orcus | 8667faa80b6d3e4126e5e9e60b6e2f755f5388c5554e7b6fd59bcd5a342326ad

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orcus.exe
Size

3.0MB
MD5

37128f8c34f0e2112cb6c60d2fe8d4c6
SHA1

42d4240892b4fcb2b5332fb70210238aa4070f6a
SHA256

8667faa80b6d3e4126e5e9e60b6e2f755f5388c5554e7b6fd59bcd5a342326ad
SHA512

f0387c7f8d4d74fc378599918cee295abf14e0cc3983a4e1681a7d40ba4b5af519a0bfec7244d2e081588590e421711dc412b3e32cb17c0a6b9db9a0d0656b88
SSDEEP

49152:uBpEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmLNrZEu:uBptODUKTslWp2MpbfGGilIJPypSbxEt

Score

10^/10

orcus roblox defense_evasion discovery evasion persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

orcus

Botnet

Roblox

89.23.100.155:1337

Mutex

fa9ce586702b4090bcb834980fda0474

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Windows\MpDefenderCore.exe
reconnect_delay
10000
registry_keyname
MpDefender
taskscheduler_taskname
MpDefender
watchdog_path
AppData\xdwdwatchdog.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1508-23-0x000000001B1A0000-0x000000001B1AA000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Orcus.exeMpDefenderCore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	MpDefenderCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	MpDefenderCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	MpDefenderCore.exe

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\Windows\MpDefenderCore.exe	family_orcus

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Orcus.exeMpDefenderCore.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	MpDefenderCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MpDefenderCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MpDefenderCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Orcus.exe

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1508-56-0x000000001CA60000-0x000000001CD62000-memory.dmp	orcus
C:\Program Files\Windows\MpDefenderCore.exe	orcus

Executes dropped EXE 6 IoCs

Processes:

WindowsInput.exeWindowsInput.exeMpDefenderCore.exeMpDefenderCore.exexdwdwatchdog.exexdwdwatchdog.exe

pid process

496 WindowsInput.exe
2652 WindowsInput.exe
904 MpDefenderCore.exe
744 MpDefenderCore.exe
2820 xdwdwatchdog.exe
2772 xdwdwatchdog.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
496	WindowsInput.exe
2652	WindowsInput.exe
904	MpDefenderCore.exe
744	MpDefenderCore.exe
2820	xdwdwatchdog.exe
2772	xdwdwatchdog.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Orcus.exeMpDefenderCore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	Orcus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	MpDefenderCore.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MpDefenderCore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\MpDefender = "\"C:\\Program Files\\Windows\\MpDefenderCore.exe\""	MpDefenderCore.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

MpDefenderCore.exeOrcus.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MpDefenderCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	MpDefenderCore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Orcus.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

Processes:

Orcus.exeMpDefenderCore.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	MpDefenderCore.exe

Drops file in System32 directory 3 IoCs

Processes:

Orcus.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	Orcus.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	Orcus.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

Processes:

Orcus.exe

description	ioc	process
File created	C:\Program Files\Windows\MpDefenderCore.exe	Orcus.exe
File opened for modification	C:\Program Files\Windows\MpDefenderCore.exe	Orcus.exe
File created	C:\Program Files\Windows\MpDefenderCore.exe.config	Orcus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

xdwdwatchdog.exexdwdwatchdog.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdwdwatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdwdwatchdog.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exexdwdwatchdog.exeMpDefenderCore.exe

pid	process
536	powershell.exe
2064	powershell.exe
2772	xdwdwatchdog.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
904	MpDefenderCore.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe
904	MpDefenderCore.exe
2772	xdwdwatchdog.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeMpDefenderCore.exepowershell.exexdwdwatchdog.exexdwdwatchdog.exe

description	pid	process
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	904	MpDefenderCore.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2820	xdwdwatchdog.exe
Token: SeDebugPrivilege	2772	xdwdwatchdog.exe
Token: SeBackupPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe
Token: SeSecurityPrivilege	904	MpDefenderCore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

MpDefenderCore.exe

pid process

904 MpDefenderCore.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

MpDefenderCore.exe

pid process

904 MpDefenderCore.exe
904 MpDefenderCore.exe
904 MpDefenderCore.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MpDefenderCore.exe

pid process

904 MpDefenderCore.exe

pid	process
904	MpDefenderCore.exe

pid	process
904	MpDefenderCore.exe
904	MpDefenderCore.exe
904	MpDefenderCore.exe

pid	process
904	MpDefenderCore.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

