Overview

overview

10

Static

static

3

270723a06c...d8.exe

windows7-x64

3

270723a06c...d8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 20:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8.exe

  • Size

    113KB

  • MD5

    7cf417d06a24c1ade73ec6d8ae589077

  • SHA1

    128516790f9c6d8ac1d33a9f1f2b854162d94942

  • SHA256

    270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8

  • SHA512

    3f5615b04489cfc755e19efc30fe619026dfacd250bb1c1677e1c55ceb6f69a80d0f05760c157696985e1090c34e8e403b453e5680fb981f274bdd66e2fcb5bb

  • SSDEEP

    3072:RSb0MKWY3tfR2y+/ESH7V3wy3OcpN4LBzl:44JWGJ+/ESx3wy+c34LBZ

Score
10/10
dcratorcusrobloxdefense_evasiondiscoveryevasionexecutioninfostealerpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

orcus

Botnet

Roblox

C2

89.23.100.155:1337

Mutex

52641f3c61234743ba12f855fdae3135

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %AppData%\Windows\Helper\WinHelper32.exe

  • reconnect_delay

    10000

  • registry_keyname

    WinHelper32.exe

  • taskscheduler_taskname

    WinHelper32

  • watchdog_path

    AppData\WinHelperWatchdog.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcus main payload 1 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs
    rat
  • Orcurs Rat Executable 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 13 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs

    Possible Turn off User Account Control's privilege elevation for standard users.

    defense_evasionpersistenceprivilege_escalation
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 4 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 14 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8.exe
    "C:\Users\Admin\AppData\Local\Temp\270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8.exe"
      2⤵
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:3496
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3804
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1876
      • C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe
        C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:648
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1316
            • C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe
              "C:\Users\Admin\AppData\Roaming\Windows/Defender/RunShell.exe"
              6⤵
              • Modifies WinLogon for persistence
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Program Files directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1980
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3vmktq5v\3vmktq5v.cmdline"
                7⤵
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:376
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA7F.tmp" "c:\Windows\System32\CSC7D38C812C41940E78C6E6C6C9A4A6BC.TMP"
                  8⤵
                    PID:1644
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3516
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2976
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1768
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\RunShell.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4660
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\RuntimeBroker.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4920
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2840
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I1Fw0JrAXE.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4816
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    8⤵
                      PID:540
                    • C:\Windows\system32\PING.EXE
                      ping -n 10 localhost
                      8⤵
                      • System Network Configuration Discovery: Internet Connection Discovery
                      • Runs ping.exe
                      PID:3300
                    • C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\RuntimeBroker.exe
                      "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\RuntimeBroker.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2608
            • C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe
              "C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe"
              4⤵
              • Modifies Windows Defender Real-time Protection settings
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Windows security modification
              • Checks whether UAC is enabled
              • Hijack Execution Flow: Executable Installer File Permissions Weakness
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3472
              • C:\Windows\SysWOW64\WindowsInput.exe
                "C:\Windows\SysWOW64\WindowsInput.exe" --install
                5⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                PID:3552
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "powershell" Get-MpPreference -verbose
                5⤵
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2772
              • C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe
                "C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe"
                5⤵
                • Modifies Windows Defender Real-time Protection settings
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Hijack Execution Flow: Executable Installer File Permissions Weakness
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:1816
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" Get-MpPreference -verbose
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3440
                • C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe
                  "C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe" 1816 /protectFile
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4680
                  • C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe
                    "C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe" 1816 "/protectFile"
                    7⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2008
            • C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe
              "C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe"
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2596
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\blockComAgentdll\l2A594olLEJWUEUfw4GfnauDbYxQl.vbe"
                5⤵
                • Checks computer location settings
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3484
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\blockComAgentdll\Q5HIcCBrM4kJ2gRS.bat" "
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:3972
                  • C:\blockComAgentdll\hypercommonSvc.exe
                    "C:\blockComAgentdll/hypercommonSvc.exe"
                    7⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • Drops file in Windows directory
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1128
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TRdsJfNgFu.bat"
                      8⤵
                        PID:4080
                        • C:\Windows\system32\chcp.com
                          chcp 65001
                          9⤵
                            PID:2976
                          • C:\Windows\system32\PING.EXE
                            ping -n 10 localhost
                            9⤵
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:4356
                          • C:\Recovery\WindowsRE\lsass.exe
                            "C:\Recovery\WindowsRE\lsass.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: GetForegroundWindowSpam
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4992
          • C:\Windows\SysWOW64\WindowsInput.exe
            "C:\Windows\SysWOW64\WindowsInput.exe"
            1⤵
            • Executes dropped EXE
            PID:2176
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4944
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1508
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4448
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:412
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:676
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1256
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:708
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3092
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3332
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\RunShell.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1500
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RunShell" /sc ONLOGON /tr "'C:\Program Files\Windows Security\RunShell.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3152
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\RunShell.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2376
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4716
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3132
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:532
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4308
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RunShell" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3952
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4252
          • C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe
            C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe
            1⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2360

