zgrat | 975033d24044a83505ee98f9f3b857e114ccb5f6179db6dce90804af911eea8f

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c124f00908309cd17feca68030e5d58e.exe
Size

3.6MB
MD5

c124f00908309cd17feca68030e5d58e
SHA1

7b3b43803a22887c780e545d1b480d56c573819d
SHA256

975033d24044a83505ee98f9f3b857e114ccb5f6179db6dce90804af911eea8f
SHA512

8df041a00ae350f74e12e91a6b6050ab0b64a45c3606b483fe2f43a4c9a2ad35e09a6aab9da4a73fb70bf21c84d4e3dc230aa52cfeff884eabd8ff5434356e05
SSDEEP

98304:CQAY9x3ZQXzWyzoYqxL24dUVOOFHxKf0/0sa:CQAYvpQXr8Yqx3dunqcs

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 10 IoCs

resource	yara_rule
behavioral2/memory/1012-0-0x0000000000A00000-0x0000000000D98000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000b000000023214-89.dat	family_zgrat_v1
behavioral2/files/0x000b000000023214-102.dat	family_zgrat_v1
behavioral2/files/0x000b000000023214-101.dat	family_zgrat_v1
behavioral2/files/0x000b000000023214-170.dat	family_zgrat_v1
behavioral2/files/0x000b000000023214-236.dat	family_zgrat_v1
behavioral2/files/0x000b000000023214-300.dat	family_zgrat_v1
behavioral2/files/0x000b000000023214-430.dat	family_zgrat_v1
behavioral2/files/0x000b000000023214-494.dat	family_zgrat_v1
behavioral2/files/0x000b000000023214-558.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	c124f00908309cd17feca68030e5d58e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 14 IoCs

