6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
Size

1.8MB
MD5

330a09824e901f7c2fb65be086df1493
SHA1

236a6a080f1ea340343bedab226a88b3b92ea9cf
SHA256

6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa
SHA512

8da1191fb37876db6e4747d3807999995dbd965c0d13d21b944b941e8455daa7512c9322c7e56bb228c83fc8babe849685685c16dd000cb3e8e5a3822e7a6c77
SSDEEP

24576:lZFeGcDsavzoey8aUB/WN0/AZ7mNUxrE3cmOrwAUqGStlkuVUoPYQhMaXeRTl:laiUB/WN0/AZ7mNUxrEle3/JVU0Yb

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe

Executes dropped EXE 17 IoCs

pid	Process
4172	unsecapp.exe
216	unsecapp.exe
348	unsecapp.exe
4756	unsecapp.exe
4168	unsecapp.exe
1916	unsecapp.exe
1500	unsecapp.exe
3164	unsecapp.exe
3884	unsecapp.exe
4140	unsecapp.exe
4392	unsecapp.exe
2236	unsecapp.exe
1716	unsecapp.exe
1260	unsecapp.exe
3000	unsecapp.exe
1324	unsecapp.exe
2384	unsecapp.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\fonts\taskhostw.exe	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
File created	C:\Program Files\Mozilla Firefox\fonts\ea9f0e6c9e2dcd	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\fontdrvhost.exe	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\5b884080fd4f94	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\upfc.exe	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\ea1d8f6d871115	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
File created	C:\Program Files (x86)\Windows NT\spoolsv.exe	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
File created	C:\Program Files (x86)\Windows NT\f3b6ecef712a24	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2980	PING.EXE
1872	PING.EXE
4516	PING.EXE
1180	PING.EXE
3780	PING.EXE
4484	PING.EXE
3544	PING.EXE
2140	PING.EXE
4940	PING.EXE

