zgrat | f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97

Analysis

max time kernel
299s
max time network
300s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
28-01-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
Size

1.7MB
MD5

596404d266d7105282abdc1c6ad1ad25
SHA1

9ba501299f1f8930e705d2deaad6c2fd896ffb5b
SHA256

f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97
SHA512

884dbb24455fae479e3351a1a28b4ae13635ed3c0ff5c0e1a822837bff6a53891a332e6fef14e933c34d358ef91edc742ca73294c06bf33426436972967574ce
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 18 IoCs

resource	yara_rule
behavioral2/memory/1932-0-0x0000000000450000-0x0000000000610000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000600000001ac1a-26.dat	family_zgrat_v1
behavioral2/files/0x000c00000001ab45-286.dat	family_zgrat_v1
behavioral2/files/0x000c00000001ab45-285.dat	family_zgrat_v1
behavioral2/files/0x000c00000001ab45-308.dat	family_zgrat_v1
behavioral2/files/0x000c00000001ab45-330.dat	family_zgrat_v1
behavioral2/files/0x000c00000001ab45-352.dat	family_zgrat_v1
behavioral2/files/0x000c00000001ab45-373.dat	family_zgrat_v1
behavioral2/files/0x000c00000001ab45-394.dat	family_zgrat_v1
behavioral2/files/0x000c00000001ab45-415.dat	family_zgrat_v1
behavioral2/files/0x000c00000001ab45-709.dat	family_zgrat_v1
behavioral2/files/0x000c00000001ab45-730.dat	family_zgrat_v1
behavioral2/files/0x000c00000001ab45-751.dat	family_zgrat_v1
behavioral2/files/0x000c00000001ab45-772.dat	family_zgrat_v1
behavioral2/files/0x000c00000001ab45-793.dat	family_zgrat_v1
behavioral2/files/0x000c00000001ab45-814.dat	family_zgrat_v1
behavioral2/files/0x000c00000001ab45-835.dat	family_zgrat_v1
behavioral2/files/0x000c00000001ab45-856.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 37 IoCs

pid	Process
4916	fontdrvhost.exe
1564	fontdrvhost.exe
4152	fontdrvhost.exe
1860	fontdrvhost.exe
5076	fontdrvhost.exe
3956	fontdrvhost.exe
3348	fontdrvhost.exe
1628	fontdrvhost.exe
2688	fontdrvhost.exe
5112	fontdrvhost.exe
4928	fontdrvhost.exe
4020	fontdrvhost.exe
1248	fontdrvhost.exe
980	fontdrvhost.exe
2680	fontdrvhost.exe
4964	fontdrvhost.exe
3000	fontdrvhost.exe
4480	fontdrvhost.exe
1504	fontdrvhost.exe
2260	fontdrvhost.exe
2408	fontdrvhost.exe
3040	fontdrvhost.exe
500	fontdrvhost.exe
4676	fontdrvhost.exe
4540	fontdrvhost.exe
3972	fontdrvhost.exe
4136	fontdrvhost.exe
352	fontdrvhost.exe
3980	fontdrvhost.exe
952	fontdrvhost.exe
2740	fontdrvhost.exe
2296	fontdrvhost.exe
4424	fontdrvhost.exe
2744	fontdrvhost.exe
640	fontdrvhost.exe
4104	fontdrvhost.exe
4240	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 38 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
21	raw.githubusercontent.com
31	raw.githubusercontent.com
32	raw.githubusercontent.com
37	raw.githubusercontent.com
42	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
52	raw.githubusercontent.com
46	raw.githubusercontent.com
6	raw.githubusercontent.com
45	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
35	raw.githubusercontent.com
36	raw.githubusercontent.com
40	raw.githubusercontent.com
53	raw.githubusercontent.com
10	raw.githubusercontent.com
11	raw.githubusercontent.com
41	raw.githubusercontent.com
50	raw.githubusercontent.com
51	raw.githubusercontent.com
15	raw.githubusercontent.com
30	raw.githubusercontent.com
17	raw.githubusercontent.com
49	raw.githubusercontent.com
3	raw.githubusercontent.com
8	raw.githubusercontent.com
43	raw.githubusercontent.com
47	raw.githubusercontent.com
48	raw.githubusercontent.com
7	raw.githubusercontent.com
33	raw.githubusercontent.com
34	raw.githubusercontent.com
44	raw.githubusercontent.com
2	raw.githubusercontent.com
18	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\ApplicationFrameHost.exe	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\6dd19aba3e2428	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\d9b0099e078381	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\f3b6ecef712a24	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
File created	C:\Windows\ModemLogs\spoolsv.exe	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	fontdrvhost.exe