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Hijack Execution Flow

          1
          T1574

          Executable Installer File Permissions Weakness

          1
          T1574.005

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Hijack Execution Flow

          1
          T1574

          Executable Installer File Permissions Weakness

          1
          T1574.005

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Hijack Execution Flow

          1
          T1574

          Executable Installer File Permissions Weakness

          1
          T1574.005

          Impair Defenses

          3
          T1562

          Disable or Modify Tools

          3
          T1562.001

          Modify Registry

          6
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Query Registry

          2
          T1012

          Remote System Discovery

          1
          T1018

          System Information Discovery

          3
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          System Network Configuration Discovery

          1
          T1016

          Internet Connection Discovery

          1
          T1016.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Web Service

          1
          T1102

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WinHelperWatchdog.exe.log
            Filesize

            425B

            MD5

            4eaca4566b22b01cd3bc115b9b0b2196

            SHA1

            e743e0792c19f71740416e7b3c061d9f1336bf94

            SHA256

            34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

            SHA512

            bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            968cb9309758126772781b83adb8a28f

            SHA1

            8da30e71accf186b2ba11da1797cf67f8f78b47c

            SHA256

            92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

            SHA512

            4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            98baf5117c4fcec1692067d200c58ab3

            SHA1

            5b33a57b72141e7508b615e17fb621612cb8e390

            SHA256

            30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

            SHA512

            344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            3e242d3c4b39d344f66c494424020c61

            SHA1

            194e596f33d54482e7880e91dc05e0d247a46399

            SHA256

            f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e

            SHA512

            27c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            3d0067b090baf6c82daba976550f44bd

            SHA1

            9caa6fc2ec0eafb36652cd7ff2e0c0d9e5e8453c

            SHA256

            ff430d54168bc9a9a31fd3360a17c27d5256622b1b3ebe61594504633eed4684

            SHA512

            2d5cdbe2b85244b183c16fe70b37aa2b5df576f6d213074a46509ac42b490e5ece257dbf7f8632d84ccb561ffcd8f1b27840f34e92f7794a5bc9e725ce69b0b7

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            0026cdd9bbc34b9de2447c0eb04c14b5

            SHA1

            ab7713fe5fbbb23031937dd1dc7d0fa238884ad4

            SHA256

            cf5a1c42641a83dd41fe89923591962b7ad189006342c7a67669239688f84a2d

            SHA512

            62aab723672e2731946f4bbf6a3d92609ff94384e324f3c50e803095529baf848ce2cd37219a059ced4c3f559e598bd9b900b9dd8aa0657adca6d845127797fe

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            6c47b3f4e68eebd47e9332eebfd2dd4e

            SHA1

            67f0b143336d7db7b281ed3de5e877fa87261834

            SHA256

            8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

            SHA512

            0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\I1Fw0JrAXE.bat
            Filesize

            200B

            MD5

            54930078dca0dc77d9481169643c3ccd

            SHA1

            a6ab949f340f08666b8080b7589f25c15a30b915

            SHA256

            9a20b3dcae687ab774eceaf0ca82d511bb38b0d4097a8e8a760bf29c6252d26d

            SHA512

            bac3a397cbfbfb64e4f317b061363a6909274ee6fb6eea061cf73b3eb6080768ef864f4776b06c888a0d7e120a08983d74926552919ab703bd47c238ac19dff7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RESEA7F.tmp
            Filesize

