zgrat | f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e40160ff1f09d7445f2cdcd24104701.exe
Size

1.8MB
MD5

1e40160ff1f09d7445f2cdcd24104701
SHA1

c660d302b2941a93c51cd1f857298126a3c0b219
SHA256

f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c
SHA512

ea3b325f2f4a75849a06859fd1f933c38abc425c542c1bd2b8b65abd7aff05a75d07caeb47656a9f699558306cc5fe789bf43cfc2c0676c5bd8d4109b0c015f0
SSDEEP

49152:uGkkhDESYZ24c4W3cs9gIDxH6HMfKZkQ6rQ:uGkkhDE74SR6gGHfy6

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/2796-0-0x00000000003B0000-0x000000000058E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1e40160ff1f09d7445f2cdcd24104701.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	1e40160ff1f09d7445f2cdcd24104701.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
1020	PING.EXE
4016	PING.EXE
3572	PING.EXE
3964	PING.EXE
2280	PING.EXE
1712	PING.EXE
3672	PING.EXE
2688	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
2796	1e40160ff1f09d7445f2cdcd24104701.exe
3700	1e40160ff1f09d7445f2cdcd24104701.exe
3700	1e40160ff1f09d7445f2cdcd24104701.exe
3700	1e40160ff1f09d7445f2cdcd24104701.exe
3700	1e40160ff1f09d7445f2cdcd24104701.exe
3700	1e40160ff1f09d7445f2cdcd24104701.exe
3700	1e40160ff1f09d7445f2cdcd24104701.exe
3700	1e40160ff1f09d7445f2cdcd24104701.exe
3700	1e40160ff1f09d7445f2cdcd24104701.exe
3700	1e40160ff1f09d7445f2cdcd24104701.exe
3700	1e40160ff1f09d7445f2cdcd24104701.exe
3700	1e40160ff1f09d7445f2cdcd24104701.exe
3700	1e40160ff1f09d7445f2cdcd24104701.exe
3700	1e40160ff1f09d7445f2cdcd24104701.exe
3700	1e40160ff1f09d7445f2cdcd24104701.exe
3700	1e40160ff1f09d7445f2cdcd24104701.exe
3700	1e40160ff1f09d7445f2cdcd24104701.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	3700	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	4268	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	2068	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	4324	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	3664	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	2284	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	4596	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	4416	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	4824	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	2028	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	5100	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	5056	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	772	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	4332	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	4156	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	5040	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	2132	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	5044	1e40160ff1f09d7445f2cdcd24104701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 1900	2796	1e40160ff1f09d7445f2cdcd24104701.exe	87
PID 2796 wrote to memory of 1900	2796	1e40160ff1f09d7445f2cdcd24104701.exe	87
PID 1900 wrote to memory of 4772	1900	cmd.exe	89
PID 1900 wrote to memory of 4772	1900	cmd.exe	89
PID 1900 wrote to memory of 4376	1900	cmd.exe	90
PID 1900 wrote to memory of 4376	1900	cmd.exe	90
PID 1900 wrote to memory of 3700	1900	cmd.exe	97
PID 1900 wrote to memory of 3700	1900	cmd.exe	97
PID 3700 wrote to memory of 2352	3700	1e40160ff1f09d7445f2cdcd24104701.exe	99
PID 3700 wrote to memory of 2352	3700	1e40160ff1f09d7445f2cdcd24104701.exe	99
PID 2352 wrote to memory of 3716	2352	cmd.exe	101
PID 2352 wrote to memory of 3716	2352	cmd.exe	101
PID 2352 wrote to memory of 4808	2352	cmd.exe	102
PID 2352 wrote to memory of 4808	2352	cmd.exe	102
PID 2352 wrote to memory of 4268	2352	cmd.exe	104
PID 2352 wrote to memory of 4268	2352	cmd.exe	104
PID 4268 wrote to memory of 4416	4268	1e40160ff1f09d7445f2cdcd24104701.exe	106
PID 4268 wrote to memory of 4416	4268	1e40160ff1f09d7445f2cdcd24104701.exe	106
PID 4416 wrote to memory of 4396	4416	cmd.exe	108
