Overview

overview

10

Static

static

3

270723a06c...d8.exe

windows7-x64

3

270723a06c...d8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8.exe

  • Size

    113KB

  • MD5

    7cf417d06a24c1ade73ec6d8ae589077

  • SHA1

    128516790f9c6d8ac1d33a9f1f2b854162d94942

  • SHA256

    270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8

  • SHA512

    3f5615b04489cfc755e19efc30fe619026dfacd250bb1c1677e1c55ceb6f69a80d0f05760c157696985e1090c34e8e403b453e5680fb981f274bdd66e2fcb5bb

  • SSDEEP

    3072:RSb0MKWY3tfR2y+/ESH7V3wy3OcpN4LBzl:44JWGJ+/ESx3wy+c34LBZ

Score
10/10
dcratorcusrobloxdefense_evasiondiscoveryevasionexecutioninfostealerpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

orcus

Botnet

Roblox

C2

89.23.100.155:1337

Mutex

52641f3c61234743ba12f855fdae3135

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %AppData%\Windows\Helper\WinHelper32.exe

  • reconnect_delay

    10000

  • registry_keyname

    WinHelper32.exe

  • taskscheduler_taskname

    WinHelper32

  • watchdog_path

    AppData\WinHelperWatchdog.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcus main payload 1 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs
    rat
  • Orcurs Rat Executable 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 13 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs

    Possible Turn off User Account Control's privilege elevation for standard users.

    defense_evasionpersistenceprivilege_escalation
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 14 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8.exe
    "C:\Users\Admin\AppData\Local\Temp\270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8.exe"
      2⤵
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2640
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2896
      • C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe
        C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4868
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4440
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4752
            • C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe
              "C:\Users\Admin\AppData\Roaming\Windows/Defender/RunShell.exe"
              6⤵
              • Modifies WinLogon for persistence
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1636
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q42puxjw\q42puxjw.cmdline"
                7⤵
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:1880
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES913.tmp" "c:\Windows\System32\CSC65690CAE25442DCAE2A1BDACD90A6A2.TMP"
                  8⤵
                    PID:3644
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2688
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\InputMethod\SHARED\conhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:728
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockComAgentdll\dllhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1088
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3308
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3588
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2940
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QEUkYeQnTA.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2452
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    8⤵
                      PID:4832
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:4260
                      • C:\Program Files\MSBuild\csrss.exe
                        "C:\Program Files\MSBuild\csrss.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: GetForegroundWindowSpam
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4692
              • C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe
                "C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe"
                4⤵
                • Modifies Windows Defender Real-time Protection settings
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Hijack Execution Flow: Executable Installer File Permissions Weakness
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:3400
                • C:\Windows\SysWOW64\WindowsInput.exe
                  "C:\Windows\SysWOW64\WindowsInput.exe" --install
                  5⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  PID:3144
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" Get-MpPreference -verbose
                  5⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:368
                • C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe
                  "C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe"
                  5⤵
                  • Modifies Windows Defender Real-time Protection settings
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Windows security modification
                  • Checks whether UAC is enabled
                  • Hijack Execution Flow: Executable Installer File Permissions Weakness
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:4180
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" Get-MpPreference -verbose
                    6⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3620
                  • C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe
                    "C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe" 4180 /protectFile
                    6⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4256
                    • C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe
                      "C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe" 4180 "/protectFile"
                      7⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1344
              • C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe
                "C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe"
                4⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:3628
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\blockComAgentdll\l2A594olLEJWUEUfw4GfnauDbYxQl.vbe"
                  5⤵
                  • Checks computer location settings
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:4168
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\blockComAgentdll\Q5HIcCBrM4kJ2gRS.bat" "
                    6⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:3428
                    • C:\blockComAgentdll\hypercommonSvc.exe
                      "C:\blockComAgentdll/hypercommonSvc.exe"
                      7⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Drops file in Program Files directory
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1060
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PmQZXrSoop.bat"
                        8⤵
                          PID:1252
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            9⤵
                              PID:1400
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              9⤵
                                PID:2444
                              • C:\Users\Admin\Start Menu\sihost.exe
                                "C:\Users\Admin\Start Menu\sihost.exe"
                                9⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3460
              • C:\Windows\SysWOW64\WindowsInput.exe
                "C:\Windows\SysWOW64\WindowsInput.exe"
                1⤵
                • Executes dropped EXE
                PID:1620
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\csrss.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:5016
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\csrss.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4808
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\csrss.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:544
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\InputMethod\SHARED\conhost.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:1836
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\conhost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:5068
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\InputMethod\SHARED\conhost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4220
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\blockComAgentdll\dllhost.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3180
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\blockComAgentdll\dllhost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:752
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\blockComAgentdll\dllhost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:776
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:448
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2904
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4304
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4944
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2004
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4956
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4928
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RunShell" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3288
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3076
              • C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe
                C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe
                1⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:448