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	unsecapp.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
1872	PING.EXE
3544	PING.EXE
2140	PING.EXE
4516	PING.EXE
4940	PING.EXE
1180	PING.EXE
3780	PING.EXE
4484	PING.EXE
2980	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
4172	unsecapp.exe
4172	unsecapp.exe
4172	unsecapp.exe
4172	unsecapp.exe
4172	unsecapp.exe
4172	unsecapp.exe
4172	unsecapp.exe
4172	unsecapp.exe
4172	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
Token: SeDebugPrivilege	4172	unsecapp.exe
Token: SeDebugPrivilege	216	unsecapp.exe
Token: SeDebugPrivilege	348	unsecapp.exe
Token: SeDebugPrivilege	4756	unsecapp.exe
Token: SeDebugPrivilege	4168	unsecapp.exe
Token: SeDebugPrivilege	1916	unsecapp.exe
Token: SeDebugPrivilege	1500	unsecapp.exe
Token: SeDebugPrivilege	3164	unsecapp.exe
Token: SeDebugPrivilege	3884	unsecapp.exe
Token: SeDebugPrivilege	4140	unsecapp.exe
Token: SeDebugPrivilege	4392	unsecapp.exe
Token: SeDebugPrivilege	2236	unsecapp.exe
Token: SeDebugPrivilege	1716	unsecapp.exe
Token: SeDebugPrivilege	1260	unsecapp.exe
Token: SeDebugPrivilege	3000	unsecapp.exe
Token: SeDebugPrivilege	1324	unsecapp.exe
Token: SeDebugPrivilege	2384	unsecapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2520	1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe	82
PID 1728 wrote to memory of 2520	1728	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe	82
PID 2520 wrote to memory of 2268	2520	cmd.exe	84
PID 2520 wrote to memory of 2268	2520	cmd.exe	84
PID 2520 wrote to memory of 1180	2520	cmd.exe	85
PID 2520 wrote to memory of 1180	2520	cmd.exe	85
PID 2520 wrote to memory of 4172	2520	cmd.exe	91
PID 2520 wrote to memory of 4172	2520	cmd.exe	91
PID 4172 wrote to memory of 3132	4172	unsecapp.exe	92
PID 4172 wrote to memory of 3132	4172	unsecapp.exe	92
PID 3132 wrote to memory of 2612	3132	cmd.exe	94
PID 3132 wrote to memory of 2612	3132	cmd.exe	94
PID 3132 wrote to memory of 3120	3132	cmd.exe	95
PID 3132 wrote to memory of 3120	3132	cmd.exe	95
PID 3132 wrote to memory of 216	3132	cmd.exe	98
PID 3132 wrote to memory of 216	3132	cmd.exe	98
PID 216 wrote to memory of 1692	216	unsecapp.exe	99
PID 216 wrote to memory of 1692	216	unsecapp.exe	99
PID 1692 wrote to memory of 228	1692	cmd.exe	101
PID 1692 wrote to memory of 228	1692	cmd.exe	101
PID 1692 wrote to memory of 3780	1692	cmd.exe	102
PID 1692 wrote to memory of 3780	1692	cmd.exe	102
PID 1692 wrote to memory of 348	1692	cmd.exe	104
PID 1692 wrote to memory of 348	1692	cmd.exe	104
PID 348 wrote to memory of 1164	348	unsecapp.exe	105
PID 348 wrote to memory of 1164	348	unsecapp.exe	105
PID 1164 wrote to memory of 4340	1164	cmd.exe	107
PID 1164 wrote to memory of 4340	1164	cmd.exe	107
PID 1164 wrote to memory of 980	1164	cmd.exe	108
PID 1164 wrote to memory of 980	1164	cmd.exe	108
PID 1164 wrote to memory of 4756	1164	cmd.exe	110
PID 1164 wrote to memory of 4756	1164	cmd.exe	110
PID 4756 wrote to memory of 3944	4756	unsecapp.exe	111
PID 4756 wrote to memory of 3944	4756	unsecapp.exe	111
PID 3944 wrote to memory of 4920	3944	cmd.exe	113
PID 3944 wrote to memory of 4920	3944	cmd.exe	113
PID 3944 wrote to memory of 4484	3944	cmd.exe	114
PID 3944 wrote to memory of 4484	3944	cmd.exe	114
PID 3944 wrote to memory of 4168	3944	cmd.exe	115
PID 3944 wrote to memory of 4168	3944	cmd.exe	115
PID 4168 wrote to memory of 3392	4168	unsecapp.exe	116
PID 4168 wrote to memory of 3392	4168	unsecapp.exe	116
PID 3392 wrote to memory of 1584	3392	cmd.exe	118
PID 3392 wrote to memory of 1584	3392	cmd.exe	118
PID 3392 wrote to memory of 680	3392	cmd.exe	119
PID 3392 wrote to memory of 680	3392	cmd.exe	119
PID 3392 wrote to memory of 1916	3392	cmd.exe	120
PID 3392 wrote to memory of 1916	3392	cmd.exe	120
PID 1916 wrote to memory of 4204	1916	unsecapp.exe	121
PID 1916 wrote to memory of 4204	1916	unsecapp.exe	121
PID 4204 wrote to memory of 5092	4204	cmd.exe	123
PID 4204 wrote to memory of 5092	4204	cmd.exe	123
PID 4204 wrote to memory of 2980	4204	cmd.exe	124
PID 4204 wrote to memory of 2980	4204	cmd.exe	124
PID 4204 wrote to memory of 1500	4204	cmd.exe	125
PID 4204 wrote to memory of 1500	4204	cmd.exe	125
PID 1500 wrote to memory of 2216	1500	unsecapp.exe	126
PID 1500 wrote to memory of 2216	1500	unsecapp.exe	126
PID 2216 wrote to memory of 4428	2216	cmd.exe	128
PID 2216 wrote to memory of 4428	2216	cmd.exe	128
PID 2216 wrote to memory of 1872	2216	cmd.exe	129
PID 2216 wrote to memory of 1872	2216	cmd.exe	129
PID 2216 wrote to memory of 3164	2216	cmd.exe	130
PID 2216 wrote to memory of 3164	2216	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
"C:\Users\Admin\AppData\Local\Temp\6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zn4IUa01sU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2268
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1180
- - C:\Recovery\WindowsRE\unsecapp.exe
    "C:\Recovery\WindowsRE\unsecapp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ybJBPcXt9a.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3132
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2612
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3120
    - - C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:216
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04ySO8WbXQ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3780
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HGbZHomwPb.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:980
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYiqYJzx03.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4484
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BP5Pm95y6C.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:680
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3REiUSKTh.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:5092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2980
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o3IeSgqMHP.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1872
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GMPvjC3Nss.bat"
        18⤵
        