PID 4416 wrote to memory of 4396	4416	cmd.exe	108
PID 4416 wrote to memory of 4052	4416	cmd.exe	109
PID 4416 wrote to memory of 4052	4416	cmd.exe	109
PID 4416 wrote to memory of 2068	4416	cmd.exe	110
PID 4416 wrote to memory of 2068	4416	cmd.exe	110
PID 2068 wrote to memory of 4428	2068	1e40160ff1f09d7445f2cdcd24104701.exe	111
PID 2068 wrote to memory of 4428	2068	1e40160ff1f09d7445f2cdcd24104701.exe	111
PID 4428 wrote to memory of 2704	4428	cmd.exe	113
PID 4428 wrote to memory of 2704	4428	cmd.exe	113
PID 4428 wrote to memory of 2280	4428	cmd.exe	114
PID 4428 wrote to memory of 2280	4428	cmd.exe	114
PID 4428 wrote to memory of 4324	4428	cmd.exe	116
PID 4428 wrote to memory of 4324	4428	cmd.exe	116
PID 4324 wrote to memory of 3860	4324	1e40160ff1f09d7445f2cdcd24104701.exe	117
PID 4324 wrote to memory of 3860	4324	1e40160ff1f09d7445f2cdcd24104701.exe	117
PID 3860 wrote to memory of 1160	3860	cmd.exe	119
PID 3860 wrote to memory of 1160	3860	cmd.exe	119
PID 3860 wrote to memory of 1712	3860	cmd.exe	120
PID 3860 wrote to memory of 1712	3860	cmd.exe	120
PID 3860 wrote to memory of 3664	3860	cmd.exe	122
PID 3860 wrote to memory of 3664	3860	cmd.exe	122
PID 3664 wrote to memory of 2700	3664	1e40160ff1f09d7445f2cdcd24104701.exe	123
PID 3664 wrote to memory of 2700	3664	1e40160ff1f09d7445f2cdcd24104701.exe	123
PID 2700 wrote to memory of 4512	2700	cmd.exe	125
PID 2700 wrote to memory of 4512	2700	cmd.exe	125
PID 2700 wrote to memory of 4644	2700	cmd.exe	126
PID 2700 wrote to memory of 4644	2700	cmd.exe	126
PID 2700 wrote to memory of 2284	2700	cmd.exe	127
PID 2700 wrote to memory of 2284	2700	cmd.exe	127
PID 2284 wrote to memory of 4476	2284	1e40160ff1f09d7445f2cdcd24104701.exe	128
PID 2284 wrote to memory of 4476	2284	1e40160ff1f09d7445f2cdcd24104701.exe	128
PID 4476 wrote to memory of 3516	4476	cmd.exe	130
PID 4476 wrote to memory of 3516	4476	cmd.exe	130
PID 4476 wrote to memory of 4660	4476	cmd.exe	131
PID 4476 wrote to memory of 4660	4476	cmd.exe	131
PID 4476 wrote to memory of 4596	4476	cmd.exe	132
PID 4476 wrote to memory of 4596	4476	cmd.exe	132
PID 4596 wrote to memory of 1628	4596	1e40160ff1f09d7445f2cdcd24104701.exe	133
PID 4596 wrote to memory of 1628	4596	1e40160ff1f09d7445f2cdcd24104701.exe	133
PID 1628 wrote to memory of 4316	1628	cmd.exe	135
PID 1628 wrote to memory of 4316	1628	cmd.exe	135
PID 1628 wrote to memory of 3672	1628	cmd.exe	136
PID 1628 wrote to memory of 3672	1628	cmd.exe	136
PID 1628 wrote to memory of 4416	1628	cmd.exe	137
PID 1628 wrote to memory of 4416	1628	cmd.exe	137

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SWAv0lnPhs.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4772
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4376
- - C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
    "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Phxc9FejmL.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3716
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4808
    - - C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4268
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fYqjwDText.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        7⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c4BTxhTwZ3.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        9⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B0uJAwGmBV.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        11⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O2a76Ow1QW.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        13⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WEfJS3myHd.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        15⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tl03UWnGtn.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        17⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AzylF6O5Hz.bat"
        18⤵
        