              Network

              MITRE ATT&CK Enterprise v15

              Reconnaissance

              Resource Development

              Initial Access

              Execution

              Command and Scripting Interpreter

              1
              T1059

              PowerShell

              1
              T1059.001

              Scheduled Task/Job

              1
              T1053

              Scheduled Task

              1
              T1053.005

              Persistence

              Boot or Logon Autostart Execution

              2
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Winlogon Helper DLL

              1
              T1547.004

              Create or Modify System Process

              1
              T1543

              Windows Service

              1
              T1543.003

              Hijack Execution Flow

              1
              T1574

              Executable Installer File Permissions Weakness

              1
              T1574.005

              Scheduled Task/Job

              1
              T1053

              Scheduled Task

              1
              T1053.005

              Privilege Escalation

              Abuse Elevation Control Mechanism

              1
              T1548

              Bypass User Account Control

              1
              T1548.002

              Boot or Logon Autostart Execution

              2
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Winlogon Helper DLL

              1
              T1547.004

              Create or Modify System Process

              1
              T1543

              Windows Service

              1
              T1543.003

              Hijack Execution Flow

              1
              T1574

              Executable Installer File Permissions Weakness

              1
              T1574.005

              Scheduled Task/Job

              1
              T1053

              Scheduled Task

              1
              T1053.005

              Defense Evasion

              Abuse Elevation Control Mechanism

              1
              T1548

              Bypass User Account Control

              1
              T1548.002

              Hijack Execution Flow

              1
              T1574

              Executable Installer File Permissions Weakness

              1
              T1574.005

              Impair Defenses

              3
              T1562

              Disable or Modify Tools

              3
              T1562.001

              Modify Registry

              6
              T1112

              Credential Access

              Credentials from Password Stores

              1
              T1555

              Credentials from Web Browsers

              1
              T1555.003

              Unsecured Credentials

              1
              T1552

              Credentials In Files

              1
              T1552.001

              Discovery

              Query Registry

              2
              T1012

              System Information Discovery

              3
              T1082

              System Location Discovery

              1
              T1614

              System Language Discovery

              1
              T1614.001

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Command and Control

              Web Service

              1
              T1102

              Exfiltration

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                Filesize

                2KB

                MD5

                d85ba6ff808d9e5444a4b369f5bc2730

                SHA1

                31aa9d96590fff6981b315e0b391b575e4c0804a

                SHA256

                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                SHA512

                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WinHelperWatchdog.exe.log
                Filesize

                425B

                MD5

                4eaca4566b22b01cd3bc115b9b0b2196

                SHA1

                e743e0792c19f71740416e7b3c061d9f1336bf94

                SHA256

                34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

                SHA512

                bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                Filesize

                2KB

                MD5

                968cb9309758126772781b83adb8a28f

                SHA1

                8da30e71accf186b2ba11da1797cf67f8f78b47c

                SHA256

                92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                SHA512

                4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                18KB

                MD5

                8f5b63c1cb9e3df554a695199e7eda37

                SHA1

                7275432ca8b39040fa068de0f72a4cc8893bd658

                SHA256

                b3400b1cb9b503998092d8b272a84e9df8e4262d40ecc99aaf2bb4ef47b1e822

                SHA512

                51faa4a166fd2fbe4935fff0bc012873118be549f83debc6ddf9a6b87c6ade5f00dabf8243b58198cd05f44a0197717559003da6d5a2f68eb99341e744396069

