zgrat | ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Size

2.0MB
MD5

70d149f275ccc89790c5405849a9ad9f
SHA1

de1a99c487f1b78320142e64fa1531c65a1ad8e7
SHA256

ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4
SHA512

899a53dda2c656117f1e618f06a334557536dcccd28d42a0f2ef6125ff9d0457759cff2c12c96c5b19381e25385ad3e31827f729bd6c5db397a58c0b7b7817a7
SSDEEP

49152:yKB0Z0w15HQDEbwbIx0QEiY/ifrR6Vuo:yKB+1NQDETjAifH

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 12 IoCs

resource	yara_rule
behavioral2/memory/2660-0-0x0000000000400000-0x00000000005FA000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0006000000023238-45.dat	family_zgrat_v1
behavioral2/files/0x0006000000023238-327.dat	family_zgrat_v1
behavioral2/files/0x0006000000023238-326.dat	family_zgrat_v1
behavioral2/files/0x0006000000023238-358.dat	family_zgrat_v1
behavioral2/files/0x0006000000023238-387.dat	family_zgrat_v1
behavioral2/files/0x0006000000023238-416.dat	family_zgrat_v1
behavioral2/files/0x0006000000023238-445.dat	family_zgrat_v1
behavioral2/files/0x0006000000023238-472.dat	family_zgrat_v1
behavioral2/files/0x0006000000023238-526.dat	family_zgrat_v1
behavioral2/files/0x0006000000023238-552.dat	family_zgrat_v1
behavioral2/files/0x0006000000023238-578.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 12 IoCs

resource	yara_rule
behavioral2/memory/2660-0-0x0000000000400000-0x00000000005FA000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023238-45.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023238-327.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023238-326.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023238-358.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023238-387.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023238-416.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023238-445.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023238-472.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023238-526.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023238-552.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023238-578.dat	INDICATOR_EXE_Packed_DotNetReactor

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 10 IoCs

pid	Process
4544	csrss.exe
5012	csrss.exe
3960	csrss.exe
1464	csrss.exe
1588	csrss.exe
4676	csrss.exe
6084	csrss.exe
2956	csrss.exe
3296	csrss.exe
2936	csrss.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ipinfo.io
16	ipinfo.io