        PID:1484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:5032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        19⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MYvr7swJ3g.bat"
        20⤵
        
        PID:1068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        21⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J5Gb9Mxbfq.bat"
        22⤵
        
        PID:4084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        23⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JQt66VEtJ1.bat"
        24⤵
        
        PID:4072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        25⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c4BTxhTwZ3.bat"
        26⤵
        
        PID:3868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:4656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        27⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IqQTfaxkTv.bat"
        28⤵
        
        PID:4440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        29⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\39SckRh7ya.bat"
        30⤵
        
        PID:5096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:1712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        31⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w46Kl20HUF.bat"
        32⤵
        
        PID:1252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        33⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FiOhdEFLkG.bat"
        34⤵
        
        PID:2460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        35⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SWAv0lnPhs.bat"
        36⤵
        
        PID:5088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:3524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        37⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xIvSFn08gA.bat"
        38⤵
        
        PID:1192
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:4428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        39⤵
        
        PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1e40160ff1f09d7445f2cdcd24104701.exe.log

Filesize
1KB

MD5
f8b2fca3a50771154571c11f1c53887b

SHA1
2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

SHA256
0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

SHA512
b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\39SckRh7ya.bat

Filesize
246B

MD5
61948e305f41bf7c0d254f49443c2e6d

SHA1
c8c9c5fd4cea10042699d4836809421c276875cf

SHA256
30b43d9c6c644a49ef23d5c4dce00a4716701ccc13bfd1ab55491c31505a3acc

SHA512
8ea421d6d4cd9fcaed58c893159157637d024be4e43900bf69c7a77d835ad8453062e5ccbaff8dcbcc543ec364faff354b47be55c36ed896761f96de0a64d1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AzylF6O5Hz.bat

Filesize
198B

MD5
4e4ff7d6d34695548896646a046b6e63

SHA1
b87a4c1a71b1de17f66efbb61e7671b781c4c9e4

SHA256
136b918a3086aa2041ae0ed0510f9aaeaaed6ee916a38b4fa55d7e0009bb5d91

SHA512
07f6c7fef460042d0a7b5112773e5314016ef012a6fb059bfc866a110030aeb1cc41295a867d25150bd03f3449ced68c44e49cb160b46677a3943453a4ea7531

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0uJAwGmBV.bat

Filesize
198B

MD5
194d24d20ceadce7232d1fd90d35b083

SHA1
9a5f5924281fbdb4557dd523b59a474394fbe96c

SHA256
dd1c4efad91e3bb8b8af60dc28ac8b6e4a131da0ffa226abc80fe3dd71208148

SHA512
3c7a3d53b3bf4ab641e060765574b8c999531fa98d4ff9a068d6c2932cb606461d09e7cd6e53b88bd133b425d5e6a2be55ce91d13118a01626a7ea8d9aff05d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FiOhdEFLkG.bat

Filesize
246B

MD5
5233d843420639858c171b97ac912e27

SHA1
433c3c661d2d13a47db296836d20b6dfd87bbfe6

SHA256
704ccf063aa7b1e251186eb8f8789cb19fdd5420386d51e9e602cd88b2833ec6

SHA512
3513e26d971047ecb2d677ab405627c19101bc2edf4714521b889793c961a4b12c2b39c2bc17617fcc626868409d7ad18c841d5954e9275cf029e28d2d817744

Download Submit
C:\Users\Admin\AppData\Local\Temp\IqQTfaxkTv.bat

Filesize
246B

MD5
955136ea799b87a2be9231701bdb95b7

SHA1
198b0c030ccba14224e3f2db3bb7f55179937928

SHA256
bbfcc1de2a0cc0a296c69908f583659587da5c2ddd54df8217a11f6fc4384c97

SHA512
b151145bb3a2bb5a9c709200fcc1269feaf08edaef2c1013fe531506cecb61973c31510c6594762bd4cb9eefb71a4770b4cadce6b228892934041b79cd90df4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\J5Gb9Mxbfq.bat