Runs ping.exe 1 TTPs 17 IoCs

Remote System Discovery

T1018

pid	Process
3748	PING.EXE
4148	PING.EXE
504	PING.EXE
3880	PING.EXE
4152	PING.EXE
1880	PING.EXE
3744	PING.EXE
3024	PING.EXE
1368	PING.EXE
2216	PING.EXE
4064	PING.EXE
3560	PING.EXE
2540	PING.EXE
4248	PING.EXE
4740	PING.EXE
520	PING.EXE
956	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeIncreaseQuotaPrivilege	2528	powershell.exe
Token: SeSecurityPrivilege	2528	powershell.exe
Token: SeTakeOwnershipPrivilege	2528	powershell.exe
Token: SeLoadDriverPrivilege	2528	powershell.exe
Token: SeSystemProfilePrivilege	2528	powershell.exe
Token: SeSystemtimePrivilege	2528	powershell.exe
Token: SeProfSingleProcessPrivilege	2528	powershell.exe
Token: SeIncBasePriorityPrivilege	2528	powershell.exe
Token: SeCreatePagefilePrivilege	2528	powershell.exe
Token: SeBackupPrivilege	2528	powershell.exe
Token: SeRestorePrivilege	2528	powershell.exe
Token: SeShutdownPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeSystemEnvironmentPrivilege	2528	powershell.exe
Token: SeRemoteShutdownPrivilege	2528	powershell.exe
Token: SeUndockPrivilege	2528	powershell.exe
Token: SeManageVolumePrivilege	2528	powershell.exe
Token: 33	2528	powershell.exe
Token: 34	2528	powershell.exe
Token: 35	2528	powershell.exe
Token: 36	2528	powershell.exe
Token: SeIncreaseQuotaPrivilege	4368	powershell.exe
Token: SeSecurityPrivilege	4368	powershell.exe
Token: SeTakeOwnershipPrivilege	4368	powershell.exe
Token: SeLoadDriverPrivilege	4368	powershell.exe
Token: SeSystemProfilePrivilege	4368	powershell.exe
Token: SeSystemtimePrivilege	4368	powershell.exe
Token: SeProfSingleProcessPrivilege	4368	powershell.exe
Token: SeIncBasePriorityPrivilege	4368	powershell.exe
Token: SeCreatePagefilePrivilege	4368	powershell.exe
Token: SeBackupPrivilege	4368	powershell.exe
Token: SeRestorePrivilege	4368	powershell.exe
Token: SeShutdownPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeSystemEnvironmentPrivilege	4368	powershell.exe
Token: SeRemoteShutdownPrivilege	4368	powershell.exe
Token: SeUndockPrivilege	4368	powershell.exe
Token: SeManageVolumePrivilege	4368	powershell.exe
Token: 33	4368	powershell.exe
Token: 34	4368	powershell.exe
Token: 35	4368	powershell.exe
Token: 36	4368	powershell.exe
Token: SeIncreaseQuotaPrivilege	3540	powershell.exe
Token: SeSecurityPrivilege	3540	powershell.exe
Token: SeTakeOwnershipPrivilege	3540	powershell.exe
Token: SeLoadDriverPrivilege	3540	powershell.exe
Token: SeSystemProfilePrivilege	3540	powershell.exe
Token: SeSystemtimePrivilege	3540	powershell.exe
Token: SeProfSingleProcessPrivilege	3540	powershell.exe
Token: SeIncBasePriorityPrivilege	3540	powershell.exe
Token: SeCreatePagefilePrivilege	3540	powershell.exe
Token: SeBackupPrivilege	3540	powershell.exe
Token: SeRestorePrivilege	3540	powershell.exe
Token: SeShutdownPrivilege	3540	powershell.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeSystemEnvironmentPrivilege	3540	powershell.exe
Token: SeRemoteShutdownPrivilege	3540	powershell.exe
Token: SeUndockPrivilege	3540	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2528	1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	35
PID 1932 wrote to memory of 2528	1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	35
PID 1932 wrote to memory of 1936	1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	34
PID 1932 wrote to memory of 1936	1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	34
PID 1932 wrote to memory of 3540	1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	33
PID 1932 wrote to memory of 3540	1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	33
PID 1932 wrote to memory of 588	1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	31
PID 1932 wrote to memory of 588	1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	31
PID 1932 wrote to memory of 4368	1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	30
PID 1932 wrote to memory of 4368	1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	30
PID 1932 wrote to memory of 4232	1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	26
PID 1932 wrote to memory of 4232	1932	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	26
PID 4232 wrote to memory of 4736	4232	cmd.exe	36
PID 4232 wrote to memory of 4736	4232	cmd.exe	36
PID 4232 wrote to memory of 1880	4232	cmd.exe	37
PID 4232 wrote to memory of 1880	4232	cmd.exe	37
PID 4232 wrote to memory of 4916	4232	cmd.exe	88
PID 4232 wrote to memory of 4916	4232	cmd.exe	88
PID 4916 wrote to memory of 4332	4916	fontdrvhost.exe	92
PID 4916 wrote to memory of 4332	4916	fontdrvhost.exe	92
PID 4332 wrote to memory of 8	4332	cmd.exe	90
PID 4332 wrote to memory of 8	4332	cmd.exe	90
PID 4332 wrote to memory of 2540	4332	cmd.exe	89
PID 4332 wrote to memory of 2540	4332	cmd.exe	89
PID 4332 wrote to memory of 1564	4332	cmd.exe	93
PID 4332 wrote to memory of 1564	4332	cmd.exe	93
PID 1564 wrote to memory of 4552	1564	fontdrvhost.exe	97
PID 1564 wrote to memory of 4552	1564	fontdrvhost.exe	97
PID 4552 wrote to memory of 2148	4552	cmd.exe	95
PID 4552 wrote to memory of 2148	4552	cmd.exe	95
PID 4552 wrote to memory of 3744	4552	cmd.exe	94
PID 4552 wrote to memory of 3744	4552	cmd.exe	94
PID 4552 wrote to memory of 4152	4552	cmd.exe	98
PID 4552 wrote to memory of 4152	4552	cmd.exe	98
PID 4152 wrote to memory of 1668	4152	fontdrvhost.exe	102
PID 4152 wrote to memory of 1668	4152	fontdrvhost.exe	102
PID 1668 wrote to memory of 5092	1668	cmd.exe	100
PID 1668 wrote to memory of 5092	1668	cmd.exe	100
PID 1668 wrote to memory of 3884	1668	cmd.exe	99
PID 1668 wrote to memory of 3884	1668	cmd.exe	99
PID 1668 wrote to memory of 1860	1668	cmd.exe	103
PID 1668 wrote to memory of 1860	1668	cmd.exe	103
PID 1860 wrote to memory of 4928	1860	fontdrvhost.exe	107
PID 1860 wrote to memory of 4928	1860	fontdrvhost.exe	107
PID 4928 wrote to memory of 2464	4928	cmd.exe	105
PID 4928 wrote to memory of 2464	4928	cmd.exe	105
PID 4928 wrote to memory of 2292	4928	cmd.exe	104
PID 4928 wrote to memory of 2292	4928	cmd.exe	104
PID 4928 wrote to memory of 5076	4928	cmd.exe	108
PID 4928 wrote to memory of 5076	4928	cmd.exe	108
PID 5076 wrote to memory of 772	5076	fontdrvhost.exe	112
PID 5076 wrote to memory of 772	5076	fontdrvhost.exe	112
PID 772 wrote to memory of 2840	772	cmd.exe	110
PID 772 wrote to memory of 2840	772	cmd.exe	110
PID 772 wrote to memory of 5116	772	cmd.exe	109
PID 772 wrote to memory of 5116	772	cmd.exe	109
PID 772 wrote to memory of 3956	772	cmd.exe	113
PID 772 wrote to memory of 3956	772	cmd.exe	113
PID 3956 wrote to memory of 3972	3956	fontdrvhost.exe	117
PID 3956 wrote to memory of 3972	3956	fontdrvhost.exe	117
PID 3972 wrote to memory of 1864	3972	cmd.exe	116
PID 3972 wrote to memory of 1864	3972	cmd.exe	116
PID 3972 wrote to memory of 2300	3972	cmd.exe	115
PID 3972 wrote to memory of 2300	3972	cmd.exe	115