            1KB

            MD5

            ca4cf5021b8ffe9647b849f253027e1a

            SHA1

            250ef66695380b4936ef2ca6b80867cb07c01286

            SHA256

            a1800724f8dfb010d62ad378b5f552a82067176bd818a0e20dd74bb4d3e99079

            SHA512

            c097070720acba2c0cee7fb5dfafc6952add03c7ef78867185a39178bd5764649dd4605474da7814d5e9ff482f49bf2ab16f34fd75db8ca941137683eee450eb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\TRdsJfNgFu.bat
            Filesize

            159B

            MD5

            1733c1da643dfc3cdc4e65c291199c8d

            SHA1

            147ebd595daabb62cf4519d5c7c2e5958911087f

            SHA256

            aed03936d7086d910ac935d734ff363416643971be55b4d2ccbbc66b1b782613

            SHA512

            068c3dedf4f25af79c012e2c325e1d8b885206c557b6231f0c2729e30052b11e46f8c8bb99d95cbbad6f2264e50a311e324074bf88cf4affe89dae541fc7628c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oprbbx31.fmt.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe
            Filesize

            9KB

            MD5

            7a195b6c9de2d5cab015f649da6931a1

            SHA1

            89f7372dd92a90a8e13b74ee512b464412e4cf9b

            SHA256

            30183935449a625c2a61f6342dc3b9907028194173f2e3d594eaa3126ee316bc

            SHA512

            3c2aeef85b51e7f955072fba042bcedf8dd0b66ad813def58c0134355665ba56a713d58005a322561c62be5777d0adea2803da214459f362f22fe2a0dba5a1c7

            Download Submit

          • C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe
            Filesize

            4.9MB

            MD5

            72982e4d77aaee2ef6d16876037b3dbe

            SHA1

            bfffbe69bfc0cb1fb5e23199dba5ea69c4f3d9df

            SHA256

            bbe1c2a2af47b4e32fa9b6e8a44da455473604bd1aae5481524403f878a86662

            SHA512

            cb28f33f6c3acaa74ddb3e9f50922e764926fbf2b8a3d7317f13b57f6f30e259a5a8b0213c77dee27cf542ad860762909c1f46f695f2b2c45bb778de957f02db

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe
            Filesize

            2.2MB

            MD5

            f21f63c5ac1e7afc50125b10c75e30af

            SHA1

            09be95306a2e9f48934b6f3ec4e789eefaaefc94

            SHA256

            a4bf1fbf3c41613a6ca44ec770bca60ed1a23206bd01a2296513c302ff63e046

            SHA512

            681ba321321fe8c856a1d6d3de10f23e4f313d943e0e83abfa4ab575cc8932b8be28024eaec282f21dabafa4848b9305d4a15bbd3db7591bccf46d1ee369d58c

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe
            Filesize

            427KB

            MD5

            8d860de39a47014bb85432844205defc

            SHA1

            16b6485662cc4b57af26f1ee2fe5e5595156264d

            SHA256

            6f64566b9adc350458221bc7312acaa09290c58241659336b9921c3dcf27fbbb

            SHA512

            c76408b4390d9aeae243f7333c5acdc68b6fe08efd1694c774069627d09e91e97ab1a5ccf55b60a247f3b00e8b95166d3dfcc41ac92150f00dfb897480a5a539

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe
            Filesize

            3.0MB

            MD5

            c33b516c2f5105562cc621929d2f3a5a

            SHA1

            ac89044573fc5b586b43c1bf784c3bcc50a46c1f

            SHA256

            42fcea19c41fd2e09ce01b6f0f48027f7f58aac75f93b7aeae8d24af7eb23f3c

            SHA512

            eace4742d8f75a2093cfeab3cd20f8ddb23514f6d5a598b16927621afc6e2bc4dff58d775e0c2c261f7c1ffc20a4b7d1004fe1ef8c7f904d8ef1cd94636caec6

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe
            Filesize

            249B

            MD5

            5299f191d092a082374029620d0184cd

            SHA1

            154c0f2d892c0dde9914e1d2e114995ab5f1a8cb

            SHA256

            9c46745f3776d8f344029103da41e060516a4bf324e7238b112a3069abececf9

            SHA512

            670159a1352e91ad4739903c7d5bbca2b91e81ab542ac6b4532db8701d5bf01b900909812164db6ce4dbdc2fc1af59593d9abc84daff835de07eb7d383869e39