Filesize
198B

MD5
741461711893cf457ad9bc7d9593252e

SHA1
53bbfc652b6603dd5979f02861e8d4fa2060967b

SHA256
024deab044943c5b0bfe8014dbda12a6ca258c0a9022c472ddd5f50e550be904

SHA512
9ac002a315a7dde5801a3845b2b01b9d0b32680e3ecd2a22f850045c108ccfd96681da20213f2d2f5e0f1c5e81e50831895e2c0ca533dbb7e63f92eee9ca4fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQt66VEtJ1.bat

Filesize
198B

MD5
0c1ee96513fc858587a19400f86c860a

SHA1
174608f6fdf1a0083f5ee27b9e2e317475f19f38

SHA256
c7790365bef52e77d7701368d7679369f5e1b24f17e03038baa1ab5d23b2f5ef

SHA512
f8704b97176a5b6351911b07a594caed07cee23563827099661b9e9ccfc1f8417222a6f24cbcbac18238c7da32544dcd365d55de84dcdb9ea30b3b297dc7b0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYvr7swJ3g.bat

Filesize
198B

MD5
5122621c2e270714e11632f94582b2de

SHA1
13fab1d450b1759967bf45df70eb7279eea0eac4

SHA256
79a0fbbf54fc5d38a2ae9f48f04142faa885bccc9063a32d98f586bb69a98b9e

SHA512
bc3dc546572a5ccc50531eb09fedcd168be7b84b2ccc0111194bf1501c28f15e3265dcdb2d1f6ffde7be36e3d997603be5d5f2d2907101d37de057104e3424a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\O2a76Ow1QW.bat

Filesize
246B

MD5
eaf35a7cb2e749cbedb2f37c0593a4dc

SHA1
5618e31c11fe8be5f19645bc6f5099f64003fb07

SHA256
6242e6bb10a0facf9504cd03398f5ba52dab1eea6f7d236d9ef0306b2c51dce4

SHA512
89fdbecdd947861528e5390fbe60b5c38e07305bd745e96bbd980242412f9afb787526b3c090f76208ea838aa239c4b2b22041601970ca75c112aa333897f826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Phxc9FejmL.bat

Filesize
246B

MD5
651d346c8d618f9e9a87ef2033acbe22

SHA1
1c4002fddb81265ad4988b212d29ee1a026663c5

SHA256
bb7173a913a5c01f259f71cf03780d13b5555ee9da7d0de822e3ebdc4281c6af

SHA512
ca93678bfbdadb46dbae198ba6cb7abebe2719b20fcedd464ec511688764aba8beef3e876c29930206ed316e38dbca3524feb7c411c41bdaa23debf0d1ceb57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SWAv0lnPhs.bat

Filesize
246B

MD5
7094ddd3b3d9af46205f004d01eb55db

SHA1
fc5f7865607400f8aa55f74db9c18a212afc5652

SHA256
e7fa2c7b1f6cea9acddcb5876e0b37662aa3da8617318ecce65bf1031494f45d

SHA512
e9533c16ef361286fe9733b24d81a37d1cf9a8e669b11453bbfcc09b9140ba214081747e1c7756c1d69f525f042e51392521799114195d3ade187908f915aeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tl03UWnGtn.bat

Filesize
198B

MD5
214d40b952318ef831d6c4acc8c6bb90

SHA1
786964ce6bea1deb417db7f5f96df49382fa5d94

SHA256
c0bf7569f5fd0ded277cc576751a858a8c39cfd67b750b47d13004e8c3aa927c

SHA512
04d09c7afa149538fbd2e003f1c9fe49a973b02866b7f373fcddcecffcd8a0ab823ed6af0e6c8e2b3901265af64fee7da9253acc1e885669d3f86d179ddfc842

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEfJS3myHd.bat

Filesize
246B

MD5
f29de7d11a40a1cfb4335508a0e57e81

SHA1
1b991c235884a0150d982fed654cf734dab91a33

SHA256
f734292e74fea0e6b121903174812b2347adc22cd0f64fc42b7dbc2c771da7f5

SHA512
7bc1ec827f84bba4e6b4f7d044fad211af3ca2ff69db77ab84c9a3c208c5f36e31fdbe0e024c55792aab477800e1d59873f17721fca17feae6fa30ac159cd1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4BTxhTwZ3.bat