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                e2efbfd23e33d8d07d019bdd9ca20649

                SHA1

                68d3b285c423d311bdf8dc53354f5f4000caf386

                SHA256

                f4386e3a103dafd6e85bebc2ad649069d168b4da8a0ded51b3ec96fa1408a828

                SHA512

                b7a961002557ff2efb785f756c9347e250392eab3dcb5168c67e89238e85368a41d0a5bdc94bfbbc192ba427c83e982234b3cf8824b166a69973f3f9df177443

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                2ea91e7d1b473f8290ae52d13e105194

                SHA1

                5e565d99a7733250427e70f5f6e1951a081deed6

                SHA256

                712db2b991a3c11ccd71b36cfe99fad0b5b1eb1026b12d28c35a43334128671a

                SHA512

                0d6e2f0f8963986cb27a5cb853c5a87af5d2b65142ff082b4a12681b467d4a72efbcaea71307513523915aa4f27e7b238c67f4ab563f69525938f38253599424

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                07ab6cc81c5230a598c0ad1711b6bd97

                SHA1

                de7e270e12d447dfc5896b7c96777eb32725778a

                SHA256

                900aa2c83ec8773c3f9705f75b28fff0eaca57f7adb33dc82564d7ea8f8069a3

                SHA512

                ffef0ad0824ea0fdab29eb3c44448100f79365a1729c7665eba9aef85a88e60901bc6a6c248de15a28d21be9ce5839d68861e4449ff557d8845927c740ba3a25

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                6d3e9c29fe44e90aae6ed30ccf799ca8

                SHA1

                c7974ef72264bbdf13a2793ccf1aed11bc565dce

                SHA256

                2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                SHA512

                60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\PmQZXrSoop.bat
                Filesize

                212B

                MD5

                e38e9781a42f832c9afb98ad1295dd2d

                SHA1

                12281d188b601aef89fae851acb54327d967e8b2

                SHA256

                ea60e25b750b69581e43dbae5effe01e600006bc06deda68e27040e034e3ee52

                SHA512

                fd29e1d13b1f7b6202b04e0ad5ce92fe292a48ed6d4c697c63721b189b16a7228e353f6e5bab4e092f856c6c0f4358c1d3df7f3c2b7f8e6e7b4580d948804647

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\QEUkYeQnTA.bat
                Filesize

                210B

                MD5

                8b68b6398793abc3f6cd7e74bc410651

                SHA1

                ee1742796d38890f36b77ee858f5886046e19adf

                SHA256

                eccb4b7273ebe4cd9160a626496100605d9aeddae09b98b19f54cb7a20bcf367

                SHA512

                9deb192b2be6d7d6ac9c429f945ebfc2161a495bf46bdcc1e6b673a24f424a79f36c17a5e8ef359cdef6422e48f8d1c0a58a948b141372e8c183d42e897c82e2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\RES913.tmp
                Filesize

                1KB

                MD5

                18ee312499b4893a6a2d4f92c8af5423

                SHA1

                ec449c18380e97f519d91f1949db3ba1fba31f81

                SHA256

                d1faadd5493412715612744bac71668cce939683992539d116ff2d0b6173d76c

                SHA512

                410b3ec0833eedce25959e3cf29ca70fb8a9163e663fc8bd6c6f4ce3ddd7f8be24ad24aa81f3b18ab2597592b8dabeac690e8e91ade29d01bc15f01d9bacba93

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hclwhwlo.dzx.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe
                Filesize