C:\Users\Admin\AppData\Local\Temp\f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
"C:\Users\Admin\AppData\Local\Temp\f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5E2IIXQuAr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4736
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:1880
- - C:\Recovery\WindowsRE\fontdrvhost.exe
    "C:\Recovery\WindowsRE\fontdrvhost.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hdmdigGiX9.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7rL9EqqPRM.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0VS1u4WCCr.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HNGHapxv4I.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UI7DLfHyj8.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0SKfNvdG8.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kPY472Oq9b.bat"
        16⤵
        
        PID:4484
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kPY472Oq9b.bat"
        18⤵
        
        PID:1428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2236
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6bOuYaabJ.bat"
        20⤵
        
        PID:5092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:520
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tXcZTVakCz.bat"
        22⤵
        
        PID:4720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:4248
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zuRWOxc209.bat"
        24⤵
        
        PID:4336
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:956
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GyPdaK1JUk.bat"
        26⤵
        
        PID:1880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2300
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5TPLp0dsPT.bat"
        28⤵
        
        PID:2932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2540
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5TPLp0dsPT.bat"
        30⤵
        
        PID:4384
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LMDaVm4bIu.bat"
        32⤵
        
        PID:2692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:1876
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3sOpJujjEl.bat"
        34⤵
        
        PID:1896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:4520
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        Runs ping.exe
        
        PID:1368
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SuCPwp4RhE.bat"
        36⤵
        
        PID:4696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:4424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:4300
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6bOuYaabJ.bat"
        38⤵
        
        PID:2900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:1864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        Runs ping.exe
        
        PID:2216
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhzrLBDaJg.bat"
        40⤵
        
        PID:2124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:1248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        41⤵
        
        PID:3924
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zuRWOxc209.bat"
        42⤵
        
        PID:1344
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4noHdFs8q.bat"
        44⤵
        
        PID:4240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        45⤵
        
        PID:4236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:3884
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl5EWIzDsS.bat"
        46⤵
        
        PID:3704
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhzrLBDaJg.bat"
        48⤵
        
        PID:2944
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LMDaVm4bIu.bat"
        50⤵
        
        PID:4920
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w6iFNwlpp3.bat"
        52⤵
        
        PID:3356
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KCzYbro9FO.bat"
        54⤵
        
        PID:2908
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AqEIlSfADd.bat"
        56⤵
        
        PID:2148
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pZgFYZT4yN.bat"
        58⤵
        
        PID:4900
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9RMekxjZd4.bat"
        60⤵
        
        PID:688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:4772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        61⤵
        
        PID:4488
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3sOpJujjEl.bat"
        62⤵
        
        PID:1096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:2912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        63⤵
        Runs ping.exe
        
        PID:4064
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KCzYbro9FO.bat"
        64⤵
        
        PID:1532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        65⤵
        
        PID:4052
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s8lvSze9bR.bat"
        66⤵
        
        PID:5104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        67⤵
        
        PID:2288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        67⤵
        Runs ping.exe
        
        PID:504
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        67⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tXcZTVakCz.bat"
        68⤵
        
        PID:508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        69⤵
        Runs ping.exe
        
        PID:3560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        69⤵
        
        PID:4788
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        69⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cfpJnj91JY.bat"
        70⤵
        
        PID:2868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        71⤵
        
        PID:4308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        71⤵
        Runs ping.exe
        
        PID:3880
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        71⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f2k7CZMYLR.bat"
        72⤵
        
        PID:1624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        73⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        73⤵
        
        PID:3940
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        73⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4IFTJQeKoJ.bat"
        74⤵
        
        PID:4556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        75⤵
        
        PID:2688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        75⤵
        Runs ping.exe
        
        PID:4152
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        75⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\34YhpUhHpv.bat"
        76⤵
        
        PID:2464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        77⤵
        
        PID:1940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        77⤵
        Runs ping.exe
        
        PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\ApplicationFrameHost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\spoolsv.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2528

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2540

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:8

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:3744

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2148
- C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  2⤵
  PID:4904
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1884

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3884

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5092

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2292

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2464

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:5116

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2840

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2300

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1864

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:436

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4080

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2736

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:3804

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4800

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:3748

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2292

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4964

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4068

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2392

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4936

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2240

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:4148

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:3772

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1220

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1544

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:4740

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe

Filesize
1.2MB

MD5
65819723050ec8bb9bad5e6c87d6a5ff

SHA1
6058aba23ff746165d71ca6f2decb6c3ab486755

SHA256
b7935e8fb95e2b539c5e1962e4289e8596eddbec7c0776022ee23e31f6df6c79

SHA512
83e8db263e55d8e440f104ab4268836bf7ef5b1c14edc1e6b20dc343d28732e9467412e59e8ffa00446564f4dde287a72225bedf9a66c34e9b61a6a0fd5710a6

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
181KB

MD5
e62ed8d6c15c880bf978df7fafb8a1dc

SHA1
4c540c9af41fe6884a8e226977c93f2c26e4ec20

SHA256
0b17bad03925daf7efb77a6c379de40c7b3666c46ef290e96fd8b2adcd56d208

SHA512
5307d0465fc11c3bd4a126ed775927334d50e54b31236b6cc513633e0e0b0c36a46335fc28c9c0fc942625d8a6f0b081dac8134a3f3c8488d3756552257ef61b

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
257KB

MD5
fda466079f93c144c3cdbd93cc10ab52

SHA1
f3f86016d76c04fa89cdad99be0b8eab829dd4ff

SHA256
8acf557c0ee1e6b699701bf3c584ca9477f1f5477246fa02f3777c37364bf67b

SHA512
2b59bbfefbdd7049c623949f2455f954036f24ddb81fee7edd132331d14405dbdfe11bb2254f456856905a12324ac44747a2db24552959b140ffd70ddd7bfd5c

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
50KB

MD5
d1e43a9a27e1beea4262ed6ee89b9a19

SHA1
fc5377af788d2d12cc8c933aab72e24064f2d64c

SHA256
19e6a400be4fa3e64d03b28dfd04400bba57a6c40d5b1dbc0a50a2b22bb15173

SHA512
033f7cd6dec590ccf975df738524a7e6d3ac79464f36c2e269de32554d081762bac7ebb165c09f823cf280a0bc511a06f266566703f1377183ab7c9555d207be

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
27KB

MD5
1b849256728356ab004fe8b6483b7168

SHA1
7234a812d7f510627887e4642d832810fde933c6

SHA256
79566287615c9c69807d2abd122b25e67fefd56956d6c1d1b1bd130e8e9ac101

SHA512
9812d9e1e68a390fe0a0fda74aee1d07e013b77c14d7bd27c7058c75c32d0779eeafa9a0e0510f6e099c1a0d0665e46095419375e3d317324a075d13a0df5e00