Orcus.execsc.exeMpDefenderCore.exetaskeng.exexdwdwatchdog.exe

description	pid	process	target process
PID 1508 wrote to memory of 2804	1508	Orcus.exe	csc.exe
PID 1508 wrote to memory of 2804	1508	Orcus.exe	csc.exe
PID 1508 wrote to memory of 2804	1508	Orcus.exe	csc.exe
PID 2804 wrote to memory of 2708	2804	csc.exe	cvtres.exe
PID 2804 wrote to memory of 2708	2804	csc.exe	cvtres.exe
PID 2804 wrote to memory of 2708	2804	csc.exe	cvtres.exe
PID 1508 wrote to memory of 496	1508	Orcus.exe	WindowsInput.exe
PID 1508 wrote to memory of 496	1508	Orcus.exe	WindowsInput.exe
PID 1508 wrote to memory of 496	1508	Orcus.exe	WindowsInput.exe
PID 1508 wrote to memory of 536	1508	Orcus.exe	powershell.exe
PID 1508 wrote to memory of 536	1508	Orcus.exe	powershell.exe
PID 1508 wrote to memory of 536	1508	Orcus.exe	powershell.exe
PID 1508 wrote to memory of 904	1508	Orcus.exe	MpDefenderCore.exe
PID 1508 wrote to memory of 904	1508	Orcus.exe	MpDefenderCore.exe
PID 1508 wrote to memory of 904	1508	Orcus.exe	MpDefenderCore.exe
PID 904 wrote to memory of 2064	904	MpDefenderCore.exe	powershell.exe
PID 904 wrote to memory of 2064	904	MpDefenderCore.exe	powershell.exe
PID 904 wrote to memory of 2064	904	MpDefenderCore.exe	powershell.exe
PID 2256 wrote to memory of 744	2256	taskeng.exe	MpDefenderCore.exe
PID 2256 wrote to memory of 744	2256	taskeng.exe	MpDefenderCore.exe
PID 2256 wrote to memory of 744	2256	taskeng.exe	MpDefenderCore.exe
PID 904 wrote to memory of 2820	904	MpDefenderCore.exe	xdwdwatchdog.exe
PID 904 wrote to memory of 2820	904	MpDefenderCore.exe	xdwdwatchdog.exe
PID 904 wrote to memory of 2820	904	MpDefenderCore.exe	xdwdwatchdog.exe
PID 904 wrote to memory of 2820	904	MpDefenderCore.exe	xdwdwatchdog.exe
PID 2820 wrote to memory of 2772	2820	xdwdwatchdog.exe	xdwdwatchdog.exe
PID 2820 wrote to memory of 2772	2820	xdwdwatchdog.exe	xdwdwatchdog.exe
PID 2820 wrote to memory of 2772	2820	xdwdwatchdog.exe	xdwdwatchdog.exe
PID 2820 wrote to memory of 2772	2820	xdwdwatchdog.exe	xdwdwatchdog.exe

System policy modification 1 TTPs 14 IoCs

evasion

Modify Registry

T1112

Processes:

Orcus.exeMpDefenderCore.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MpDefenderCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	MpDefenderCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	MpDefenderCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	MpDefenderCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	MpDefenderCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	MpDefenderCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MpDefenderCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	Orcus.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Orcus.exe
"C:\Users\Admin\AppData\Local\Temp\Orcus.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Windows security modification
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1508
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_o_qf7oh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES678A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6789.tmp"
    3⤵
    PID:2708
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Program Files\Windows\MpDefenderCore.exe
  "C:\Program Files\Windows\MpDefenderCore.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Users\Admin\AppData\Roaming\xdwdwatchdog.exe
    "C:\Users\Admin\AppData\Roaming\xdwdwatchdog.exe" /launchSelfAndExit "C:\Program Files\Windows\MpDefenderCore.exe" 904 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Roaming\xdwdwatchdog.exe
      "C:\Users\Admin\AppData\Roaming\xdwdwatchdog.exe" /watchProcess "C:\Program Files\Windows\MpDefenderCore.exe" 904 "/protectFile"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2772

