE8C0000-0x000007FEEF25D000-memory.dmp

Filesize
9.6MB

Download
memory/2632-75-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2632-76-0x00000000026B4000-0x00000000026B7000-memory.dmp

Filesize
12KB

Download
memory/2692-66-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2692-64-0x000007FEEE8C0000-0x000007FEEF25D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-68-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2692-74-0x00000000027FB000-0x0000000002862000-memory.dmp

Filesize
412KB

Download
memory/2692-70-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/2696-61-0x000007FEEE8C0000-0x000007FEEF25D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-67-0x00000000027DB000-0x0000000002842000-memory.dmp

Filesize
412KB

Download
memory/2696-65-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/2708-63-0x000007FEEE8C0000-0x000007FEEF25D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-77-0x000007FEEE8C0000-0x000007FEEF25D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-72-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/2708-79-0x000007FEEE8C0000-0x000007FEEF25D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-78-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/2812-108-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/2812-106-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2812-103-0x0000000000820000-0x00000000009E0000-memory.dmp

Filesize
1.8MB

Download
memory/2812-104-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-105-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/2812-107-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download
memory/2812-110-0x00000000770F0000-0x00000000770F1000-memory.dmp

Filesize
4KB

Download
memory/2812-112-0x00000000770E0000-0x00000000770E1000-memory.dmp

Filesize
4KB

Download
memory/2812-114-0x00000000770D0000-0x00000000770D1000-memory.dmp

Filesize
4KB

Download
memory/2812-122-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-116-0x00000000770C0000-0x00000000770C1000-memory.dmp

Filesize
4KB

Download
memory/2872-129-0x00000000770F0000-0x00000000770F1000-memory.dmp

Filesize
4KB

Download
memory/2872-124-0x000007FEF4C60000-0x000007FEF564C000-memory.dmp

Filesize
9.9MB

Download
memory/2872-128-0x000000001B540000-0x000000001B5C0000-memory.dmp

Filesize
512KB

Download
memory/2872-125-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2872-127-0x000000001B540000-0x000000001B5C0000-memory.dmp

Filesize
512KB

Download
memory/3008-69-0x000007FEEE8C0000-0x000007FEEF25D000-memory.dmp

Filesize
9.6MB

Download
memory/3008-54-0x0000000001FA0000-0x0000000001FA8000-memory.dmp

Filesize
32KB

Download
memory/3008-62-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/3008-60-0x000007FEEE8C0000-0x000007FEEF25D000-memory.dmp

Filesize
9.6MB

Download
memory/3008-73-0x000000000290B000-0x0000000002972000-memory.dmp

Filesize
412KB

Download