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\5940a34987c991	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files\Windows Mail\69ddcba757bf72	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File opened for modification	C:\Program Files\VideoLAN\SearchApp.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files (x86)\Internet Explorer\wininit.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files (x86)\Internet Explorer\56085415360792	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\dllhost.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files\ModifiableWindowsApps\RuntimeBroker.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files\VideoLAN\SearchApp.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files\VideoLAN\38384e6a620884	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files\Windows Mail\smss.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\security\cap\csrss.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Windows\security\cap\886983d96e3d3e	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1552	schtasks.exe
2168	schtasks.exe
2400	schtasks.exe
2956	schtasks.exe
2516	schtasks.exe
3688	schtasks.exe
1408	schtasks.exe
4832	schtasks.exe
2100	schtasks.exe
4480	schtasks.exe
3892	schtasks.exe
4568	schtasks.exe
3452	schtasks.exe
4768	schtasks.exe
4528	schtasks.exe
4820	schtasks.exe
4916	schtasks.exe
4796	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	csrss.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
5568	PING.EXE
1984	PING.EXE
4380	PING.EXE
3580	PING.EXE
1916	PING.EXE
5768	PING.EXE
5776	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	1984	PING.EXE
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	4544	csrss.exe
Token: SeDebugPrivilege	5012	csrss.exe
Token: SeDebugPrivilege	3960	csrss.exe
Token: SeDebugPrivilege	1464	csrss.exe
Token: SeDebugPrivilege	1588	csrss.exe
Token: SeDebugPrivilege	4676	csrss.exe
Token: SeDebugPrivilege	6084	csrss.exe
Token: SeDebugPrivilege	2956	csrss.exe
Token: SeDebugPrivilege	3296	csrss.exe
Token: SeDebugPrivilege	2936	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 4872	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	83
PID 2660 wrote to memory of 4872	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	83
PID 2660 wrote to memory of 1220	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	82
PID 2660 wrote to memory of 1220	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	82
PID 2660 wrote to memory of 4792	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	81
PID 2660 wrote to memory of 4792	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	81
PID 2660 wrote to memory of 1984	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	162
PID 2660 wrote to memory of 1984	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	162
PID 2660 wrote to memory of 1016	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	79
PID 2660 wrote to memory of 1016	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	79
PID 2660 wrote to memory of 3940	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	78
PID 2660 wrote to memory of 3940	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	78
PID 2660 wrote to memory of 660	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	77
PID 2660 wrote to memory of 660	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	77
PID 2660 wrote to memory of 908	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	76
PID 2660 wrote to memory of 908	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	76
PID 2660 wrote to memory of 3232	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	75
PID 2660 wrote to memory of 3232	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	75
PID 2660 wrote to memory of 3416	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	74
PID 2660 wrote to memory of 3416	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	74
PID 2660 wrote to memory of 588	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	73
PID 2660 wrote to memory of 588	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	73
PID 2660 wrote to memory of 3200	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	72
PID 2660 wrote to memory of 3200	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	72
PID 2660 wrote to memory of 4984	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	71
PID 2660 wrote to memory of 4984	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	71
PID 2660 wrote to memory of 1760	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	70
PID 2660 wrote to memory of 1760	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	70
PID 2660 wrote to memory of 1680	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	69
PID 2660 wrote to memory of 1680	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	69
PID 2660 wrote to memory of 3736	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	68
PID 2660 wrote to memory of 3736	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	68
PID 2660 wrote to memory of 1164	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	67
PID 2660 wrote to memory of 1164	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	67
PID 2660 wrote to memory of 1216	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	66
PID 2660 wrote to memory of 1216	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	66
PID 2660 wrote to memory of 3064	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	46
PID 2660 wrote to memory of 3064	2660	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	46
PID 3064 wrote to memory of 5300	3064	cmd.exe	48
PID 3064 wrote to memory of 5300	3064	cmd.exe	48
PID 3064 wrote to memory of 5776	3064	cmd.exe	53
PID 3064 wrote to memory of 5776	3064	cmd.exe	53
PID 3064 wrote to memory of 4544	3064	cmd.exe	150
PID 3064 wrote to memory of 4544	3064	cmd.exe	150
PID 4544 wrote to memory of 4916	4544	csrss.exe	154
PID 4544 wrote to memory of 4916	4544	csrss.exe	154
PID 4916 wrote to memory of 5884	4916	cmd.exe	152
PID 4916 wrote to memory of 5884	4916	cmd.exe	152
PID 4916 wrote to memory of 5568	4916	cmd.exe	151
PID 4916 wrote to memory of 5568	4916	cmd.exe	151
PID 4916 wrote to memory of 5012	4916	cmd.exe	155
PID 4916 wrote to memory of 5012	4916	cmd.exe	155
PID 5012 wrote to memory of 5044	5012	csrss.exe	159
PID 5012 wrote to memory of 5044	5012	csrss.exe	159
PID 5044 wrote to memory of 5952	5044	cmd.exe	157
PID 5044 wrote to memory of 5952	5044	cmd.exe	157
PID 5044 wrote to memory of 3640	5044	cmd.exe	156
PID 5044 wrote to memory of 3640	5044	cmd.exe	156
PID 5044 wrote to memory of 3960	5044	cmd.exe	161
PID 5044 wrote to memory of 3960	5044	cmd.exe	161
PID 3960 wrote to memory of 3680	3960	csrss.exe	165
PID 3960 wrote to memory of 3680	3960	csrss.exe	165
PID 3680 wrote to memory of 4320	3680	cmd.exe	163
PID 3680 wrote to memory of 4320	3680	cmd.exe	163

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
"C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\unwZTfeHjE.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5300
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:5776
- - C:\Windows\security\cap\csrss.exe
    "C:\Windows\security\cap\csrss.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vUeiK7j9e9.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4916
    - - C:\Windows\security\cap\csrss.exe
        
        "C:\Windows\security\cap\csrss.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YhJZRZmgeT.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\security\cap\csrss.exe
        
        "C:\Windows\security\cap\csrss.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mkvvIrKbn0.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\security\cap\csrss.exe
        
        "C:\Windows\security\cap\csrss.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ODIA3Zf31.bat"
        10⤵
        
        PID:5700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:4380
        
        C:\Windows\security\cap\csrss.exe
        
        "C:\Windows\security\cap\csrss.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c4BTxhTwZ3.bat"
        12⤵
        