pid	Process
4308	dwm.exe
3356	dwm.exe
4696	dwm.exe
1968	dwm.exe
4816	dwm.exe
3016	dwm.exe
3360	dwm.exe
2308	dwm.exe
4276	dwm.exe
2372	dwm.exe
2644	dwm.exe
4324	dwm.exe
4564	dwm.exe
2132	dwm.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\Configuration\System.exe	c124f00908309cd17feca68030e5d58e.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\27d1bcfc3c54e0	c124f00908309cd17feca68030e5d58e.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe	c124f00908309cd17feca68030e5d58e.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\6cb0b6c459d5d3	c124f00908309cd17feca68030e5d58e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\RuntimeBroker.exe	c124f00908309cd17feca68030e5d58e.exe
File created	C:\Windows\Resources\9e8d7a4ca61bd9	c124f00908309cd17feca68030e5d58e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	c124f00908309cd17feca68030e5d58e.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	dwm.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
4584	PING.EXE
3528	PING.EXE
4888	PING.EXE
3888	PING.EXE
4012	PING.EXE
2608	PING.EXE
4480	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe
1012	c124f00908309cd17feca68030e5d58e.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1012	c124f00908309cd17feca68030e5d58e.exe
Token: SeDebugPrivilege	4308	dwm.exe
Token: SeDebugPrivilege	3356	dwm.exe
Token: SeDebugPrivilege	4696	dwm.exe
Token: SeDebugPrivilege	1968	dwm.exe
Token: SeDebugPrivilege	4816	dwm.exe
Token: SeDebugPrivilege	3016	dwm.exe
Token: SeDebugPrivilege	3360	dwm.exe
Token: SeDebugPrivilege	2308	dwm.exe
Token: SeDebugPrivilege	4276	dwm.exe
Token: SeDebugPrivilege	2372	dwm.exe
Token: SeDebugPrivilege	2644	dwm.exe
Token: SeDebugPrivilege	4324	dwm.exe
Token: SeDebugPrivilege	4564	dwm.exe
Token: SeDebugPrivilege	2132	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 3484	1012	c124f00908309cd17feca68030e5d58e.exe	92
PID 1012 wrote to memory of 3484	1012	c124f00908309cd17feca68030e5d58e.exe	92
PID 3484 wrote to memory of 3692	3484	cmd.exe	89
PID 3484 wrote to memory of 3692	3484	cmd.exe	89
PID 3484 wrote to memory of 4008	3484	cmd.exe	90
PID 3484 wrote to memory of 4008	3484	cmd.exe	90
PID 3484 wrote to memory of 4308	3484	cmd.exe	97
PID 3484 wrote to memory of 4308	3484	cmd.exe	97
PID 4308 wrote to memory of 1636	4308	dwm.exe	104
PID 4308 wrote to memory of 1636	4308	dwm.exe	104
PID 1636 wrote to memory of 788	1636	cmd.exe	102
PID 1636 wrote to memory of 788	1636	cmd.exe	102
PID 1636 wrote to memory of 1432	1636	cmd.exe	101
PID 1636 wrote to memory of 1432	1636	cmd.exe	101
PID 1636 wrote to memory of 3356	1636	cmd.exe	105
PID 1636 wrote to memory of 3356	1636	cmd.exe	105
PID 3356 wrote to memory of 3764	3356	dwm.exe	109
PID 3356 wrote to memory of 3764	3356	dwm.exe	109
PID 3764 wrote to memory of 1796	3764	cmd.exe	107
PID 3764 wrote to memory of 1796	3764	cmd.exe	107
PID 3764 wrote to memory of 3464	3764	cmd.exe	106
PID 3764 wrote to memory of 3464	3764	cmd.exe	106
PID 3764 wrote to memory of 4696	3764	cmd.exe	110
PID 3764 wrote to memory of 4696	3764	cmd.exe	110
PID 4696 wrote to memory of 2952	4696	dwm.exe	111
PID 4696 wrote to memory of 2952	4696	dwm.exe	111
PID 2952 wrote to memory of 788	2952	cmd.exe	113
PID 2952 wrote to memory of 788	2952	cmd.exe	113
PID 2952 wrote to memory of 4888	2952	cmd.exe	114
PID 2952 wrote to memory of 4888	2952	cmd.exe	114
PID 2952 wrote to memory of 1968	2952	cmd.exe	116
PID 2952 wrote to memory of 1968	2952	cmd.exe	116
PID 1968 wrote to memory of 924	1968	dwm.exe	117
PID 1968 wrote to memory of 924	1968	dwm.exe	117
PID 924 wrote to memory of 3192	924	cmd.exe	119
PID 924 wrote to memory of 3192	924	cmd.exe	119
PID 924 wrote to memory of 3888	924	cmd.exe	120
PID 924 wrote to memory of 3888	924	cmd.exe	120
PID 924 wrote to memory of 4816	924	cmd.exe	121
PID 924 wrote to memory of 4816	924	cmd.exe	121
PID 4816 wrote to memory of 1876	4816	dwm.exe	123
PID 4816 wrote to memory of 1876	4816	dwm.exe	123
PID 1876 wrote to memory of 3612	1876	cmd.exe	124
PID 1876 wrote to memory of 3612	1876	cmd.exe	124
PID 1876 wrote to memory of 4012	1876	cmd.exe	125
PID 1876 wrote to memory of 4012	1876	cmd.exe	125
PID 1876 wrote to memory of 3016	1876	cmd.exe	126
PID 1876 wrote to memory of 3016	1876	cmd.exe	126
PID 3016 wrote to memory of 3308	3016	dwm.exe	127
PID 3016 wrote to memory of 3308	3016	dwm.exe	127
PID 3308 wrote to memory of 3932	3308	cmd.exe	129
PID 3308 wrote to memory of 3932	3308	cmd.exe	129
PID 3308 wrote to memory of 2608	3308	cmd.exe	130
PID 3308 wrote to memory of 2608	3308	cmd.exe	130
PID 3308 wrote to memory of 3360	3308	cmd.exe	131
PID 3308 wrote to memory of 3360	3308	cmd.exe	131
PID 3360 wrote to memory of 944	3360	dwm.exe	132
PID 3360 wrote to memory of 944	3360	dwm.exe	132
PID 944 wrote to memory of 4504	944	cmd.exe	134
PID 944 wrote to memory of 4504	944	cmd.exe	134
PID 944 wrote to memory of 440	944	cmd.exe	135
PID 944 wrote to memory of 440	944	cmd.exe	135
PID 944 wrote to memory of 2308	944	cmd.exe	136
PID 944 wrote to memory of 2308	944	cmd.exe	136