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat
            Filesize

            104B

            MD5

            b33c8997ecd39b1b7e8af929abd526c7

            SHA1

            e30e21ca9e74d508cfc35e9affd57a7fbc089a77

            SHA256

            71340cb564242cd1454892eaa33aae6eaf8e444d9301731753a9aa993bb9785c

            SHA512

            394a9df69628162228d6a8934d6df532d5055a65a41788ef7d2b8170fae3bd586d80c8592ebc10e32650b81d43efd2eefdef865523d687b6def20fe4374afefc

            Download Submit

          • C:\Windows\SysWOW64\WindowsInput.exe
            Filesize

            21KB

            MD5

            f6285edd247fa58161be33f8cf662d31

            SHA1

            e2b49bca43cd0bd6cc1eee582ba58f0ed6de1470

            SHA256

            bc16993d1a774793044ca37eb2ce84ecbdb5c578e3c710ed82879e07dcef2fec

            SHA512

            6f3e6073a1dafc679da1caa4a4c9cb7cc2da79c3f81034d7b7b7b1d855fd5421cbb517a7d3f9520f49d4d3b7f9577f4f8f92486994c8b78fabff5033b390a788

            Download Submit

          • C:\Windows\SysWOW64\WindowsInput.exe.config
            Filesize

            349B

            MD5

            89817519e9e0b4e703f07e8c55247861

            SHA1

            4636de1f6c997a25c3190f73f46a3fd056238d78

            SHA256

            f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

            SHA512

            b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

            Download Submit

          • C:\blockComAgentdll\Q5HIcCBrM4kJ2gRS.bat
            Filesize

            98B

            MD5

            1316b7f40530ee0c903a091d248c63dd

            SHA1

            6e9322f825d3d18a712458d98430a54b17c9f904

            SHA256

            43c1d785f81931b200e0be0a9fc40a736f26f397fda6571e26f52c21acf1065f

            SHA512

            1c9a435ca6d25466b715d2d4505dc33d42ab33fe192e89820929ee01b1962a2128c0ce9281ae96d27a9c18a4d035e55d912f673e17c6e7936d96160fea253345

            Download Submit

          • C:\blockComAgentdll\hypercommonSvc.exe
            Filesize

            1.9MB

            MD5

            c9cda0ef2f246e5a640c25ff468a87a4

            SHA1

            44c7046f6251c49905cc569d1836361d0ae7856a

            SHA256

            cc66b2f2a0bcd9104078ed351c6b313a488f6b895c5fef9743b227c0397c4d6f

            SHA512

            2731df92281b29a4421b5071891676a4048bb39378956674c99dddea5b27f7684c71b7e3808942fd758c3c60e3eae93da535de95d702a3ae6f8829aae598ff21

            Download Submit

          • C:\blockComAgentdll\l2A594olLEJWUEUfw4GfnauDbYxQl.vbe
            Filesize

            211B

            MD5

            386552a2a95b01f9b62bbf076f55204a

            SHA1

            4b202d016dc86a72837fdcb080caea7b8761842c

            SHA256

            be3ca473daa12562ac27843de069cca900d4413f08703b0cefee87303b8ec414

            SHA512

            dbba55a57db75cb351606a7dbc89cd0cf37dd333fa7456f94c6c2f9fd0480af28a27c29ca411cc5745c9929a92222123f770a870b046a84b25b23f4417ec62c4

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\3vmktq5v\3vmktq5v.0.cs
            Filesize

            371B

            MD5

            2326fc11e9d8d69dd2df2a7456ca286e

            SHA1

            545bf60a9b0b0946384309f6d4b3670e2e04d981

            SHA256

            c587925122505a42f100b2fdd4b299916a83df89f7b6f64041218739e95432e2

            SHA512

            785c497233603ea0534b8f46ca6ba75d2b8dcab41c342cf85b51a21a4776fb39d97c805f7eacd5f751a5e04d24d9773fbb9bc2ad4f85e9d5a1a15a7c5d0202a7

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\3vmktq5v\3vmktq5v.cmdline
            Filesize