        PID:5628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:3580
        
        C:\Windows\security\cap\csrss.exe
        
        "C:\Windows\security\cap\csrss.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tl03UWnGtn.bat"
        14⤵
        
        PID:1172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:5732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:1916
        
        C:\Windows\security\cap\csrss.exe
        
        "C:\Windows\security\cap\csrss.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat"
        16⤵
        
        PID:2644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:5792
        
        C:\Windows\security\cap\csrss.exe
        
        "C:\Windows\security\cap\csrss.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ODIA3Zf31.bat"
        18⤵
        
        PID:1524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:5768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1840
        
        C:\Windows\security\cap\csrss.exe
        
        "C:\Windows\security\cap\csrss.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\39SckRh7ya.bat"
        20⤵
        
        PID:5332
        
        C:\Windows\security\cap\csrss.exe
        
        "C:\Windows\security\cap\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\SearchApp.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\wininit.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\dllhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\smss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\cap\csrss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  2⤵
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\security\cap\csrss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4c" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4c" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\SearchApp.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4916
- C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  2⤵
  - Runs ping.exe
  PID:5568
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:5884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\dllhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\dllhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\dllhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\smss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\security\cap\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\security\cap\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3892

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3640

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5952

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4320

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2852

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
d630e0db449ad8976cacc63421267c72

SHA1
a83e66cf385b6fd0d0f3050c851945804f00cd78

SHA256
9bc1ab4c50e10a7292ac1c4515defda4e48a484fa474c5e69a80d5b1ef22fb49

SHA512
8c7de267fde85f9fb4521afb956a33fd1e69ec86b530d5f348b382fbbc0f777f9b3189f6fe3223822895c8262a626c8a30f6d3a83ccf7efe92ce4acc46e2b7b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\39SckRh7ya.bat

Filesize
209B

MD5
6f24b5e52ad3828111c2d98114eb503c

SHA1
659b8b864ab5d7718423aa002045a7e446718bbe

SHA256
03bffef17105aa67421877834cbe73b37116edc4af6514c7b6bf36f7ed0e8dbd

SHA512
12e54081a5490db7d83fe3693c8e89b513facba6dc8f0d57efbcfca3e9891a615dd7a9fa6863695c6ecb3264414938c4deb13da35337e148017881cd4b64d92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ODIA3Zf31.bat

Filesize
161B

MD5
c4029a0fee80698158247f54cbce54e4

SHA1
38b39e6e05585a3bd59cb8fed02d351090a77bec

SHA256
25ead9f2ab64e751c0a9979531720fe7b809511aad6b206022dfd84b2aec1b98

SHA512
5d861665c867d6fb26b144c5a23acfad0d11a4bc50232f288a77850225dfdb03690e7f73c0851ddfaac0f4e2e2a60d7fbf1442779222fae80b85be6857947e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tl03UWnGtn.bat

Filesize
161B

MD5
9ea110d695bd353f9b71f71a5318605d

SHA1
675082d179e11f2e264246c1b8ebe353b479259b

SHA256
b2455b06c81701bf6f9775e08c05043a29514a9abe88fa5a62ad9712ea21f126

SHA512
01be4cc46133993145362cb03299141755366e1a157bffab261847cdf555f6705477547cf04a3ccffef41de8569fd4c66eca4f126dc7e950272e58e2b72d27e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YhJZRZmgeT.bat

Filesize
209B

MD5
f827dbe15435e43ede0b1591c0bdcd5a

SHA1
6261884f1370c42271e5eb9d8e27dc4a3bde7286

SHA256
6371b569b2e058cba2dbda938558279372169abb6c86263a2e223eafc401a2e8

SHA512
d1cb1d6c456205585e48a6ab255c3708ed1eba99aeac6ab17e712395ebacd03747830452e9fb97261f4736f0bc87c440d4e1c863f9ed2509d3bf864146c06f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j2ubc2aj.upn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4BTxhTwZ3.bat

Filesize
161B

MD5
1fe24ea8e40df755668e274570b449cd

SHA1
a52e4370d6cc36814663bf058bf6542174891971

SHA256
b82fa6f24c8106f019f25db485f94846f2b6726e2973a4e72853da8c5582ed02

SHA512
9a113fec27de64a088f12e7344e5010f5358778487d5986a0abf9df5904e63f196f3603098850f4763ef1b4a8d2143533bb39932e975df99b63d8637bfff5d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat