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
127KB

MD5
245649519ea3fd9e1d7d5eaca6b87f51

SHA1
581ee6410cd30af3b2711562e1d3fc085c9517a5

SHA256
ede1ac3d8524052328c85de7997b757be1b2ae07ba39c47f421a6150aea5924f

SHA512
6d4a2ce336c6a2ea5fa11fadc6e8556e13c89b903ef9799a29f53e19f0197717d210bc25be2bcc365bc596400b6d8635ce2f9ebbdc73631fe667b13a070e124c

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
205KB

MD5
8bee6db8ce81afab067ab08393c89820

SHA1
4e5f7896eb39454c2db6c565d10f1536ff983838

SHA256
6fd188b2d9e230995ac2f0102ad909df1ccc6d2b8bf874794160101724a384ea

SHA512
2a900b2980eaed44cc85aa893ffbe9187becc07d2f52af697de69825182e1085e52b27a4d57b7172a4544594c5f8d423dff6e94f431364fcf417548748ac1600

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
974KB

MD5
3fa106b5066a836e141681996c9e9d1b

SHA1
b93c8fecd53e9af4ff6af93e28742659aa4ca51b

SHA256
69d928ea9cfdfd81af5d192d0cbef8cbf85f6dd4c545630fc9a2194c58bf6ac4

SHA512
0bff8b7d792e320883bea04c3eaf0c244b4d4f92924b0e01b4236821dea000b92e12373b0c9e98e1f9e6005c03c3608ef93edd32ecdf29c3ced856e53e2dc58b

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.7MB

MD5
596404d266d7105282abdc1c6ad1ad25

SHA1
9ba501299f1f8930e705d2deaad6c2fd896ffb5b

SHA256
f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97

SHA512
884dbb24455fae479e3351a1a28b4ae13635ed3c0ff5c0e1a822837bff6a53891a332e6fef14e933c34d358ef91edc742ca73294c06bf33426436972967574ce

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
176KB

MD5
983c0a2ce8607e5965c8b8df7f2ffa79

SHA1
ea2c4dfd1bb3cd58adf4414028d8e4a45c0bcfef

SHA256
e8b7946be31a7a6db6539e81dccf4ddc93a34492567e95095f0b01f08a33149e

SHA512
3db3efd672950adb4b0c579e2b82076de0e60b6961d79a5478192b2a56da99850a343609833e120f9f9a5f01e96c6b0a70b9d2bc0974cef99e7fce0c3d3f9695

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
48KB

MD5
4365cf2ea41f07352dc6cbad9fa874dc

SHA1
4952c180b5306ce86cbef0e834a7a87cd97ffd60

SHA256
9b814ba224027781f0e75b0b5aaff64ab5264e68e8ede7980cc982adf268fe49

SHA512
ac0ef321e72de4b4411dad862540ecf488d97c528f037eb611e5b0a851badc1ed6b7ac8ac293ed51f7b7e5f879614920dd79e40913dcf26ddc29146d7135adf3

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
32KB

MD5
7fcc81e4eb3bb6afca18131665ca0bb0

SHA1
d14597cb04627b7504e8aafdb046e056879b4ac3

SHA256
0440384e57edeebe6af9e71e42715c7e9042239419bc23901b8eb4b32092d1aa

SHA512
528775ec8645d714b8a6357a22585809a544e7d18284e182f788a1359092b9ea5765e803db67ef104a0b75a1850e867d442875197d1f8ed43b835c15f1311264

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
8KB

MD5
d027bef92e72fe188e53ff9534d14eb2

SHA1
42b876c4cba98746e8da9f287f36e45053825eeb

SHA256
2fc4e887103b2e69900af51129983d8c178924e6471b0f04ce94bfcbb628d54d

SHA512
539485991bb8ba6e4de07897efae304980adea4bf04b4ae2bd31765e2e06785cfc396a12800f973db3a71498176123adcb47f5c76211d18c3ea2be954288abaf

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
52KB

MD5
1dcef73ae261eb5e2b0cba7860df3bf6

SHA1
22b88df9ffb346d04800a0df9dbf6c01785f8b7b

SHA256
eeae5436c832c9c4cea64e6535d932e2a84800a6e2294104e8ab48078b28c6be

SHA512
8e2bfd98cd2f28fc4dbc8fe5e55f9c889dd2cc8addbbd8f6a0a48a7e31730983268a85e615892b684b0c2f4a5966ff4de54f6b3b65be9df5da0639a44325cfbf

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
149KB

MD5
2d80bfd41c4fcc3a391a3c1da8dbffe4

SHA1
ce793c4040fd48207ccba3d07f7f1572f22ea52f

SHA256
5ba8dec049828466201d95409cee8d7144f74d9b698f18babe239522d84e3a1f

SHA512
0a85de30dfa7fe6b673a05e633720f1d1857c6a56cd96d0322bf85195e0a2a863f0fb22eccd304879fa8bd19f2e6a21733f1d53b2369a6bbe6f729bce02f12c1

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
197KB

MD5
170aad64d913f2c22375f41b6beda15b

SHA1
cee5c547a267a64975212c90b051d12cae4fabed

SHA256
69d72f76e751dcc5c55b58bab12620bd6dd7cb87ca5647a08a2c113d32b10c87

SHA512
77f041f6b5a970e194240ccb4308fdeba925f75b34129af74c03fb693d69312ca3c33ee9c381c3a7b846f22f1ccb42d6d74d567c6813e186e7c1e96337a6d1ee

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
307KB

MD5
9252e29a0dd334da84cff6bbda5372ea

SHA1
f34c945c41e66ba1d75c9b897449b7ef4d5393bc

SHA256
447ab27f1111b066135e4ce259e446ffbf85bdda0b2d58e87c2bf68edb7fdcf5

SHA512
9afb21eeec2e144199702c681bae8df8ce61b0ed2764cf05390fe96559ac201bd22ef1cff848930927243364ef98cd58b01f6b1e6e7bafbc6268524bf62ece23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
d9fbbda32f03209ae8e2d8e1ce595b32

SHA1
04996e2efdd89a0a7f5172690f96d34abe28ccc6

SHA256
d3f038da27a23a26f88df2466c10c4a846acfdbb323987d5cdd235ade8c16a60

SHA512
5ff8493732d18f6439e548a8149d291e619ad98d4d2280367add07e8fcf38d55803bf2396dba897a239ae0ed1455b157f3a7f827432196c52bc94c5f4154db6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d1f50cb53eb66e7745ea6b786168ba40