C:\Users\Admin\AppData\Local\Temp\c124f00908309cd17feca68030e5d58e.exe
"C:\Users\Admin\AppData\Local\Temp\c124f00908309cd17feca68030e5d58e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ZEeXowevh.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe
    "C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cq054WUQlS.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3356
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cq054WUQlS.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IhWEZABO4r.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:4888
        
        C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e96MM2hRMu.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:3888
        
        C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qi3SEoFf8b.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:4012
        
        C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wuC6fcDv5B.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:2608
        
        C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KvMN3vAFGm.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:440
        
        C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyxiuEiAPJ.bat"
        18⤵
        
        PID:1244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:4480
        
        C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Wt8gVv2Cg.bat"
        20⤵
        
        PID:2132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2316
        
        C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MP0d2SAwec.bat"
        22⤵
        
        PID:2504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4976
        
        C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rxsaiZFWJV.bat"
        24⤵
        
        PID:1792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:4584
        
        C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6EJ44dmIex.bat"
        26⤵
        
        PID:4036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:4828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3080
        
        C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oUDKk3Fowg.bat"
        28⤵
        
        PID:4836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4996
        
        C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IhWEZABO4r.bat"
        30⤵
        
        PID:3860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:1656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        Runs ping.exe
        
        PID:3528

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:3692

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4008

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1432

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:788

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3464

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe

Filesize
51KB

MD5
bdcaa95a6a92a7ea67a9b76284aa24b9

SHA1
5ed2443abf2b55031bea18d8f2a3bc878ef8b713

SHA256
0ed813ae2b323377d849e7c68b3490b809c9a2f18413b4751782ec6d1cc7a56d

SHA512
6004649dae790cf220a0de1cc8afa933f81ed15313d79d7e037a89f00e728c7143c49b7a854158392b5844f2be4a12bf865c08bbdd284597709a4df362154c04

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe

Filesize
18KB

MD5
de613901fb434511e42c0d7309a8b524

SHA1
d6a7cf630352585e298d3963bf46cce298950b54

SHA256
d75ed4f1ad36f631f36172dad8aa6681d325602b0c8fd7a36eb588850ca61c27

SHA512
c44405a68fae5d3fc442650d1487d8b801b1701bf5b51e276167eea0fd4c0fd6be65bca873f578960dfcc169543bd684e1311729dbcf64e94c91876ed56cf922

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe

Filesize
3.2MB

MD5
326996b79ee8d0d23a84f23af72b362e

SHA1
29c13ac8e0cd7c2d7caeaeb785087986c5afaeb1

SHA256
08adbc8657bd97c052bd6d837c76947c089dc5bb49f4600fd69109bb6702cb3e

SHA512
969ad5a96f54d1daa5a419aab7503801acc93797315f513347d86abe8605d18c7e0c9b744b2306329478cc44d6b25e624a209f1ac9ad7a3f7b7237fc7ee398c2

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe

Filesize
721KB

MD5
dd0b3bc1683018dd612545e77e636cbf

SHA1
9e3f33ec469cdc1722a3ef3efa272c9084adccf4

SHA256
40af5880244a5584d37367a37629ea4ad611b7e7ea5e39fab088936fb1faf7c2

SHA512
2ce549595c1a961d2e91eac0e0fdc33cd623e89eacdc1502307d202211180b3e0099aca36e26d967f78ca5c73a6a8d8dc9cb926b48379a6468bf281876e613ca