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\system32\taskeng.exe
taskeng.exe {3FA5D253-AE12-47E2-9D58-8A4B2398381A} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Program Files\Windows\MpDefenderCore.exe
  "C:\Program Files\Windows\MpDefenderCore.exe"
  2⤵
  - Executes dropped EXE
  PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows\MpDefenderCore.exe

Filesize
3.0MB

MD5
37128f8c34f0e2112cb6c60d2fe8d4c6

SHA1
42d4240892b4fcb2b5332fb70210238aa4070f6a

SHA256
8667faa80b6d3e4126e5e9e60b6e2f755f5388c5554e7b6fd59bcd5a342326ad

SHA512
f0387c7f8d4d74fc378599918cee295abf14e0cc3983a4e1681a7d40ba4b5af519a0bfec7244d2e081588590e421711dc412b3e32cb17c0a6b9db9a0d0656b88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10b46bfbe9b5f53cba8e2395c82bff2d

SHA1
8bd1824dbeb57f78a7d5d832b257e87398a0e74b

SHA256
39511c13757b2d4301074c4a91be9d9ff11545e2eb0303613d58cd6e61917e16

SHA512
003d4f1112070a0d919311053516e4b28844c13578854aef67e9e0482c89722cc4ff44628c73a19c051103194ee63cbc454b29858c9f2fc743f1a663fe6ce301

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD365.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES678A.tmp

Filesize
1KB

MD5
3f61e7df29ebc7c4bf1c3fecf0545bf6

SHA1
19d65934629f4263c5096e1380ea1a61c43bb8c2

SHA256
b71402d4d79e029ad9a1091d59eaf5fc6b6262acd5a8e90d0553c71e9df1596f

SHA512
65ea61166e5fbc6cce1ead3b034d412e115c35c82fd8b623be6cc6de05d47c8a8fa5a0c4564e32432a897474e9186e2ac9edf988e1ac9fd0d2538fe34c76d0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD433.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_o_qf7oh.dll

Filesize
76KB

MD5
11f5ef3e903bfa1408e03617b2b9e2c1

SHA1
0de7e3890061eaf64a1047ad4292e909054c8e90

SHA256
782e729c11b59eba2ec19fdc93100bb02ac59c7c2b0c0dd420c034244a6df9af

SHA512
1e7d9d2e8dd42efa40f3c3ac5f70368a5bb17d485c1949664c7ff44770d3de43cf056bad58dde89a3fef24ddea46ce7b792067ef01316d3124661e22152934fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
90b86e7c86e42d642a321b489b1e013d

SHA1
e87f650bdf3003e81f65bafb27759c0e89c56fa3

SHA256
0c6f3ee776b754adb620a4a01d13641fd787db3fa84dcff5a51fdf5ec7894c3e

SHA512
dc83a227fb4ca59e60d20a064f932cf5f3db404a815cffe3b12d406fbf06d2669939639c4434771214ae9915570fedca9da38eb4abc1261fd69aa7ffc75a52bd

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\lib_fa9ce586702b4090bcb834980fda0474\ICSharpCode.SharpZipLib.dll

Filesize
196KB

MD5
c8164876b6f66616d68387443621510c

SHA1
7a9df9c25d49690b6a3c451607d311a866b131f4

SHA256
40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d

SHA512
44a6accc70c312a16d0e533d3287e380997c5e5d610dbeaa14b2dbb5567f2c41253b895c9817ecd96c85d286795bbe6ab35fd2352fddd9d191669a2fb0774bc4

Download Submit
C:\Users\Admin\AppData\Roaming\xdwdwatchdog.exe

Filesize
9KB

MD5
7a195b6c9de2d5cab015f649da6931a1

SHA1
89f7372dd92a90a8e13b74ee512b464412e4cf9b

SHA256
30183935449a625c2a61f6342dc3b9907028194173f2e3d594eaa3126ee316bc

SHA512
3c2aeef85b51e7f955072fba042bcedf8dd0b66ad813def58c0134355665ba56a713d58005a322561c62be5777d0adea2803da214459f362f22fe2a0dba5a1c7

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
f6285edd247fa58161be33f8cf662d31