SHA1
efd8d39fbd3465dd4fd901fa71ebfbff814fd811

SHA256
9898ba43b7c6cae23d5efaba77f727cac988089ebfb48da2bb528864cbfa8c6c

SHA512
db183c6d9118482df8d9c5d45bc470ec86e9dbf1eda79039c419e5a0d60564093b1f59da5eef487a96090a170f9d038a532e54467c8e40c3f8d34b99baa71219

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
282eaa83a9f6cb706884fec7c0e6e2f2

SHA1
94d2880bac4fad34d0c7f4feb85ba7580d6a88f9

SHA256
886273f9aadea35224db68fb143b201d3061dbbe02e6ac31d514cab27d4e5ebe

SHA512
bee91bc28999632921f42e6e5604568bfa14fd6bea00fd12df04b463d4aefbdfe68afa290082791e540857dbd19d193bef92e27a51f5c2800d53b6598122f2b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
950ec079a214623244964cc833b03a8f

SHA1
d452b4c3faba84e7efc3e2ec92111a53fc2e68bb

SHA256
fb6cada8a6db73aec7caf5638760d7a08425ddecc4ca3a04904606bf85698644

SHA512
9b8d6d6f1bbaef61a8a06f44eac911ae12148f13f2759f4a9defb06055faf8c7c285a9248e419a0fa214d4e35adde1b0c89db48de7c1abeb5326c0fe80eca8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0VS1u4WCCr.bat

Filesize
213B

MD5
8efceaae087638232e5a908d913bb449

SHA1
08363d13edf5c515c14fd09da40bb83cc074710b

SHA256
87e7a71e615aa916a9114601d3caac47745956d671b2001e7a4d1d0887c3b332

SHA512
7d3553041c9ecbf978d6f7ce7517920ab4b6a296d23e5e6d71f3b8757e08dce8520a494fae9f2699160da5a75e2c209961b101976b8a37d2d8c4e268aaa922cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3sOpJujjEl.bat

Filesize
165B

MD5
30091297613e62e8bfdc0af139e5a2ee

SHA1
f41dcc226a92b3cbf5ed62a672ce0a6fb9c995cc

SHA256
e5b6b5dd36a369c4cd6588eaa1642da89918b919898886e79b26b581aa5e101e

SHA512
30be7bc3cc3307ebbc6019974cbc5540df7c22c7dff03ffd16650854f5abf4ada5b602aec36f4a35539ccd988332df6e54b12653c66351538977e4b55303a2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E2IIXQuAr.bat

Filesize
165B

MD5
0476cca0dd59717f8e3e4e216d0b998e

SHA1
d4c76252847a20d19d7991318b9e50db63edb2ab

SHA256
8921995048d1d9f21d83546ac3671b1dc59a72856a4916112584457764b3daf6

SHA512
ef73bb514810ccf8b6d15a6a0f4768b1b17d06003c32ccf9f4cb4568db93642f493eb030f769a04b990c788e6d9ea737c4598572dc40de65144d9f9a38ee05f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5TPLp0dsPT.bat

Filesize
213B

MD5
b84382e4fd6f150f0ca1aa04f09a2168

SHA1
ec1849f28b87bcac32d21d55404209b6b41ea063

SHA256
cfb89e562dc4cd88fb709f2180a29119ba715d9606c21ae5f429d9c6cf7b6f58

SHA512
4cf2c484f1cdaeeeb67c8b0bef87a6550542b9e451fac95d69d2e34454bc1a08423d6be39549de2d0b626db48e715555e7d57a4ab128d62ee3f485076f4d7d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\7rL9EqqPRM.bat

Filesize
165B

MD5
80281ac51440acb82dc5c421c3c79be7

SHA1
892b500767be69a6272772cfb23b6d05ec1f509c

SHA256
b6e3083bbdf224151cd11fcbe7362fd235acaf08b97b701e67f4118a93accb0b

SHA512
0e8d6248b816618637e6ee1114d6f160849d40d380c7b28322c9c84abae52b455e7dedd4e19f5302e5eb77dec1ec11f6352f34a7e61bdd84f2a4f512aedc45ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\AqEIlSfADd.bat

Filesize
213B

MD5
b186e57c26cce343b641aa46a8643c74

SHA1
84ab7f99525dc56bbf7f042d3a479fcfe97dd11f

SHA256
a466e274e99fa9c76037a5de316fb1b88a18d399ed28537a717cd7b37155b55f

SHA512
ee548f6cda8fe158c88bf9a297c6c9afb03f252453984e38da4c73c306b5ef1f098435ab12e89406f01e99bb495d8e92f3086982d681f278f06937b6844f8e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0SKfNvdG8.bat

Filesize
213B

MD5
31cd984aa25ed0b40f377a73aa2597b1

SHA1
18629a2e9831a18025db7fa84cb615228706668c

SHA256
de062c9fc8b7b9d2513cb06a4ef491cec24bf865cbafe32ff0642139fa6cf8f7

SHA512
40e6d6c239b611794e4c1035ab9a10a5db3bb78e66fdcbe242b4d237060961f0cc0c7296a28991abaa4fed67ba699732ba65a59b198786278f44e0ffe32c34d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GyPdaK1JUk.bat

Filesize
213B

MD5
4e91f14ee3bba5692ca10b73d5cf8984

SHA1
09bf48105c2f35bcbc98aad795a942fe0903d098

SHA256
78987f7039f232e2fd95e072552d5142c493823556a9caac34159f665eceb32a

SHA512
2b73001b28ce440e11e0036e4a9e449c9dea784806e8100e76e24a403fbb15c14823b9c5239a5611fadc9a94435b1d384dbfbb979ee8872f4829f5b930995e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\HNGHapxv4I.bat

Filesize
213B

MD5
fcf61a597a7f46dcc6a3f0dfd2accd96

SHA1
a5a5878db5afbb70f47ba6bbed5740755aaae5b5

SHA256
359ec552849225d2a1351d671d81a225922ab8ae1b8852cd00d1264e95abf577

SHA512
f459e081401bf00992710d3fe4bcf0ff0e7696310c500625b795d537567b706e34a79beeff5dc228512d72d8262deda3e38f8b909b42a5081c60bbae2fe1d63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KCzYbro9FO.bat