Filesize
209B

MD5
c6c5c59dd3013e73b71c5bdf671cd5dc

SHA1
6061c738f3433f0b6ae572604c2d9c2a5099bf39

SHA256
7e3033bfa8d0b5ec4dc2c49fc6f72aee52f71b6d393c144ce971f65e7c5597a7

SHA512
d6d1aac7594be8bddc87e37f4a6690a4586fc794251795df605aad11f282113ff9c9bf7dbd3fdf1b65867716aa36fcff96e457debe52e5699681cbf7d6f46059

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkvvIrKbn0.bat

Filesize
161B

MD5
dd6d5a5a792dc85f1a78fe5cb0405099

SHA1
89b20d1d10d9cc5d91c1d46b7f9f97441bc801ee

SHA256
c6541cda7593e42ccaae582148e1f3427db61cf6027d43c8140324cfa76b693b

SHA512
a14ed6decb9de1cfb985524a211b32e0210750664902a574a1ab24df46608c596b08852423fd3761b3c69c059f995fcbc369323a117a43fc4e30422e51eb9471

Download Submit
C:\Users\Admin\AppData\Local\Temp\unwZTfeHjE.bat

Filesize
161B

MD5
f31f8557c23706ee4d1c9f08d8edf9c1

SHA1
aac5bc60020f0f52ddac8f0a087f705c0d6b791d

SHA256
d02b5e9ffa3af325530382e7eb73981d558b6fc3a39cbc0e279b9f5ff4d751a4

SHA512
55f5431172dd603d76792e53d83083c22e01227c5b174dfb75f8110e9b16323f97ae5f8431242dbc42dcefc520d2194475019534e2d49f4df135b73db9a82152

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUeiK7j9e9.bat

Filesize
161B

MD5
fc7e86c31e21e2af7272739fb253734d

SHA1
e5962305fd50ea65595a1ac7f593b292a9412ff8

SHA256
05429bb579f58aa0e3a3babc3443d385ddb7a9aec6b955e358241885db89b661

SHA512
8e7ec77ca77de1559a155bd3d6e3734a6f9fb121ae27c55c32b74cd9290d5f11a57d4abeff6b0fc65131f7ad2316b726fabcd1edc6a5be52a32fbb25d32d8066

Download Submit
C:\Windows\security\cap\csrss.exe

Filesize
74KB

MD5
6222e072b44e09725d208a021efcb180

SHA1
cfc37570563f12898ea26efc0d09c3c45d8a36bb

SHA256
f905baedd5a53d701094abfdb4d0b40b3776f6b64d3f6d82f6eb488d206efca5

SHA512
8f57d6a4d80ff2b21c39dadcbd9499de62decd9a2bf6570f3d54df40ab9785d0eea1600a5a5253eb6646198d1351ac12fb09b3ca9a84da1aab1cb02c9cef62b0

Download Submit
C:\Windows\security\cap\csrss.exe

Filesize
123KB

MD5
8266aa4f641a10b9327ba4702fcc9d4b

SHA1
145ee3266b87a49e9671e0f5920568d535e181a2

SHA256
6260f83e7a19a00fdb2b1fc2a0ccfc399ea88e543bbe02a27346e13c34a5bc6b

SHA512
92bdebef46cb618155c2d03d28515587c845beede297be2e6e6b424937b567b556e57af622bd6b8b2dab9113d4f0d3a6f88c182f147b9438f458e990149a8b7d

Download Submit
C:\Windows\security\cap\csrss.exe

Filesize
205KB

MD5
69172679f63e237a84854390af2cc631

SHA1
ac9a0ad6e0d20dc22215b17193b2ea99c367bf0a

SHA256
24dfc999425cc8185affafb0329db8636c1d99b5e2a1b5faf54594fe96f92eb4

SHA512
6585e7fa8fd8adeebf0a9c2a692020ce501a998c0b40fe850df17bf288cf6a578ea5d4704fa37321480fac4adca6aeb95fae0765b54690279ebb3824d3f776b2