SHA1
e2b49bca43cd0bd6cc1eee582ba58f0ed6de1470

SHA256
bc16993d1a774793044ca37eb2ce84ecbdb5c578e3c710ed82879e07dcef2fec

SHA512
6f3e6073a1dafc679da1caa4a4c9cb7cc2da79c3f81034d7b7b7b1d855fd5421cbb517a7d3f9520f49d4d3b7f9577f4f8f92486994c8b78fabff5033b390a788

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6789.tmp

Filesize
676B

MD5
6c887d4a895aaff3b8045e2e34c24d81

SHA1
a9534c3d83e253ace92075ea181f5743e913e835

SHA256
2099d2e47360f0d139a656ecdd315c25fdc084e89863dbd1327b2551198d9854

SHA512
812c5acf98e1d813048bdf81b4df7666dbea3e2e49b7802ba4f50db9081fcda2362a43b21e461f2c02d0846461782bd6b3a689184c305c7b472bb7f2ff4f442b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_o_qf7oh.0.cs

Filesize
208KB

MD5
f7ddf06b5730b808c73ebb94294d8ffb

SHA1
355cbf12b4bd84b57d361b5e35c2dbc7aa98962b

SHA256
a7ac185f2c5b8eee7ba89eb1d35180f9097c170b2dcebd18d2fc6c7a4837fe0c

SHA512
fcf07d3d9bac0993a88c303e4470960766ff05d6620aa140a45b1b187019ced0b62aef4119d104d0dd25c83517ca9d325b5a063ccb027953b9f601db3d1aec18

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_o_qf7oh.cmdline

Filesize
349B

MD5
54932ab71f0e623f661e08afe2979826

SHA1
04752f541b3d56a3f370263090c3142e2f6fa39d

SHA256
c6e078160e6fae414fc71450185f7afcd762de8920de9933dd36bcfbb7cfe862

SHA512
820bb26c74c6a2a03099046d9b7927b6c13c798630efb0163fcc7a665ac3df7495ac7c6a4a2f83e81bca80156cb8859dbfd55c053cf9debf608ee754d916e244

Download Submit
memory/496-32-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/536-44-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/536-45-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/1508-87-0x000000001B6B0000-0x000000001B6C0000-memory.dmp

Filesize
64KB

Download
memory/1508-97-0x000000001B6B0000-0x000000001B6BC000-memory.dmp

Filesize
48KB

Download
memory/1508-3-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/1508-2-0x0000000000B30000-0x0000000000B3E000-memory.dmp