Filesize
213B

MD5
9c15ae790bb4b15976dac8a6747cc808

SHA1
8eaf8ee323ff3c2993362d6a3f4e200a86054ae4

SHA256
2e17ec67b5ad624ff517745c8fc138889b1906445efd7c26e4ee566899b8d4ac

SHA512
af29ebecd6fdd79de676d67f1d010a61579e60ef3e564911fb4156edf2e9ec4998c5f2ec84af61b34668383593d5ce44214a50831428dbcdf001e857b13b76ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMDaVm4bIu.bat

Filesize
213B

MD5
70aa1b0807d5375bfcab2688501d7001

SHA1
69b7a229ed146c7c7d16778496a95f95667e8f67

SHA256
59f636db9dec3eff3099835c24406ad73cd4229d009291cb3d869d42ae0be41e

SHA512
1b47c5d52852ad3ec45bc239b5651bbc68c7dcfcfae9206d32715b2663f01692a307fa5b5e8e314edcf838e0695bdfb97eb98e3c4bae59c77b80df44011db65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nl5EWIzDsS.bat

Filesize
213B

MD5
f315ffce26ac36be9c066f01fd761870

SHA1
edb3964412bf3fabbf2d31d3bc3fd09939182fb8

SHA256
f17d3e44de43b1c963e6363f073a138b42d2949676eac94e1b82244187196901

SHA512
1132db03203a28cd57623aaecd8584cb520b3e597081bdfe65770f6fe13d93237faaf81d3e8ca5f933762396bb54320c847fdbcad627e1a7b6056c6045145122

Download Submit
C:\Users\Admin\AppData\Local\Temp\SuCPwp4RhE.bat

Filesize
213B

MD5
b1b91d388d5c5c47290aa9b2957b7367

SHA1
a84514625249b21d69ebb94a6238f2599af20d71

SHA256
46c2935f76d4cd3bbf056f57be00fc854692d439562c4ae4c83a39c11c92139b

SHA512
123fd90b94c49c9992c98033f392d4ac4e8de571caf7e4bcfbf002705eaf6fb9d81482e26ed9f39a16de038e0e31185da4054ae9b99c970c68d19b09aadbe988

Download Submit
C:\Users\Admin\AppData\Local\Temp\UI7DLfHyj8.bat

Filesize
213B

MD5
349501f0d449bedf366a07fda32c8e8a

SHA1
3b7afc5d3e50d13b241babc224f95ec708e1c4e7

SHA256
4a5c2f511aeda43b3f61e753e8be6b84fe919ac792f203a66893930dda522690

SHA512
c1f3ce67d2ace75aef225d48a7e331375012fb8c66a67c514c43fc1a813abf3959a9c109991bf515640958f86d690a465cc9aec4d2da7e0dd92e5f34c4be9dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhzrLBDaJg.bat

Filesize
213B

MD5
26d928d7ae27ff1f7b652b30c00448d6

SHA1
908ac5d5a33bbd8f4f0d557061bd7325664c9d81

SHA256
f8bacb6127ea6fb69a27e5bd7bb86defc14b56c1c17ee5cb4585f1067ecb1ba6

SHA512
ffc1996c9a896f92f9287dacd1b8b89c85886ed12644e214a9306f6eeb4c9601b7d3a1c2d2a0ef8f46fe733153593ea3563f9153584beea496f68ada810b58cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dd4fbllz.m3w.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4noHdFs8q.bat

Filesize
213B

MD5
6116577dd77c0b8d0d6f289cc613658d

SHA1
db8df4f096726cef7348c41c3b6fb94789b6ff55

SHA256
4f4b0995609d36434c47902ef132945f815ed1ba3817d30d0c5e63db99483942

SHA512
edf834d418b761cb2469e4f7cbaa448d7652d6c038bdc3b0e06abded34aa05e65962a23f265c8aee7c362d1bbe6ac034f29c5b5bcff470c05eb9d6e58bb62fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdmdigGiX9.bat

Filesize
165B

MD5
1e6254567b4d848ff64d4171710313d4

SHA1
a1a15dff7b9dd80ed238aedaae1464dafbdd8990

SHA256
f1e4e113ec5482f670a85afcfd95fca74d06ab7f2f334f9f351ba43113d10b81

SHA512
dedd1af20d3cb6a607c13aae151d1fcbdd99eee1bdf52b62a5d94f002514e07c9df99224d7582915c263d4943c7efc8d279da6732a249d4bfad2555e1676cf3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kPY472Oq9b.bat

Filesize
213B

MD5
26a58d04024b38b94ec7b5e7fd10af3b

SHA1
84a01d997cfcb1f3652a59b5de72f40469916338

SHA256
5fc7abc8da569ca23b8fddda3c434917f1dbc318cac99ef8665168435755e1db

SHA512
258bf494664b630c24660382944543f25af348e8a61a52abc67ef4a87667a55ecddf625244250719e8fea09c81fe38d93e8cbae7ca37e03c2cbfa23d99f5b239

Download Submit
C:\Users\Admin\AppData\Local\Temp\pZgFYZT4yN.bat

Filesize
165B

MD5
b3538aaf292dcc197617a85bb0ef79bb

SHA1
87eb29caacae26e4c25e4b4855c6f99cf161ca1a

SHA256
2292a8623b8bcfa9c9b11fc48d63a2b4946243c705f06cfb82e49433cb30b51e

SHA512
f8147993add81c1e9b382b7839e8fd27c43c9a9baaef18d68d413f415cf7aa6037af2cff2da27733feb00f43d686d6b1e0988b9273685740c7b75d1eb0e09dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tXcZTVakCz.bat

Filesize
165B

MD5
8f58e30f66a29d570153d2b3c10fabdc

SHA1
02c47feda06559608943adb2a937e8c9cba36248

SHA256
8ab965696e2756faa992ea7d0c3f9b1741c6290e4f63a3f5d6ce2d86622bbed5

SHA512
e58d4c0a6b408ee1a63e3618844251f69200a29bae80f69c88d0747759a49f98c73678aa9165500144e79bcf9c95525529ea2f9f1d1fd658a6a0442ea6319631

Download Submit
C:\Users\Admin\AppData\Local\Temp\w6iFNwlpp3.bat

Filesize
165B

MD5
a425fdd205d62f880f5c66cae4756de6

SHA1
2c77865d37ebbb7855647cbd4561be4cbc0775ae

SHA256
b4334625e567d4f31926e6fba0eaea6577cc71d74bd082726b1dff9d98a68806

SHA512
80827a6176ef71bf1538aa4f55da770170e6fcec8f77390b0661cb8c0aeb92518d27268c3448dd91708ec920f439382b179ca078bcc6d5890c7885d0f9097970