        PID:3132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1284
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KjGpFKlenR.bat"
        20⤵
        
        PID:3928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4516
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AAGHIO57vH.bat"
        22⤵
        
        PID:1964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4332
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYiqYJzx03.bat"
        24⤵
        
        PID:2056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3544
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JURhlZmnbW.bat"
        26⤵
        
        PID:2152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1508
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lnXy25yoCy.bat"
        28⤵
        
        PID:2112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2140
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JURhlZmnbW.bat"
        30⤵
        
        PID:3548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4660
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ip3Bhi35Fh.bat"
        32⤵
        
        PID:3540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4940
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PLxqGDTluw.bat"
        34⤵
        
        PID:2800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:1272
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\spoolsv.exe

Filesize
1.8MB

MD5
330a09824e901f7c2fb65be086df1493

SHA1
236a6a080f1ea340343bedab226a88b3b92ea9cf

SHA256
6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa

SHA512
8da1191fb37876db6e4747d3807999995dbd965c0d13d21b944b941e8455daa7512c9322c7e56bb228c83fc8babe849685685c16dd000cb3e8e5a3822e7a6c77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
f8b2fca3a50771154571c11f1c53887b

SHA1
2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

SHA256
0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

SHA512
b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\04ySO8WbXQ.bat

Filesize
162B

MD5
de7d722a48b9cfae87c11f5119992818

SHA1
bcc2eff9333a1b0669476c2345a3e1eb36b61022

SHA256
5fccf858a92bb9bbd30a012f51d8627f369321697f41b14eb867fd1229fcd8cd

SHA512
3a1e4a01a3624c4d6ac37223bd0623183b493f55a49d12983cd26c3a88e4712da0e580edd9c85b5a9a0656081b882ac6e491956db93cf39712e1e1818e774fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAGHIO57vH.bat

Filesize
210B

MD5
ea14f9215aaad1d7f91bf0443077a050

SHA1
a0bcfdb3dae80b83de0fb73af661ce403ce83364

SHA256
4faee6444ab32656b0ea7575e13f26386f2810805a2af6ec8ae648420cdad6bf

SHA512
d765f6447dde512ad3a30f752e75f76388b81a957815a2bb359967dac2382857b21a0395f371bf3d017dc50ddce38f1be74eee701b04b579ab730373d9283142

Download Submit
C:\Users\Admin\AppData\Local\Temp\BP5Pm95y6C.bat

Filesize
210B

MD5
148bfce9bcab55882f9088540289d9f7

SHA1
d16ca79cd50ccc3bf368e6ca4dcf2f9f269f7791

SHA256
5e55ac5f3eb1277456e6dd0431fc1c71309570ec8bff57fc44befedc9961894b

SHA512
c92027e8ee36b5407cb24dd1a3dadecc6f6ae9c687cd84f3c48f01442441886670248f6644a65e2356669218c252ca898418cce4a26de7ea6cc53df7887c07d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMPvjC3Nss.bat

Filesize
210B

MD5
98f127901edb7517485e131db6325bf6

SHA1
121e8d1663c0a5a9421550432d06dc6cbcf4b4a3

SHA256
028693e390205cbade915ed09f2b704024d723a6292249cbb059c24a2f869305

SHA512
cfee6f52f6aa4aab0c186f018736ba637136cbfc177d679ddb1ecc26bee33553b64dcc6fde491daf7a73599bdd141e4376d1ed39e7b99a287453666d3d63875f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGbZHomwPb.bat

Filesize
210B

MD5
dd90bcdc3b38d11872cacfa165dbe54e

SHA1
73ebd77d5f61eb92d21ff0f91853cf6e3b2e59b6

SHA256
725798b871a74e7dc641f6fae53fc42849af38c38495d66bd647f5b8a03ca2df

SHA512
91999caeef0128e4b62614c85f28fef91df729fe0958d04df4cdc6f506a8ac92900acfefed16adc0b22db590229277c903135570858125987e47b38a9bc2c278