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe

Filesize
3.6MB

MD5
c124f00908309cd17feca68030e5d58e

SHA1
7b3b43803a22887c780e545d1b480d56c573819d

SHA256
975033d24044a83505ee98f9f3b857e114ccb5f6179db6dce90804af911eea8f

SHA512
8df041a00ae350f74e12e91a6b6050ab0b64a45c3606b483fe2f43a4c9a2ad35e09a6aab9da4a73fb70bf21c84d4e3dc230aa52cfeff884eabd8ff5434356e05

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe

Filesize
3.2MB

MD5
ae3e9ece782266867eacae387e5700c0

SHA1
72a9c706900efccf5edf7ed4c867fc1359094735

SHA256
3083ff83c770587c8d29880aab6d033ab50eed1d83f7dcc2232f967cafed5d8c

SHA512
0748c4c7bc984019a5cb36630e1ec8cc8d98d1652fcda83d5210753dca670b4bb52110e6f469fc416a395d69737c67838a70e4364db78827b97ae4cb4388d083

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe

Filesize
1.7MB

MD5
59ef197eaad0314ad64bf078e90886bf

SHA1
7f8f348e2ad13f6aa0d9484c5a92896b48915013

SHA256
cd2bcda144c4624bc947edd2c5ba51386c098092a78415d5ea8ece6636409f9a

SHA512
64441985c414b47b65e42755612b8e2621c61223e947dc59aa75ebd4928065be2230ffc848b38155429924d82d41f57ba3e6cf202c70a1d304aeae1dc78ba18b

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe

Filesize
156KB

MD5
1e518916c4bda88a59ecfcd160fb8c63

SHA1
2a2d1e348342aad67ecd010f7bfffe36a565a00c

SHA256
986ae859073050143ecc20dcdfa2d01c4ba2947653da89ee05a33af755faaed2

SHA512
35a68aa4fa1a6fa85a823d142a83e11e9e669e3701da4132e573476140d72ea57d4a7371f13271c47859eb487b6282321f7d73dc999aa2081de8fd0a3f2a7508

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe

Filesize
623KB

MD5
7b01bea5d91cc9bd356ef301e11d8979

SHA1
538079876a3e6c81c9172bd39dd653e842b4f18a

SHA256
3c9238d9df482617ec948e747ee03c4a77179bb6f0854449d4b7828bab21442a

SHA512
d30f7a0cd10d56a0756851153c10f28e42face560d7f55c836fcc5cf20780ded33039d8dce31d90a12dadabd0c6b403a9a0f32817029e442f56e90cf4e8de290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
8ee01a9d8d8d1ecf515b687bf5e354ca

SHA1
c3b943dce30e425ae34e6737c7d5c3cdd92f79c5

SHA256
c45f52a36b283b46aae313b5a4fcbfbfb67b3c5ac4ee3ecd921087ddadb691a1

SHA512
6cb43253ddb3d2e5bdedcf76bc299e91ce970c6ccc53a2d9df7ba621435a6a704ce3990bdf59d939e513e609bab3daf8f110c1cca8485e1a9fe8536a67d41dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Wt8gVv2Cg.bat

Filesize
236B

MD5
80c93165aaf9427fb22db62a260356a7

SHA1
51fe716ef14a9c7667a64a4a511b4a1577044eef

SHA256
e135724650b16614ba40489cb0e8fe248df904383d96da1282206ba803b6db5b

SHA512
ed7327996e80a8892a96917e406de2b0933112cd22030abe407953daacff6200bcb39da95751552c5e529de5edd37f8b7c0258980215b865a74a67f58283e124

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ZEeXowevh.bat

Filesize
236B

MD5
749e00dca243ced6859ced9d36871bd9

SHA1
af1390f605bff11d2bbdfe505adc7889d9cadd26

SHA256
363e9931d322ce5ee8f7911394afd610da6e437572a2e1cebce08b33dc5b8a51

SHA512
61d55abf6fd0810e827b353f6c800db9ff9b57b4f4cadca3777743d776445d171b0619797efca53e5903b735acea75c33e1a9aedf031b79b351c558e41da8273