Download Submit
C:\Windows\security\cap\csrss.exe

Filesize
253KB

MD5
2c2ad4199a454ca1a9f8e288a9eae59f

SHA1
6f8dc3f0d8c0e52631357d117109ee49cd15c11d

SHA256
4279e2e95fa95f65462bdbb4fc94cdec6ac0ea1a7d700a6edc716ada3e925f39

SHA512
cf9d02d574aa36f4b6db86823b57712ae0847e66619960aee7739d5158083b3994a51c37ca2899d4b99e345c2ff523413b9e81e7703c3c612629154c8f8d7484

Download Submit
C:\Windows\security\cap\csrss.exe

Filesize
393KB

MD5
a936e4ecffce3c1eaab10240e1b15396

SHA1
30d0f175014d1976bf628a616a618067d74c4fc3

SHA256
aaff7a0f0d269fd1df56d69db5b266043a4eecd329b08f539418a72326a91610

SHA512
8c5d00941a6496ae112602d477a69ba16446b91a9a049cf85dee1274553ec070272224cbee3b26b174b02937a9d5d8f228b7f63792512bf56a7dd3ca0c4b43ab

Download Submit
C:\Windows\security\cap\csrss.exe

Filesize
2.0MB

MD5
70d149f275ccc89790c5405849a9ad9f

SHA1
de1a99c487f1b78320142e64fa1531c65a1ad8e7

SHA256
ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4

SHA512
899a53dda2c656117f1e618f06a334557536dcccd28d42a0f2ef6125ff9d0457759cff2c12c96c5b19381e25385ad3e31827f729bd6c5db397a58c0b7b7817a7

Download Submit
C:\Windows\security\cap\csrss.exe

Filesize
66KB

MD5
11d756d3f150504f26e7b858aa0be248

SHA1
23feb3045766f401a29b686d28433c9179cad4bb

SHA256
a694ad3d3bd1c01bf27bde0d5ba3fca03ef4289b2b07b7637b4d9d2cecc5d196

SHA512
ac6612e796d4596c51bdcd1e2d6f8d6bb73f4cc8fe8746333caf0487e198265ea540443890ed3f171c7410bf8602a97e65a7e4438ad0a2caea6ad29914a1ffbe

Download Submit
C:\Windows\security\cap\csrss.exe

Filesize
1.2MB

MD5
8c3ab06fc53dbfe8fa7ccf033c9d26c8

SHA1
a065883f1f0b37caa141bc1e11a809196666e5dd

SHA256
10dca2b09c85b104fa3db21140e84092fc2f715f02e235562f12a1b762137489

SHA512
d814eba64ee2f41286405ad81442137112c03ce2aab4029970d15210f6b2ddaf7930ab02404901f4147b91b63cb22b30fd9877d1f3fda12e845dc1373de22674

Download Submit
C:\Windows\security\cap\csrss.exe

Filesize
1.0MB

MD5
e5630cd5c57c3552dc4c81b130507644

SHA1
380f5ebeaa45db25d9f5dd140af85f27d4f583a7

SHA256
8fc170e5245a791f93b4492a86c4734297ab98f3f8c15e446c7f1c205da8c3da

SHA512
48f3be4a69998389e51bd31c13e936b9c7da4ebbb39afc071ca5f40ee97ae9104fae74b0065ecf8443d138ba896613866e5e4aa7e59e251f179ada2319139a1b

Download Submit
C:\Windows\security\cap\csrss.exe

Filesize
199KB

MD5
53c1a9e8cc72e59db6d215970c0f7442

SHA1
5e4ecf26c5ace28f6482a6b1f5eba00f845e5a59

SHA256
e491ffb5023ca4da5991c337d077f4572d4d1f2c351a17570a4ed8a585542615

SHA512
11a56974ee2379213ed4d8280875c7245d4af817fa3e4c38979b82b1b8932a558d3bd9f226f24f020b4452115502009ba6d8013e15bbc04a1e19e787a2e921f4

Download Submit
C:\Windows\security\cap\csrss.exe

Filesize
251KB

MD5
47da15f860300fbaa127b98eed691f43

SHA1
f6dd1f29b905330c11b3d06fcb564b0e4f368c98

SHA256
ebff7e1bb72e03af6327575d81c583751e8b9418c5cfdb45f74f337aa8b05a80

SHA512
a958eb9c21081ce7f6b2ee2e85a4dd56f9dd728e8d58059e6766f1c3ac113670e3c1d42d33c0d100f576d1a5cbe9974c3c884c2f6cc78eb3aff5125d5dcba841