Filesize
198B

MD5
423a843829db69465889b09d9dce535c

SHA1
70b0493d8a6e19d905169da43a95a20d3cf8d1f3

SHA256
2abc757a0b02f34b9ce847c2bf43751911d938f4735cbaae420d3373de092dc3

SHA512
7150dca783d3d6ddf9fa1f5ac96d67dd190dd5320dfe990c228a1b8685fdbe27fa6a5ce06f5b4865a513989a37724e918c7b088165d24d1e9f96dd7ddef9f7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYqjwDText.bat

Filesize
246B

MD5
b13ac39fdfe19f75146c3c36fd4b6909

SHA1
7a1b059cc1989f374036bd2286225c7439900798

SHA256
900884129f10acf37f74a8e93f16016658d084fd4a53bbd554b3c5bf95129232

SHA512
5261c116cddd5f3b54d8bf9050ce385fcdb9506df4f44cd3929ef27d0f9a5de9e0572fd7190c7d520a35d9d8606b78437ce3cac7ca7e54340cb654c7075f66ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\w46Kl20HUF.bat

Filesize
246B

MD5
23705d99d8ddcf6aafc33f23e29e2ed7

SHA1
36bf526d4c75f5b87ddd0aec3ce894f99f3908ba

SHA256
d4700d73b4ef01ac990b4ff2f84abbe4c199ffdc2bdcd413ab34c5c24b494c95

SHA512
882ff0b44d2ceb86b6312d6f2747adba65af438f9fcac199166bcb9f681a407c5434a87627a8b0d63a0322b6afcff6aa9a4895dc57b5319969d5b5135577ad72

Download Submit
C:\Users\Admin\AppData\Local\Temp\xIvSFn08gA.bat

Filesize
246B

MD5
2c343cf86778d32b75ec7ea25d91c9f9

SHA1
15c2d165f20f7cb5d23ac0f9ca9273a89fde7665

SHA256
0fe82eaf418b9ad1448be6d60fe5ad63e49e325297149c65401b5a4733187455

SHA512
be5cfbe15428a2b4be1d0931bb97b699c59e14e6be94580971e8c2da8a436b094b7f9f67d0051c402b3221679b2580b16350c558e01be08ef94ce7bf993a15ab

Download Submit
memory/2796-28-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

Filesize
10.8MB

Download
memory/2796-24-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

Filesize
10.8MB

Download
memory/2796-15-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

Filesize
10.8MB

Download
memory/2796-16-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

Filesize
10.8MB

Download
memory/2796-18-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

Filesize
10.8MB

Download
memory/2796-1-0x00007FF95A033000-0x00007FF95A035000-memory.dmp

Filesize
8KB

Download
memory/2796-14-0x0000000002660000-0x000000000266C000-memory.dmp

Filesize
48KB

Download
memory/2796-26-0x000000001BAD0000-0x000000001BC3A000-memory.dmp

Filesize
1.4MB

Download
memory/2796-27-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

Filesize
10.8MB

Download
memory/2796-12-0x000000001B0D0000-0x000000001B0E8000-memory.dmp

Filesize
96KB

Download
memory/2796-9-0x000000001B340000-0x000000001B390000-memory.dmp

Filesize
320KB

Download
memory/2796-17-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

Filesize
10.8MB

Download
memory/2796-0-0x00000000003B0000-0x000000000058E000-memory.dmp

Filesize
1.9MB

Download
memory/2796-10-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

Filesize
10.8MB

Download
memory/2796-8-0x0000000002680000-0x000000000269C000-memory.dmp

Filesize
112KB

Download
memory/2796-6-0x0000000002650000-0x000000000265E000-memory.dmp

Filesize
56KB

Download
memory/2796-4-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

Filesize
10.8MB

Download
memory/2796-3-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

Filesize
10.8MB

Download
memory/2796-2-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

Filesize
10.8MB

Download
memory/2796-22-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

Filesize
10.8MB

Download
memory/3700-40-0x00007FF9598B0000-0x00007FF95A371000-memory.dmp

Filesize
10.8MB

Download
memory/3700-31-0x00007FF9598B0000-0x00007FF95A371000-memory.dmp

Filesize
10.8MB

Download