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ip3Bhi35Fh.bat

Filesize
162B

MD5
8262750f427335f545cbc8cdd6403ba5

SHA1
ebca356e69fa640a97bf53f55f566af1b5df701d

SHA256
2ec425f42ceb1a6bdc90ebd05c587a391d120493c92f2fcafbcb3de897315ec3

SHA512
68f026da27d4ecf8b69ea22375aca47ca01dad1697bf7e4e2acc77596b3a4cb1189bf7164199ec4dd24dc1975f71061b5acf0906d85eba1a3f8ca557ccc0036a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JURhlZmnbW.bat

Filesize
210B

MD5
53a86c87aff920585f1472eab3c50472

SHA1
809e5569cd16fccff9cd6403f7eb52ba9e08dcb5

SHA256
8b0a01e3ff8aa1a6b1788d5b750bd54eb5639f4e9507ecfa52d5a1c4c5fea890

SHA512
cc1eef9c22c1a627edae39b6c372c3912c7289bcb23c8fa25982beb652c28adba70da0e0a81db0c56aa13122f077d70c14256cde923e8e8b3b97a27f450ee4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KjGpFKlenR.bat

Filesize
162B

MD5
5715ebe73845ea175097a1c118146298

SHA1
fba1a55e984e6e7c64cf6e1b1b7b2506706c27b7

SHA256
14c94510e7d9f2c919283aeb7e01ffc2048e5e9827887aea9f8c1080100e7495

SHA512
6b60b05b3500c88cd670f2d0ac00f892194745815b2a202fe6472dc27aa2f2ff9a994586be24ac79754f385625da85931bd5386289c1fc1db91ba96e7ceb0873

Download Submit
C:\Users\Admin\AppData\Local\Temp\PLxqGDTluw.bat

Filesize
210B

MD5
19c842a2e16372d6eb59c26b6e909dda

SHA1
4946c53f4139096b8044eca8113a4957257318ba

SHA256
511ae697d0582ea62b1cc4fa2b74a10ee9572468e7aedeb1604dc0369bda24d3

SHA512
637650409ea4a2d40bc31a90e5157e4fb11a333e4a100547cde4417c5f2339d73623368789bd3e1acb86c747e27f4ffe0afcdb3dff10595c97480870cba3015b

Download Submit
C:\Users\Admin\AppData\Local\Temp\T3REiUSKTh.bat

Filesize
162B

MD5
f8137dc07f9427f6b0b812c2d3000d2f

SHA1
2e198997654726ae330df60184910d5addb7f3f7

SHA256
6e4a5a6ca764e2262ed3bfc13fcfe1a35269c41784673eb00eb9f5b3c4125eaa

SHA512
afc10f51916f3aca20a5319ecbb11ef593aab39c353c4494a372a66419040fbc11a59a425b471775b6ad783bacedfafdc330e102ab4e46a33614d5c6b50a8cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zn4IUa01sU.bat

Filesize
162B

MD5
a32c9d4e83c62138715f61ba1903a23f

SHA1
661d470fa784e7e4d1fdbbec2df9a689defde55a

SHA256
132b553aea6349c9e993069b4850265dc97c7a23cb93f6a82d2c4868360b6b3a

SHA512
4d110eb52c4f3ea22a6a9a0b7eb40a3cc58503072dabf46cb1a738a10bb5381747bbb2f7abb2e3ad12448c84422e06eb49299bd1a6676610198ce9d8d633842a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYiqYJzx03.bat

Filesize
162B

MD5
01b6b0dbef6aaed69127f71d9dd94316

SHA1
da651831103efbb52def6187709028b061adfa2f

SHA256
500843e81ffeb18433b374a72e7fa932d4ad38ac4b1d383e66ebdcb90fc76167

SHA512
ffc0b151bb53d4fec5e92dd2d40329bab7b258294159568f17e568f79ecfa2631c37f622ff047c5e849ff5689173ddd650977b1ac27122e97d4179de9b4c4f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnXy25yoCy.bat

Filesize
162B

MD5
398b106028b94fbe63ea907b274b116c

SHA1
2987bd5b409668414312b2ca06d241b27928b731

SHA256
b8a86d36b6b30b4b2bf5d3b50145a23a330a791b6359b4d80318c8e1e987915e

SHA512
6f84f7fbabb050ea60a691a571abee1fa5dc5623964e9a52efe3d2f0d19c83051d6e1c28d0f119569d41da9ccf4f233df104d4febfeabb6811c334e9b9b39d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\o3IeSgqMHP.bat