Download Submit
C:\Users\Admin\AppData\Local\Temp\z6bOuYaabJ.bat

Filesize
165B

MD5
94dfb7a288122c2965478305b3cd8f26

SHA1
d4652d3e4b0b74b45c41bd6529da291eea4276e6

SHA256
afc00e026d6d709e859477392a1b2d629bee24fbf13e729f82311850d8d1ae4d

SHA512
5f2676786a5512f3ded1dd543be9c76f61d76c2321af1ce7682a4025bcdc149b182a797e020122d9af2dd98a0a8e419c4c9c658e1ffcefd67122601c2415dc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuRWOxc209.bat

Filesize
165B

MD5
4efded6825b7700fb947b73236df51b6

SHA1
aa5fdc65fc781011873ce707b92d01706984bd53

SHA256
81fab22ee423ce9f1f4e2459e43a6248cb33493d222f298926d7ba60cb70e3a0

SHA512
f6dfaa95ee410856682d672b60d19af804242b2ca20887ec578e553c1421c4b54a96bbfd07ad3301dd1214427abfa1884302db156bf81b2087c41781b2919c26

Download Submit
memory/352-873-0x000000001B400000-0x000000001B49E000-memory.dmp

Filesize
632KB

Download
memory/500-769-0x000000001AEF0000-0x000000001AF8E000-memory.dmp

Filesize
632KB

Download
memory/588-170-0x00000245F4240000-0x00000245F4250000-memory.dmp

Filesize
64KB

Download
memory/588-67-0x00000245F4240000-0x00000245F4250000-memory.dmp

Filesize
64KB

Download
memory/588-68-0x00000245F4240000-0x00000245F4250000-memory.dmp

Filesize
64KB

Download
memory/588-57-0x00007FF830160000-0x00007FF830B4C000-memory.dmp

Filesize
9.9MB

Download
memory/588-278-0x00007FF830160000-0x00007FF830B4C000-memory.dmp

Filesize
9.9MB

Download
memory/588-258-0x00000245F4240000-0x00000245F4250000-memory.dmp

Filesize
64KB

Download
memory/640-1007-0x000000001BB20000-0x000000001BBBE000-memory.dmp

Filesize
632KB

Download
memory/952-912-0x000000001C1D0000-0x000000001C26E000-memory.dmp

Filesize
632KB

Download
memory/980-582-0x00000000030A0000-0x000000000313E000-memory.dmp

Filesize
632KB

Download
memory/1248-561-0x00000000034B0000-0x000000000354E000-memory.dmp

Filesize
632KB

Download
memory/1504-685-0x000000001C610000-0x000000001C6AE000-memory.dmp

Filesize
632KB

Download
memory/1564-313-0x000000001B700000-0x000000001B710000-memory.dmp

Filesize
64KB

Download
memory/1564-310-0x00007FF840DC0000-0x00007FF8417AC000-memory.dmp

Filesize
9.9MB

Download
memory/1564-327-0x000000001B630000-0x000000001B6CE000-memory.dmp

Filesize
632KB

Download
memory/1564-314-0x00007FF84C680000-0x00007FF84C681000-memory.dmp

Filesize
4KB

Download
memory/1564-315-0x000000001B700000-0x000000001B710000-memory.dmp

Filesize
64KB

Download
memory/1564-319-0x00007FF84C670000-0x00007FF84C671000-memory.dmp

Filesize
4KB

Download
memory/1564-311-0x000000001B700000-0x000000001B710000-memory.dmp

Filesize
64KB

Download
memory/1564-312-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/1628-455-0x000000001BF00000-0x000000001BF9E000-memory.dmp

Filesize
632KB

Download
memory/1860-370-0x0000000002960000-0x00000000029FE000-memory.dmp

Filesize
632KB

Download
memory/1932-17-0x0000000002820000-0x000000000282C000-memory.dmp

Filesize
48KB

Download
memory/1932-2-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1932-44-0x000000001B1A0000-0x000000001B23E000-memory.dmp

Filesize
632KB

Download
memory/1932-12-0x00007FF84C660000-0x00007FF84C661000-memory.dmp

Filesize
4KB

Download
memory/1932-7-0x00007FF84C680000-0x00007FF84C681000-memory.dmp

Filesize
4KB

Download
memory/1932-0-0x0000000000450000-0x0000000000610000-memory.dmp

Filesize
1.8MB

Download
memory/1932-4-0x000000001B370000-0x000000001B380000-memory.dmp

Filesize
64KB

Download
memory/1932-1-0x00007FF830160000-0x00007FF830B4C000-memory.dmp

Filesize
9.9MB

Download
memory/1932-3-0x000000001B370000-0x000000001B380000-memory.dmp

Filesize
64KB

Download
memory/1932-47-0x00007FF830160000-0x00007FF830B4C000-memory.dmp

Filesize
9.9MB

Download
memory/1932-6-0x0000000000E00000-0x0000000000E0E000-memory.dmp

Filesize
56KB

Download
memory/1932-8-0x000000001B370000-0x000000001B380000-memory.dmp

Filesize
64KB

Download
memory/1932-10-0x0000000000E10000-0x0000000000E1E000-memory.dmp

Filesize
56KB

Download
memory/1932-15-0x00007FF84C650000-0x00007FF84C651000-memory.dmp

Filesize
4KB

Download
memory/1932-11-0x00007FF84C670000-0x00007FF84C671000-memory.dmp

Filesize
4KB

Download
memory/1932-14-0x0000000000E20000-0x0000000000E2C000-memory.dmp

Filesize
48KB

Download
memory/1936-66-0x0000027D77E10000-0x0000027D77E20000-memory.dmp

Filesize
64KB

Download
memory/1936-63-0x00007FF830160000-0x00007FF830B4C000-memory.dmp

Filesize
9.9MB

Download
memory/1936-282-0x00007FF830160000-0x00007FF830B4C000-memory.dmp

Filesize
9.9MB

Download
memory/1936-265-0x0000027D77E10000-0x0000027D77E20000-memory.dmp

Filesize
64KB

Download
memory/1936-61-0x0000027D77E10000-0x0000027D77E20000-memory.dmp

Filesize
64KB

Download
memory/1936-81-0x0000027D78680000-0x0000027D786F6000-memory.dmp

Filesize
472KB

Download
memory/1936-147-0x0000027D77E10000-0x0000027D77E20000-memory.dmp

Filesize
64KB

Download
memory/2260-706-0x000000001B810000-0x000000001B8AE000-memory.dmp

Filesize
632KB

Download
memory/2296-950-0x000000001BB60000-0x000000001BBFE000-memory.dmp

Filesize
632KB

Download
memory/2408-727-0x000000001C0F0000-0x000000001C18E000-memory.dmp

Filesize
632KB

Download
memory/2528-264-0x00007FF830160000-0x00007FF830B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-45-0x00007FF830160000-0x00007FF830B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-58-0x000001D4AF990000-0x000001D4AF9A0000-memory.dmp