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EJ44dmIex.bat

Filesize
236B

MD5
fdda692e035e2899c0de1c0ceb8ba445

SHA1
d04cbf4c7fcbd1769abefa75f2e35a4365582028

SHA256
fe2131d64ec8b6876a465e250d53983197ede4729c95568d3b9c095d483f9285

SHA512
ced4dc5e3faf6b13ebdb2eb55b23346e00027430a0b2fa2ab3798e83ac5919d5e798ace883337350a6f263d1b923d64ae436a8736fd2e24c3073fe9b6d489320

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cq054WUQlS.bat

Filesize
236B

MD5
4b1b7a6145b58d55faee1ff2a93e8e15

SHA1
35e8904ce516fcd3b87f565eafd2b4bdfa89fa91

SHA256
e3462e8620c6113af9e2d1c646aa0f00a59d3bb6194d12bd923b35cdee2c0c19

SHA512
86c961f7d11be1554d07aa0bb597abd6ca231afc787ff541e1613cda70ca13a96f92e81f6817e7d017824d558dbfb29c4fb621e2c412525b7a6b5cc4e7696b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IhWEZABO4r.bat

Filesize
188B

MD5
a015659f91268133c43d7366fafb0959

SHA1
6e403357654a5b2c1492017f774ecde7ad788fe2

SHA256
7f1d50746f3d572d17c12a20082077c9b9176327af9eeb4448b7a1dca49ab9db

SHA512
9b73e5eb9af2e01b35e7ff99fa7abed3f372d625dfe575aae0a00a06d0200e6615708ee5112e7abbb023fca973181a3afd20d10b5ed48e8ba1a8d82156a3b932

Download Submit
C:\Users\Admin\AppData\Local\Temp\KvMN3vAFGm.bat

Filesize
236B

MD5
8f159c90ee9376dae359270c357538e6

SHA1
37f85194b4713d3801ed60fc2ccf65d016bc8e16

SHA256
1c0acf0bf3ab3c7f8f33a0559ae471235a3817729146853f1826ac550b82aa3c

SHA512
a168fcaf618df348d731bcaae6fca4c902809e9a0ea18a7acd0633ff2d15d440b5cf70e81f1b468571c764297b1d123efb057d0b5c0ec6f12e52c54d53db028b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MP0d2SAwec.bat

Filesize
236B

MD5
460fad3d412c32ff3c41f7f73691948d

SHA1
9a70aa0d7d46b7b9cb668d3c41310beac17dea0b

SHA256
1b6d623f11bf19be3bdba6ee7f6948ceee5f3872e319f2a292a8fdee07d2d340

SHA512
c29261c809f60ce7733f226424258788985ee867a52932e140c59209745a9ac988eda3751787fcf504dd59524b2a3933a71324f4de9592fc58ae6936a85c3c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyxiuEiAPJ.bat

Filesize
188B

MD5
d9cbcc7e2de9f440d3bb0886bda1b3a9

SHA1
ce85e86b9f2139dee15a5290472d605be516dedf

SHA256
1c1c8e0bfb711c8358a2efd87e181c6073ee91e89a78bfb3578f9d61c36f43ab

SHA512
c07d5a841b0a5811002ea2b9793f0031d24bd2ae7db11050878a4efa8d16862556b475c9531828ac1e48272af4e2b07ed994f22eed4ebc6d00744978b755690c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e96MM2hRMu.bat

Filesize
188B

MD5
3d4aeb11526f9e9e83c1c3f90c1398c2

SHA1
5510861487bb3b1f8bd5eb03b33fa261fff280f6

SHA256
d769c26569a80ec53c926169d2e1fc7caaa4aeae6f3b35110e956b068ef9a193

SHA512
e06c0c0a5058c930b09f0a4802f79274c518e8ad4129f2acdbcbd3c4fc5a47da89a2488fcf9a66a06e4c22bd6b408c54834320874fce0374b44bc39b6dd74755