            235B

            MD5

            77eb72640180370dba789884f227a945

            SHA1

            115c0c42218d6fabf28a47f2aef4e88c1b032c5e

            SHA256

            92d8f41ca7f40753a7a8ca73cf94ac28b5e2d26f811666eb5108b5d0c4616bb6

            SHA512

            8c1251fadf9a2b1ca3c93b8b285c25e53d2dbd3ca1e9ea278a5df6a46367ffe162e1848b0ccce6299e37f0e001fb37be77e0a6b4003bab06a1852915e463cdb8

            Download Submit

          • \??\c:\Windows\System32\CSC7D38C812C41940E78C6E6C6C9A4A6BC.TMP
            Filesize

            1KB

            MD5

            d544bac668d308d2aba58ded2c13d82d

            SHA1

            e5dd50ef24d5c16629092f9290661a92387773b3

            SHA256

            84b05d56c45fd0382410fcd59e16aeef467ed0a455595dda88386dd5c87d7a02

            SHA512

            0826de2bc95d93dde2c540d2d768a0188481ee88f1da79f9c7d70d7ccd3c8715b8f1d62053f84d14f19e4d2b0a13e67084d970a158464e6223e340eb0733e1b0

            Download Submit

          • memory/1816-401-0x0000000006A90000-0x0000000006AA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1816-397-0x0000000005BB0000-0x0000000005BC2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1816-398-0x0000000006860000-0x00000000068AE000-memory.dmp

            Filesize

            312KB

            Download

          • memory/1816-399-0x0000000006A30000-0x0000000006A48000-memory.dmp

            Filesize

            96KB

            Download

          • memory/1816-402-0x0000000006F80000-0x0000000007142000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1816-412-0x0000000008AB0000-0x0000000008E04000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1876-65-0x00007FFFD1480000-0x00007FFFD1F41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1876-58-0x00007FFFD1480000-0x00007FFFD1F41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1876-56-0x00007FFFD1480000-0x00007FFFD1F41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1876-35-0x00007FFFD1483000-0x00007FFFD1485000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1980-261-0x00000000009E0000-0x00000000009EE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1980-249-0x000000001ADE0000-0x000000001AEB2000-memory.dmp

            Filesize

            840KB

            Download

          • memory/1980-263-0x00000000009F0000-0x00000000009FC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1980-248-0x00000000001F0000-0x00000000001F8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1980-257-0x000000001AD30000-0x000000001AD80000-memory.dmp

            Filesize

            320KB

            Download

          • memory/1980-256-0x0000000000A00000-0x0000000000A1C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/1980-254-0x00000000009D0000-0x00000000009DE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1980-259-0x0000000000A20000-0x0000000000A38000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2176-205-0x000000001A300000-0x000000001A40A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/2772-297-0x0000000007460000-0x0000000007492000-memory.dmp

            Filesize

            200KB

            Download

          • memory/2772-298-0x00000000755C0000-0x000000007560C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/2772-308-0x00000000074A0000-0x0000000007543000-memory.dmp

            Filesize

            652KB

            Download

          • memory/2772-309-0x00000000077B0000-0x00000000077C1000-memory.dmp

            Filesize

            68KB

            Download

          • memory/2772-310-0x00000000077F0000-0x0000000007804000-memory.dmp

            Filesize

            80KB

            Download

          • memory/3472-251-0x0000000009900000-0x000000000991A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/3472-227-0x0000000007340000-0x00000000073A6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3472-166-0x0000000002930000-0x000000000293E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3472-152-0x0000000000330000-0x0000000000632000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/3472-252-0x00000000098F0000-0x00000000098F8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3472-167-0x0000000005010000-0x000000000506C000-memory.dmp

            Filesize

            368KB

            Download

          • memory/3472-250-0x00000000098A0000-0x00000000098B4000-memory.dmp

            Filesize

            80KB

            Download

          • memory/3472-174-0x00000000059B0000-0x0000000005F54000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/3472-176-0x0000000005400000-0x0000000005492000-memory.dmp