Filesize
162B

MD5
90939504334811e53c1b281cd2d540d5

SHA1
be29fd6a61276b5db3b6ea2d40f10c3ec140a93a

SHA256
0d20892720c723d065ee25396350dea9cb1b0866c8223c0a0657b2da4576766f

SHA512
ae85da777cd65426b96a39d2a25ebea1b91f9048430cb8809647923b5dd6476efc1d7cf77d591cc032e0e13188d7dc97cf3a5afbc68a3a58c9d3c5c7f3ad556b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybJBPcXt9a.bat

Filesize
210B

MD5
042e18b13229027ee4b767882549daf2

SHA1
8e25cac7f1d74717c90d2302cecaba739cf61696

SHA256
e5b5780841e56ac94fd94fdd98308ebd1e0710a244c63deedf625c710922308f

SHA512
5a3191b6ae57db87aef12be053b990fea6caafb3126536f5d8d2c70e500a95f354e30d8e4254869649f097d9cac344efed86ad7d2e35d82ad828d3defd7925e6

Download Submit
memory/1500-116-0x000000001BFC0000-0x000000001C0C2000-memory.dmp

Filesize
1.0MB

Download
memory/1728-13-0x0000000002990000-0x00000000029A8000-memory.dmp

Filesize
96KB

Download
memory/1728-8-0x00007FFE4A1F0000-0x00007FFE4ACB1000-memory.dmp

Filesize
10.8MB

Download
memory/1728-1-0x0000000000430000-0x000000000060A000-memory.dmp

Filesize
1.9MB

Download
memory/1728-36-0x00007FFE4A1F0000-0x00007FFE4ACB1000-memory.dmp

Filesize
10.8MB

Download
memory/1728-33-0x00007FFE4A1F0000-0x00007FFE4ACB1000-memory.dmp

Filesize
10.8MB

Download
memory/1728-32-0x00007FFE4A1F0000-0x00007FFE4ACB1000-memory.dmp

Filesize
10.8MB

Download
memory/1728-24-0x00007FFE4A1F0000-0x00007FFE4ACB1000-memory.dmp

Filesize
10.8MB

Download
memory/1728-2-0x00007FFE4A1F0000-0x00007FFE4ACB1000-memory.dmp

Filesize
10.8MB

Download
memory/1728-16-0x00007FFE4A1F0000-0x00007FFE4ACB1000-memory.dmp

Filesize
10.8MB

Download
memory/1728-3-0x00007FFE4A1F0000-0x00007FFE4ACB1000-memory.dmp

Filesize
10.8MB

Download
memory/1728-15-0x0000000002820000-0x000000000282C000-memory.dmp

Filesize
48KB

Download
memory/1728-4-0x00007FFE4A1F0000-0x00007FFE4ACB1000-memory.dmp

Filesize
10.8MB

Download
memory/1728-0-0x00007FFE4A1F3000-0x00007FFE4A1F5000-memory.dmp

Filesize
8KB

Download
memory/1728-11-0x000000001B210000-0x000000001B260000-memory.dmp

Filesize
320KB

Download
memory/1728-10-0x0000000002970000-0x000000000298C000-memory.dmp

Filesize
112KB

Download
memory/1728-6-0x00000000027D0000-0x00000000027DE000-memory.dmp

Filesize
56KB

Download
memory/1728-7-0x00007FFE4A1F0000-0x00007FFE4ACB1000-memory.dmp

Filesize
10.8MB

Download
memory/1916-105-0x000000001B600000-0x000000001B702000-memory.dmp

Filesize
1.0MB

Download
memory/3164-127-0x000000001C150000-0x000000001C252000-memory.dmp

Filesize
1.0MB

Download
memory/4168-94-0x000000001BED0000-0x000000001BFD2000-memory.dmp

Filesize
1.0MB

Download
memory/4172-41-0x00007FFE49D50000-0x00007FFE4A811000-memory.dmp

Filesize
10.8MB

Download
memory/4172-51-0x00007FFE49D50000-0x00007FFE4A811000-memory.dmp

Filesize
10.8MB

Download
memory/4756-83-0x000000001BFF0000-0x000000001C0F2000-memory.dmp

Filesize
1.0MB

Download