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUDKk3Fowg.bat

Filesize
236B

MD5
98f415c96d7f56106612ed7cec91fff6

SHA1
d84e67c258df0e745d0c59122504d31a185e1a12

SHA256
060d6678654b580483364836fb407422eb566b6fb16729f034a1228c4949b04f

SHA512
c673bb9b9b8921d2cd34a7e78b04acbef6b80f15f48cf8c3a0c3a6483ddb449b8d1d276d4270a1344786af572a7ebb8edc5451700177b2799b074c236deed0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\qi3SEoFf8b.bat

Filesize
188B

MD5
4e11a7be40c2ed974aa400d03816220d

SHA1
09ed856393ce07aeef3915bac2c91025c5577aba

SHA256
4d77cbcaaf37217f27c19af07e8326887ce17e1ee7b9143bc65fb1538fb7fe31

SHA512
15c8eb93d54fbe252ac95770a47e05dce603938af8cbfa937532c216c9a8b84eb48076f9d565f96808d12952dc0ffd423e883acabb79d58745e1d9e8c7d75a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxsaiZFWJV.bat

Filesize
188B

MD5
d0eeaf775eaac17e3cddb5672a11794b

SHA1
0fc2f32135314197bf6598b64a1710aaeaeca904

SHA256
08da174cf6a09707d017088b58b454b3f99de25982c129cf48b065874f1fd4b1

SHA512
99f33f0df9ff7f9814246eb99b995b3230416eb5749a30f0951e9594afa23e09d85e4a463b0b5444af11d91f51e6362c4b171fdfdaaeff1f66649784381045b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuC6fcDv5B.bat

Filesize
188B

MD5
c6ff3a1abf58401c72876fbcd086c586

SHA1
eb845c40d38a6dc1c191d71bb2c0e089d9b43e13

SHA256
014fc1cf410ade529e900de280b0652014336fd4350e2a94041154324968c281

SHA512
f4061db0dd553cfbf022eb192342d8beca28dbb3cfaa3b7aff47ab94f3ed095b82c7ad6cb6e0feb1823b32d59ecde9433cfa28b27cea82f41daf1fc94f66170a