Download Submit
memory/588-61-0x000001A8D0030000-0x000001A8D0040000-memory.dmp

Filesize
64KB

Download
memory/588-54-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/588-58-0x000001A8D0030000-0x000001A8D0040000-memory.dmp

Filesize
64KB

Download
memory/588-277-0x000001A8D03B0000-0x000001A8D051A000-memory.dmp

Filesize
1.4MB

Download
memory/660-93-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/660-181-0x000001DB987E0000-0x000001DB987F0000-memory.dmp

Filesize
64KB

Download
memory/660-269-0x000001DBB0D70000-0x000001DBB0EDA000-memory.dmp

Filesize
1.4MB

Download
memory/908-302-0x000001DF523A0000-0x000001DF5250A000-memory.dmp

Filesize
1.4MB

Download
memory/908-236-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/1016-250-0x00000292415B0000-0x00000292415C0000-memory.dmp

Filesize
64KB

Download
memory/1016-312-0x00000292416C0000-0x000002924182A000-memory.dmp

Filesize
1.4MB

Download
memory/1164-249-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/1164-296-0x00000295F84D0000-0x00000295F863A000-memory.dmp

Filesize
1.4MB

Download
memory/1216-278-0x000002C1A1510000-0x000002C1A167A000-memory.dmp

Filesize
1.4MB

Download
memory/1216-74-0x000002C1A12C0000-0x000002C1A12E2000-memory.dmp

Filesize
136KB

Download
memory/1216-59-0x000002C1A12B0000-0x000002C1A12C0000-memory.dmp

Filesize
64KB

Download
memory/1216-56-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/1220-242-0x0000028738740000-0x0000028738750000-memory.dmp

Filesize
64KB

Download
memory/1220-260-0x0000028750EE0000-0x000002875104A000-memory.dmp

Filesize
1.4MB

Download
memory/1220-241-0x0000028738740000-0x0000028738750000-memory.dmp

Filesize
64KB

Download
memory/1220-240-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/1680-320-0x0000020B53620000-0x0000020B5378A000-memory.dmp

Filesize
1.4MB

Download
memory/1680-251-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/1760-270-0x0000019CEC8F0000-0x0000019CECA5A000-memory.dmp

Filesize
1.4MB

Download
memory/1760-237-0x0000019CEC420000-0x0000019CEC430000-memory.dmp

Filesize
64KB

Download
memory/1760-234-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/1984-164-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/1984-289-0x0000024474520000-0x000002447468A000-memory.dmp

Filesize
1.4MB

Download
memory/1984-186-0x0000024472470000-0x0000024472480000-memory.dmp

Filesize
64KB

Download
memory/1984-214-0x0000024472470000-0x0000024472480000-memory.dmp

Filesize
64KB

Download
memory/2660-53-0x000000001B3A0000-0x000000001B3B0000-memory.dmp

Filesize
64KB

Download
memory/2660-29-0x00007FFAEC3B0000-0x00007FFAEC3B1000-memory.dmp

Filesize
4KB

Download
memory/2660-2-0x000000001B3A0000-0x000000001B3B0000-memory.dmp

Filesize
64KB

Download
memory/2660-3-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/2660-1-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/2660-4-0x000000001B3A0000-0x000000001B3B0000-memory.dmp