Filesize
56KB

Download
memory/1508-1-0x0000000002290000-0x00000000022EC000-memory.dmp

Filesize
368KB

Download
memory/1508-0-0x000007FEF55BE000-0x000007FEF55BF000-memory.dmp

Filesize
4KB

Download
memory/1508-46-0x000000001B8E0000-0x000000001B936000-memory.dmp

Filesize
344KB

Download
memory/1508-56-0x000000001CA60000-0x000000001CD62000-memory.dmp

Filesize
3.0MB

Download
memory/1508-58-0x000000001B6B0000-0x000000001B6BA000-memory.dmp

Filesize
40KB

Download
memory/1508-59-0x000000001B760000-0x000000001B786000-memory.dmp

Filesize
152KB

Download
memory/1508-60-0x000000001B730000-0x000000001B748000-memory.dmp

Filesize
96KB

Download
memory/1508-61-0x000000001B730000-0x000000001B76B000-memory.dmp

Filesize
236KB

Download
memory/1508-62-0x000000001B730000-0x000000001B746000-memory.dmp

Filesize
88KB

Download
memory/1508-63-0x000000001B760000-0x000000001B78A000-memory.dmp

Filesize
168KB

Download
memory/1508-64-0x000000001B6B0000-0x000000001B6B8000-memory.dmp

Filesize
32KB

Download
memory/1508-65-0x000000001B760000-0x000000001B786000-memory.dmp

Filesize
152KB

Download
memory/1508-66-0x000000001B730000-0x000000001B74C000-memory.dmp

Filesize
112KB

Download
memory/1508-67-0x000000001C860000-0x000000001C96A000-memory.dmp

Filesize
1.0MB

Download
memory/1508-68-0x000000001B6B0000-0x000000001B6BC000-memory.dmp

Filesize
48KB

Download
memory/1508-69-0x000000001B730000-0x000000001B750000-memory.dmp

Filesize
128KB

Download
memory/1508-70-0x000000001B760000-0x000000001B786000-memory.dmp

Filesize
152KB

Download
memory/1508-71-0x000000001B760000-0x000000001B786000-memory.dmp

Filesize
152KB

Download
memory/1508-72-0x000000001B730000-0x000000001B74C000-memory.dmp

Filesize
112KB

Download
memory/1508-73-0x000000001B730000-0x000000001B76B000-memory.dmp

Filesize
236KB

Download
memory/1508-74-0x000000001B730000-0x000000001B742000-memory.dmp

Filesize
72KB

Download
memory/1508-75-0x000000001B730000-0x000000001B74C000-memory.dmp

Filesize
112KB

Download
memory/1508-76-0x000000001B760000-0x000000001B786000-memory.dmp

Filesize
152KB

Download
memory/1508-77-0x000000001B6B0000-0x000000001B6BA000-memory.dmp

Filesize
40KB

Download
memory/1508-78-0x000000001B6B0000-0x000000001B6BC000-memory.dmp

Filesize
48KB

Download
memory/1508-79-0x000000001B6B0000-0x000000001B6BA000-memory.dmp

Filesize
40KB

Download
memory/1508-80-0x000000001B730000-0x000000001B74E000-memory.dmp

Filesize
120KB

Download
memory/1508-81-0x000000001B730000-0x000000001B74E000-memory.dmp

Filesize
120KB

Download
memory/1508-82-0x000000001B6B0000-0x000000001B6B8000-memory.dmp

Filesize
32KB

Download
memory/1508-83-0x000000001B6B0000-0x000000001B6B8000-memory.dmp

Filesize
32KB

Download
memory/1508-84-0x000000001B6B0000-0x000000001B6BA000-memory.dmp

Filesize
40KB

Download
memory/1508-85-0x000000001B6B0000-0x000000001B6BE000-memory.dmp

Filesize
56KB

Download
memory/1508-86-0x000000001B730000-0x000000001B744000-memory.dmp

Filesize
80KB

Download
memory/1508-24-0x000000001B1B0000-0x000000001B1B8000-memory.dmp

Filesize
32KB

Download
memory/1508-88-0x000000001B6B0000-0x000000001B6BC000-memory.dmp

Filesize
48KB

Download
memory/1508-89-0x000000001B760000-0x000000001B78A000-memory.dmp

Filesize
168KB

Download
memory/1508-90-0x000000001C750000-0x000000001C825000-memory.dmp

Filesize
852KB

Download
memory/1508-91-0x000000001B760000-0x000000001B788000-memory.dmp

Filesize
160KB

Download
memory/1508-92-0x000000001B730000-0x000000001B750000-memory.dmp

Filesize
128KB

Download
memory/1508-93-0x000000001B760000-0x000000001B786000-memory.dmp

Filesize
152KB

Download
memory/1508-94-0x000000001B6B0000-0x000000001B6BA000-memory.dmp

Filesize
40KB

Download
memory/1508-95-0x000000001B6B0000-0x000000001B6BC000-memory.dmp

Filesize
48KB

Download
memory/1508-96-0x000000001B6B0000-0x000000001B6BC000-memory.dmp

Filesize
48KB

Download
memory/1508-7-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/1508-98-0x000000001B730000-0x000000001B744000-memory.dmp