Filesize
64KB

Download
memory/2528-152-0x000001D4AF990000-0x000001D4AF9A0000-memory.dmp

Filesize
64KB

Download
memory/2528-256-0x000001D4AF990000-0x000001D4AF9A0000-memory.dmp

Filesize
64KB

Download
memory/2680-601-0x000000001B310000-0x000000001B3AE000-memory.dmp

Filesize
632KB

Download
memory/2688-476-0x0000000002B80000-0x0000000002C1E000-memory.dmp

Filesize
632KB

Download
memory/2740-931-0x000000001BB70000-0x000000001BC0E000-memory.dmp

Filesize
632KB

Download
memory/2744-988-0x000000001C460000-0x000000001C4FE000-memory.dmp

Filesize
632KB

Download
memory/3000-643-0x000000001C890000-0x000000001C92E000-memory.dmp

Filesize
632KB

Download
memory/3040-748-0x0000000002800000-0x000000000289E000-memory.dmp

Filesize
632KB

Download
memory/3348-433-0x000000001BB60000-0x000000001BBFE000-memory.dmp

Filesize
632KB

Download
memory/3540-283-0x00007FF830160000-0x00007FF830B4C000-memory.dmp

Filesize
9.9MB

Download
memory/3540-69-0x0000020A51270000-0x0000020A51292000-memory.dmp

Filesize
136KB

Download
memory/3540-143-0x0000020A512F0000-0x0000020A51300000-memory.dmp

Filesize
64KB

Download
memory/3540-37-0x00007FF830160000-0x00007FF830B4C000-memory.dmp

Filesize
9.9MB

Download
memory/3540-64-0x0000020A512F0000-0x0000020A51300000-memory.dmp

Filesize
64KB

Download
memory/3540-259-0x0000020A512F0000-0x0000020A51300000-memory.dmp

Filesize
64KB

Download
memory/3540-65-0x0000020A512F0000-0x0000020A51300000-memory.dmp

Filesize
64KB

Download
memory/3540-263-0x00007FF830160000-0x00007FF830B4C000-memory.dmp

Filesize
9.9MB

Download
memory/3956-412-0x000000001C010000-0x000000001C0AE000-memory.dmp

Filesize
632KB

Download
memory/3972-832-0x000000001B510000-0x000000001B5AE000-memory.dmp

Filesize
632KB

Download
memory/3980-893-0x000000001C120000-0x000000001C1BE000-memory.dmp

Filesize
632KB

Download
memory/4020-540-0x000000001C510000-0x000000001C5AE000-memory.dmp

Filesize
632KB

Download
memory/4104-1026-0x0000000002D70000-0x0000000002E0E000-memory.dmp

Filesize
632KB

Download
memory/4136-853-0x000000001C1A0000-0x000000001C23E000-memory.dmp

Filesize
632KB

Download
memory/4152-349-0x000000001C0B0000-0x000000001C14E000-memory.dmp

Filesize
632KB

Download
memory/4240-1045-0x000000001AEF0000-0x000000001AF8E000-memory.dmp

Filesize
632KB

Download
memory/4368-141-0x00000218FF360000-0x00000218FF370000-memory.dmp

Filesize
64KB

Download
memory/4368-53-0x00000218FF360000-0x00000218FF370000-memory.dmp

Filesize
64KB

Download
memory/4368-51-0x00000218FF360000-0x00000218FF370000-memory.dmp

Filesize
64KB

Download
memory/4368-274-0x00007FF830160000-0x00007FF830B4C000-memory.dmp

Filesize
9.9MB

Download
memory/4368-266-0x00000218FF360000-0x00000218FF370000-memory.dmp

Filesize
64KB

Download
memory/4368-34-0x00007FF830160000-0x00007FF830B4C000-memory.dmp

Filesize
9.9MB

Download
memory/4424-969-0x000000001C6B0000-0x000000001C74E000-memory.dmp

Filesize
632KB

Download
memory/4480-664-0x000000001C810000-0x000000001C8AE000-memory.dmp

Filesize
632KB

Download
memory/4540-811-0x000000001B860000-0x000000001B8FE000-memory.dmp

Filesize
632KB

Download
memory/4676-790-0x000000001B150000-0x000000001B1EE000-memory.dmp

Filesize
632KB

Download
memory/4916-307-0x00007FF830160000-0x00007FF830B4C000-memory.dmp

Filesize
9.9MB

Download
memory/4916-297-0x00007FF84C660000-0x00007FF84C661000-memory.dmp

Filesize
4KB

Download
memory/4916-288-0x00000000015F0000-0x00000000015F1000-memory.dmp

Filesize
4KB

Download
memory/4916-305-0x000000001BAF0000-0x000000001BB8E000-memory.dmp

Filesize
632KB

Download
memory/4916-292-0x00007FF84C680000-0x00007FF84C681000-memory.dmp

Filesize
4KB

Download
memory/4916-295-0x00007FF84C670000-0x00007FF84C671000-memory.dmp

Filesize
4KB

Download
memory/4916-289-0x000000001BAE0000-0x000000001BAF0000-memory.dmp

Filesize
64KB

Download
memory/4916-287-0x00007FF830160000-0x00007FF830B4C000-memory.dmp

Filesize
9.9MB

Download
memory/4916-290-0x000000001BAE0000-0x000000001BAF0000-memory.dmp

Filesize
64KB

Download
memory/4916-298-0x00007FF84C650000-0x00007FF84C651000-memory.dmp

Filesize
4KB

Download
memory/4916-293-0x000000001BAE0000-0x000000001BAF0000-memory.dmp

Filesize
64KB

Download
memory/4928-518-0x000000001C1C0000-0x000000001C25E000-memory.dmp

Filesize
632KB

Download
memory/4964-622-0x0000000002FB0000-0x000000000304E000-memory.dmp

Filesize
632KB

Download
memory/5076-391-0x000000001C510000-0x000000001C5AE000-memory.dmp

Filesize
632KB

Download
memory/5112-497-0x000000001B4F0000-0x000000001B58E000-memory.dmp

Filesize
632KB

Download