Filesize
64KB

Download
memory/2660-10-0x000000001B3A0000-0x000000001B3B0000-memory.dmp

Filesize
64KB

Download
memory/2660-15-0x00007FFAEC3F0000-0x00007FFAEC3F1000-memory.dmp

Filesize
4KB

Download
memory/2660-51-0x00007FFAEC4D0000-0x00007FFAEC58E000-memory.dmp

Filesize
760KB

Download
memory/2660-14-0x000000001B6B0000-0x000000001B700000-memory.dmp

Filesize
320KB

Download
memory/2660-20-0x00007FFAEC3E0000-0x00007FFAEC3E1000-memory.dmp

Filesize
4KB

Download
memory/2660-23-0x00007FFAEC3D0000-0x00007FFAEC3D1000-memory.dmp

Filesize
4KB

Download
memory/2660-31-0x000000001B380000-0x000000001B388000-memory.dmp

Filesize
32KB

Download
memory/2660-33-0x000000001B390000-0x000000001B39C000-memory.dmp

Filesize
48KB

Download
memory/2660-35-0x00007FFAEC3A0000-0x00007FFAEC3A1000-memory.dmp

Filesize
4KB

Download
memory/2660-57-0x000000001D2A0000-0x000000001D3B5000-memory.dmp

Filesize
1.1MB

Download
memory/2660-34-0x00007FFAEC4D0000-0x00007FFAEC58E000-memory.dmp

Filesize
760KB

Download
memory/2660-62-0x00007FFAEC4D0000-0x00007FFAEC58E000-memory.dmp

Filesize
760KB

Download
memory/2660-47-0x000000001B3A0000-0x000000001B3B0000-memory.dmp

Filesize
64KB

Download
memory/2660-0-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/2660-28-0x000000001B3A0000-0x000000001B3B0000-memory.dmp

Filesize
64KB

Download
memory/2660-27-0x00007FFAEC3C0000-0x00007FFAEC3C1000-memory.dmp

Filesize
4KB

Download
memory/2660-26-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/2660-25-0x000000001B370000-0x000000001B37C000-memory.dmp

Filesize
48KB

Download
memory/2660-22-0x000000001B210000-0x000000001B21E000-memory.dmp

Filesize
56KB

Download
memory/2660-19-0x000000001B200000-0x000000001B20E000-memory.dmp

Filesize
56KB

Download
memory/2660-17-0x000000001B350000-0x000000001B368000-memory.dmp

Filesize
96KB

Download
memory/2660-13-0x00007FFAEC400000-0x00007FFAEC401000-memory.dmp

Filesize
4KB

Download
memory/2660-60-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/2660-12-0x000000001B330000-0x000000001B34C000-memory.dmp

Filesize
112KB

Download
memory/2660-9-0x00007FFAEC410000-0x00007FFAEC411000-memory.dmp

Filesize
4KB

Download
memory/2660-8-0x00007FFAEC4D0000-0x00007FFAEC58E000-memory.dmp

Filesize
760KB

Download
memory/2660-7-0x00007FFAEC4D0000-0x00007FFAEC58E000-memory.dmp

Filesize
760KB

Download
memory/2660-6-0x000000001B1B0000-0x000000001B1BE000-memory.dmp

Filesize
56KB

Download
memory/3200-318-0x0000019C76E70000-0x0000019C76FDA000-memory.dmp

Filesize
1.4MB

Download
memory/3200-243-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/3232-290-0x00000183E7540000-0x00000183E76AA000-memory.dmp

Filesize
1.4MB

Download
memory/3232-239-0x00000183E7330000-0x00000183E7340000-memory.dmp

Filesize
64KB

Download
memory/3232-238-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/3416-246-0x0000025C668B0000-0x0000025C668C0000-memory.dmp

Filesize
64KB

Download
memory/3416-245-0x0000025C668B0000-0x0000025C668C0000-memory.dmp

Filesize
64KB

Download
memory/3416-244-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/3416-310-0x0000025C7EBA0000-0x0000025C7ED0A000-memory.dmp

Filesize
1.4MB

Download
memory/3736-297-0x00000158411C0000-0x000001584132A000-memory.dmp

Filesize
1.4MB

Download
memory/3736-248-0x0000015840FB0000-0x0000015840FC0000-memory.dmp

Filesize
64KB

Download
memory/3736-247-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/3940-63-0x0000021CA5010000-0x0000021CA5020000-memory.dmp

Filesize
64KB

Download
memory/3940-293-0x0000021CBD810000-0x0000021CBD97A000-memory.dmp

Filesize
1.4MB

Download
memory/3940-69-0x0000021CA5010000-0x0000021CA5020000-memory.dmp

Filesize
64KB

Download
memory/4544-354-0x000000001E8B0000-0x000000001E9C5000-memory.dmp

Filesize
1.1MB

Download
memory/4792-315-0x0000019AFC8A0000-0x0000019AFCA0A000-memory.dmp

Filesize
1.4MB

Download
memory/4872-319-0x000001F3B2070000-0x000001F3B21DA000-memory.dmp

Filesize
1.4MB

Download
memory/4984-311-0x00000197AB840000-0x00000197AB9AA000-memory.dmp

Filesize
1.4MB

Download
memory/4984-220-0x00000197AB630000-0x00000197AB640000-memory.dmp

Filesize
64KB

Download