Download Submit
memory/1012-36-0x00007FFE352F0000-0x00007FFE352F1000-memory.dmp

Filesize
4KB

Download
memory/1012-96-0x000000001D980000-0x000000001DA4D000-memory.dmp

Filesize
820KB

Download
memory/1012-0-0x0000000000A00000-0x0000000000D98000-memory.dmp

Filesize
3.6MB

Download
memory/1012-35-0x000000001BA40000-0x000000001BA50000-memory.dmp

Filesize
64KB

Download
memory/1012-34-0x0000000002020000-0x0000000002032000-memory.dmp

Filesize
72KB

Download
memory/1012-39-0x0000000002000000-0x000000000200C000-memory.dmp

Filesize
48KB

Download
memory/1012-41-0x0000000002010000-0x0000000002020000-memory.dmp

Filesize
64KB

Download
memory/1012-43-0x00007FFE352D0000-0x00007FFE352D1000-memory.dmp

Filesize
4KB

Download
memory/1012-42-0x00007FFE355D0000-0x00007FFE3568E000-memory.dmp

Filesize
760KB

Download
memory/1012-45-0x000000001BA10000-0x000000001BA26000-memory.dmp

Filesize
88KB

Download
memory/1012-37-0x00007FFE352E0000-0x00007FFE352E1000-memory.dmp

Filesize
4KB

Download
memory/1012-48-0x000000001CE00000-0x000000001CE12000-memory.dmp

Filesize
72KB

Download
memory/1012-49-0x00007FFE352B0000-0x00007FFE352B1000-memory.dmp

Filesize
4KB

Download
memory/1012-46-0x00007FFE352C0000-0x00007FFE352C1000-memory.dmp

Filesize
4KB

Download
memory/1012-53-0x0000000002040000-0x000000000204E000-memory.dmp

Filesize
56KB

Download
memory/1012-56-0x00007FFE35290000-0x00007FFE35291000-memory.dmp

Filesize
4KB

Download
memory/1012-58-0x000000001BA00000-0x000000001BA10000-memory.dmp

Filesize
64KB

Download
memory/1012-59-0x00007FFE35280000-0x00007FFE35281000-memory.dmp

Filesize
4KB

Download
memory/1012-62-0x000000001CE80000-0x000000001CEDA000-memory.dmp

Filesize
360KB

Download
memory/1012-65-0x00007FFE35260000-0x00007FFE35261000-memory.dmp

Filesize
4KB

Download
memory/1012-71-0x000000001CE30000-0x000000001CE3E000-memory.dmp

Filesize
56KB

Download
memory/1012-74-0x00007FFE35230000-0x00007FFE35231000-memory.dmp

Filesize
4KB

Download
memory/1012-77-0x00007FFE35220000-0x00007FFE35221000-memory.dmp

Filesize
4KB

Download
memory/1012-76-0x000000001CE40000-0x000000001CE4C000-memory.dmp

Filesize
48KB

Download
memory/1012-80-0x000000001CF30000-0x000000001CF7E000-memory.dmp

Filesize
312KB

Download
memory/1012-79-0x00007FFE35210000-0x00007FFE35211000-memory.dmp

Filesize
4KB

Download
memory/1012-73-0x000000001CE60000-0x000000001CE78000-memory.dmp

Filesize
96KB

Download
memory/1012-69-0x00007FFE35240000-0x00007FFE35241000-memory.dmp

Filesize
4KB

Download
memory/1012-68-0x00007FFE35250000-0x00007FFE35251000-memory.dmp

Filesize
4KB

Download
memory/1012-67-0x000000001CE20000-0x000000001CE30000-memory.dmp

Filesize
64KB

Download
memory/1012-64-0x000000001BA30000-0x000000001BA3E000-memory.dmp

Filesize
56KB

Download
memory/1012-60-0x00007FFE35270000-0x00007FFE35271000-memory.dmp

Filesize
4KB

Download
memory/1012-25-0x00007FFE35320000-0x00007FFE35321000-memory.dmp

Filesize
4KB

Download
memory/1012-55-0x000000001B9F0000-0x000000001BA00000-memory.dmp

Filesize
64KB

Download
memory/1012-51-0x00007FFE352A0000-0x00007FFE352A1000-memory.dmp

Filesize
4KB

Download
memory/1012-50-0x000000001D350000-0x000000001D878000-memory.dmp

Filesize
5.2MB

Download
memory/1012-99-0x00007FFE17F80000-0x00007FFE18A41000-memory.dmp

Filesize
10.8MB

Download
memory/1012-29-0x000000001BA40000-0x000000001BA50000-memory.dmp

Filesize
64KB

Download
memory/1012-97-0x00007FFE355D0000-0x00007FFE3568E000-memory.dmp

Filesize
760KB

Download
memory/1012-24-0x00007FFE17F80000-0x00007FFE18A41000-memory.dmp

Filesize
10.8MB

Download
memory/1012-30-0x00007FFE35300000-0x00007FFE35301000-memory.dmp

Filesize
4KB

Download
memory/1012-32-0x0000000001FF0000-0x0000000001FFE000-memory.dmp

Filesize
56KB

Download
memory/1012-1-0x00007FFE17F80000-0x00007FFE18A41000-memory.dmp

Filesize
10.8MB

Download
memory/1012-3-0x000000001BA40000-0x000000001BA50000-memory.dmp

Filesize
64KB

Download
memory/1012-2-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/1012-4-0x000000001BA40000-0x000000001BA50000-memory.dmp