Filesize
80KB

Download
memory/1508-99-0x000000001B730000-0x000000001B748000-memory.dmp

Filesize
96KB

Download
memory/1508-100-0x000000001B730000-0x000000001B748000-memory.dmp

Filesize
96KB

Download
memory/1508-101-0x000000001B6B0000-0x000000001B6BC000-memory.dmp

Filesize
48KB

Download
memory/1508-102-0x000000001B6B0000-0x000000001B6BC000-memory.dmp

Filesize
48KB

Download
memory/1508-103-0x000000001B6B0000-0x000000001B6BC000-memory.dmp

Filesize
48KB

Download
memory/1508-104-0x000000001B6B0000-0x000000001B6C0000-memory.dmp

Filesize
64KB

Download
memory/1508-105-0x000000001B6B0000-0x000000001B6BE000-memory.dmp

Filesize
56KB

Download
memory/1508-106-0x000000001B760000-0x000000001B782000-memory.dmp

Filesize
136KB

Download
memory/1508-107-0x000007FEF55BE000-0x000007FEF55BF000-memory.dmp

Filesize
4KB

Download
memory/1508-108-0x000000001B730000-0x000000001B74C000-memory.dmp

Filesize
112KB

Download
memory/1508-109-0x000000001B760000-0x000000001B78C000-memory.dmp

Filesize
176KB

Download
memory/1508-110-0x000000001B730000-0x000000001B744000-memory.dmp

Filesize
80KB

Download
memory/1508-111-0x000000001B6B0000-0x000000001B6B8000-memory.dmp

Filesize
32KB

Download
memory/1508-113-0x000000001B6B0000-0x000000001B6BC000-memory.dmp

Filesize
48KB

Download
memory/1508-112-0x000000001B730000-0x000000001B74A000-memory.dmp

Filesize
104KB

Download
memory/1508-114-0x000000001B6B0000-0x000000001B6BE000-memory.dmp

Filesize
56KB

Download
memory/1508-115-0x000000001B6B0000-0x000000001B6BA000-memory.dmp

Filesize
40KB

Download
memory/1508-116-0x000000001B770000-0x000000001B7B0000-memory.dmp

Filesize
256KB

Download
memory/1508-117-0x000000001B730000-0x000000001B742000-memory.dmp

Filesize
72KB

Download
memory/1508-118-0x000000001B6B0000-0x000000001B6BE000-memory.dmp

Filesize
56KB

Download
memory/1508-119-0x000000001B760000-0x000000001B784000-memory.dmp

Filesize
144KB

Download
memory/1508-120-0x000000001B760000-0x000000001B788000-memory.dmp

Filesize
160KB

Download
memory/1508-121-0x000000001B6B0000-0x000000001B6BA000-memory.dmp

Filesize
40KB

Download
memory/1508-122-0x000000001B6B0000-0x000000001B6B8000-memory.dmp

Filesize
32KB

Download
memory/1508-123-0x000000001B730000-0x000000001B74C000-memory.dmp

Filesize
112KB

Download
memory/1508-124-0x000000001B730000-0x000000001B74C000-memory.dmp

Filesize
112KB

Download
memory/1508-125-0x000000001B6B0000-0x000000001B6B8000-memory.dmp

Filesize
32KB

Download
memory/1508-126-0x000000001B6B0000-0x000000001B6B8000-memory.dmp

Filesize
32KB

Download
memory/1508-127-0x000000001B6B0000-0x000000001B6B8000-memory.dmp

Filesize
32KB

Download
memory/1508-128-0x000000001B6B0000-0x000000001B6BE000-memory.dmp

Filesize
56KB

Download
memory/1508-129-0x000000001B730000-0x000000001B742000-memory.dmp

Filesize
72KB

Download
memory/1508-130-0x000000001B6B0000-0x000000001B6BE000-memory.dmp

Filesize
56KB

Download
memory/1508-131-0x000000001B6B0000-0x000000001B6BA000-memory.dmp

Filesize
40KB

Download
memory/1508-132-0x000000001B760000-0x000000001B78A000-memory.dmp

Filesize
168KB

Download
memory/1508-133-0x000000001C750000-0x000000001C825000-memory.dmp

Filesize
852KB

Download
memory/1508-134-0x000000001B760000-0x000000001B788000-memory.dmp

Filesize
160KB

Download
memory/1508-135-0x000000001B730000-0x000000001B74E000-memory.dmp

Filesize
120KB

Download
memory/1508-23-0x000000001B1A0000-0x000000001B1AA000-memory.dmp

Filesize
40KB

Download
memory/1508-22-0x0000000002270000-0x0000000002278000-memory.dmp

Filesize
32KB

Download
memory/1508-19-0x000000001B1C0000-0x000000001B1D6000-memory.dmp

Filesize
88KB

Download
memory/1508-21-0x000000001AF90000-0x000000001AFA2000-memory.dmp

Filesize
72KB

Download
memory/2652-36-0x0000000000C60000-0x0000000000C6C000-memory.dmp

Filesize
48KB

Download
memory/2804-17-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-10-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download