            Filesize

            584KB

            Download

          • memory/3472-178-0x0000000005310000-0x0000000005318000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3472-182-0x00000000058F0000-0x0000000005912000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3472-181-0x00000000058B0000-0x00000000058B8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3472-180-0x00000000058A0000-0x00000000058AA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3472-247-0x0000000009890000-0x000000000989E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3472-179-0x0000000005320000-0x0000000005328000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3472-177-0x00000000052F0000-0x0000000005302000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3472-242-0x0000000009860000-0x0000000009871000-memory.dmp

            Filesize

            68KB

            Download

          • memory/3472-241-0x0000000009710000-0x000000000971A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3472-240-0x00000000094A0000-0x0000000009543000-memory.dmp

            Filesize

            652KB

            Download

          • memory/3472-239-0x0000000009480000-0x000000000949E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/3472-229-0x0000000008110000-0x000000000815C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/3472-228-0x00000000073E0000-0x0000000007402000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3472-209-0x00000000067B0000-0x0000000006DD8000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/3472-219-0x0000000006610000-0x000000000662A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/3472-220-0x0000000006670000-0x00000000066A6000-memory.dmp

            Filesize

            216KB

            Download

          • memory/3472-221-0x0000000007460000-0x0000000007ADA000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/3472-222-0x0000000006DE0000-0x0000000006E76000-memory.dmp

            Filesize

            600KB

            Download

          • memory/3472-223-0x0000000006740000-0x00000000067A6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3472-224-0x0000000006710000-0x000000000672E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/3472-225-0x0000000006ED0000-0x0000000006F1A000-memory.dmp

            Filesize

            296KB

            Download

          • memory/3472-226-0x0000000007AE0000-0x0000000007E34000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/3496-160-0x000002A638450000-0x000002A638460000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-120-0x000002A638470000-0x000002A638480000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-16-0x000002A638430000-0x000002A638440000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-157-0x000002A638420000-0x000002A638430000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-27-0x000002A638480000-0x000002A638490000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-159-0x000002A638440000-0x000002A638450000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-15-0x000002A638420000-0x000002A638430000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-162-0x000002A638470000-0x000002A638480000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-163-0x000002A638480000-0x000002A638490000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-158-0x000002A638430000-0x000002A638440000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-164-0x000002A6384A0000-0x000002A6384B0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-165-0x000002A6384B0000-0x000002A6384C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-13-0x000002A638410000-0x000002A638420000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-2-0x000002A6381A0000-0x000002A638410000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/3496-155-0x000002A6381A0000-0x000002A638410000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/3496-154-0x000002A638180000-0x000002A638181000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3496-156-0x000002A638410000-0x000002A638420000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-151-0x000002A638490000-0x000002A6384A0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-132-0x000002A638180000-0x000002A638181000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3496-161-0x000002A638460000-0x000002A638470000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-109-0x000002A638180000-0x000002A638181000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3496-106-0x000002A638460000-0x000002A638470000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-107-0x000002A638480000-0x000002A638490000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-99-0x000002A638450000-0x000002A638460000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-98-0x000002A638180000-0x000002A638181000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3496-91-0x000002A638440000-0x000002A638450000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-18-0x000002A638440000-0x000002A638450000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-20-0x000002A638450000-0x000002A638460000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-22-0x000002A638460000-0x000002A638470000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-61-0x000002A638430000-0x000002A638440000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-28-0x000002A638490000-0x000002A6384A0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-57-0x000002A638180000-0x000002A638181000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3496-33-0x000002A6381A0000-0x000002A638410000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/3496-36-0x000002A638420000-0x000002A638430000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-34-0x000002A638410000-0x000002A638420000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-31-0x000002A6384A0000-0x000002A6384B0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-32-0x000002A6384B0000-0x000002A6384C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-26-0x000002A638470000-0x000002A638480000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3552-200-0x0000000002C00000-0x0000000002C3C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/3552-199-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3552-197-0x0000000000C00000-0x0000000000C0C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/3804-51-0x0000020DC92F0000-0x0000020DC9312000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3804-59-0x00007FFFD1480000-0x00007FFFD1F41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3804-60-0x00007FFFD1480000-0x00007FFFD1F41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3804-62-0x00007FFFD1480000-0x00007FFFD1F41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3804-77-0x00007FFFD1480000-0x00007FFFD1F41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4672-175-0x0000000000400000-0x000000000041E000-memory.dmp

            Filesize

            120KB

            Download