Filesize
64KB

Download
memory/1012-6-0x00000000019E0000-0x0000000001A06000-memory.dmp

Filesize
152KB

Download
memory/1012-26-0x00007FFE35310000-0x00007FFE35311000-memory.dmp

Filesize
4KB

Download
memory/1012-28-0x00000000019D0000-0x00000000019E0000-memory.dmp

Filesize
64KB

Download
memory/1012-20-0x0000000001A30000-0x0000000001A48000-memory.dmp

Filesize
96KB

Download
memory/1012-7-0x00007FFE355D0000-0x00007FFE3568E000-memory.dmp

Filesize
760KB

Download
memory/1012-23-0x00000000019C0000-0x00000000019D0000-memory.dmp

Filesize
64KB

Download
memory/1012-8-0x00007FFE35370000-0x00007FFE35371000-memory.dmp

Filesize
4KB

Download
memory/1012-21-0x00007FFE35330000-0x00007FFE35331000-memory.dmp

Filesize
4KB

Download
memory/1012-17-0x00000000019B0000-0x00000000019C0000-memory.dmp

Filesize
64KB

Download
memory/1012-14-0x0000000001A10000-0x0000000001A2C000-memory.dmp

Filesize
112KB

Download
memory/1012-18-0x00007FFE35340000-0x00007FFE35341000-memory.dmp

Filesize
4KB

Download
memory/1012-12-0x00007FFE35350000-0x00007FFE35351000-memory.dmp

Filesize
4KB

Download
memory/1012-15-0x000000001B9A0000-0x000000001B9F0000-memory.dmp

Filesize
320KB

Download
memory/1012-10-0x0000000001950000-0x000000000195E000-memory.dmp

Filesize
56KB

Download
memory/1012-11-0x00007FFE35360000-0x00007FFE35361000-memory.dmp

Filesize
4KB

Download
memory/1968-361-0x000000001C450000-0x000000001C51D000-memory.dmp

Filesize
820KB

Download
memory/2132-1007-0x000000001D7B0000-0x000000001D87D000-memory.dmp

Filesize
820KB

Download
memory/2308-618-0x000000001DDA0000-0x000000001DE6D000-memory.dmp

Filesize
820KB

Download
memory/2372-750-0x000000001D0A0000-0x000000001D16D000-memory.dmp

Filesize
820KB

Download
memory/2644-814-0x000000001D230000-0x000000001D2FD000-memory.dmp

Filesize
820KB

Download
memory/3016-490-0x000000001C820000-0x000000001C8ED000-memory.dmp

Filesize
820KB

Download
memory/3356-232-0x000000001CEA0000-0x000000001CF6D000-memory.dmp

Filesize
820KB

Download
memory/3360-554-0x000000001D760000-0x000000001D82D000-memory.dmp

Filesize
820KB

Download
memory/4276-683-0x000000001DC30000-0x000000001DCFD000-memory.dmp

Filesize
820KB

Download
memory/4308-103-0x00007FFE17F50000-0x00007FFE18A11000-memory.dmp

Filesize
10.8MB

Download
memory/4308-106-0x000000001BDC0000-0x000000001BDD0000-memory.dmp

Filesize
64KB

Download
memory/4308-166-0x000000001CD30000-0x000000001CDFD000-memory.dmp

Filesize
820KB

Download
memory/4308-105-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download
memory/4308-104-0x000000001BDC0000-0x000000001BDD0000-memory.dmp

Filesize
64KB

Download
memory/4324-878-0x000000001DEA0000-0x000000001DF6D000-memory.dmp

Filesize
820KB

Download
memory/4564-943-0x000000001D4E0000-0x000000001D5AD000-memory.dmp

Filesize
820KB

Download
memory/4696-296-0x000000001CB00000-0x000000001CBCD000-memory.dmp

Filesize
820KB

Download
memory/4816-426-0x000000001C980000-0x000000001CA4D000-memory.dmp

Filesize
820KB

Download