                9KB

                MD5

                7a195b6c9de2d5cab015f649da6931a1

                SHA1

                89f7372dd92a90a8e13b74ee512b464412e4cf9b

                SHA256

                30183935449a625c2a61f6342dc3b9907028194173f2e3d594eaa3126ee316bc

                SHA512

                3c2aeef85b51e7f955072fba042bcedf8dd0b66ad813def58c0134355665ba56a713d58005a322561c62be5777d0adea2803da214459f362f22fe2a0dba5a1c7

                Download Submit

              • C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe
                Filesize

                4.9MB

                MD5

                72982e4d77aaee2ef6d16876037b3dbe

                SHA1

                bfffbe69bfc0cb1fb5e23199dba5ea69c4f3d9df

                SHA256

                bbe1c2a2af47b4e32fa9b6e8a44da455473604bd1aae5481524403f878a86662

                SHA512

                cb28f33f6c3acaa74ddb3e9f50922e764926fbf2b8a3d7317f13b57f6f30e259a5a8b0213c77dee27cf542ad860762909c1f46f695f2b2c45bb778de957f02db

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe
                Filesize

                2.2MB

                MD5

                f21f63c5ac1e7afc50125b10c75e30af

                SHA1

                09be95306a2e9f48934b6f3ec4e789eefaaefc94

                SHA256

                a4bf1fbf3c41613a6ca44ec770bca60ed1a23206bd01a2296513c302ff63e046

                SHA512

                681ba321321fe8c856a1d6d3de10f23e4f313d943e0e83abfa4ab575cc8932b8be28024eaec282f21dabafa4848b9305d4a15bbd3db7591bccf46d1ee369d58c

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe
                Filesize

                427KB

                MD5

                8d860de39a47014bb85432844205defc

                SHA1

                16b6485662cc4b57af26f1ee2fe5e5595156264d

                SHA256

                6f64566b9adc350458221bc7312acaa09290c58241659336b9921c3dcf27fbbb

                SHA512

                c76408b4390d9aeae243f7333c5acdc68b6fe08efd1694c774069627d09e91e97ab1a5ccf55b60a247f3b00e8b95166d3dfcc41ac92150f00dfb897480a5a539

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe
                Filesize

                3.0MB

                MD5

                c33b516c2f5105562cc621929d2f3a5a

                SHA1

                ac89044573fc5b586b43c1bf784c3bcc50a46c1f

                SHA256

                42fcea19c41fd2e09ce01b6f0f48027f7f58aac75f93b7aeae8d24af7eb23f3c

                SHA512

                eace4742d8f75a2093cfeab3cd20f8ddb23514f6d5a598b16927621afc6e2bc4dff58d775e0c2c261f7c1ffc20a4b7d1004fe1ef8c7f904d8ef1cd94636caec6

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe
                Filesize

                249B

                MD5

                5299f191d092a082374029620d0184cd

                SHA1

                154c0f2d892c0dde9914e1d2e114995ab5f1a8cb

                SHA256

                9c46745f3776d8f344029103da41e060516a4bf324e7238b112a3069abececf9

                SHA512

                670159a1352e91ad4739903c7d5bbca2b91e81ab542ac6b4532db8701d5bf01b900909812164db6ce4dbdc2fc1af59593d9abc84daff835de07eb7d383869e39

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat
                Filesize

                104B

                MD5

                b33c8997ecd39b1b7e8af929abd526c7

                SHA1

                e30e21ca9e74d508cfc35e9affd57a7fbc089a77

                SHA256

                71340cb564242cd1454892eaa33aae6eaf8e444d9301731753a9aa993bb9785c

                SHA512

                394a9df69628162228d6a8934d6df532d5055a65a41788ef7d2b8170fae3bd586d80c8592ebc10e32650b81d43efd2eefdef865523d687b6def20fe4374afefc

                Download Submit

              • C:\Windows\SysWOW64\WindowsInput.exe
                Filesize

                21KB

                MD5

                f6285edd247fa58161be33f8cf662d31

                SHA1

                e2b49bca43cd0bd6cc1eee582ba58f0ed6de1470

                SHA256

                bc16993d1a774793044ca37eb2ce84ecbdb5c578e3c710ed82879e07dcef2fec

                SHA512

                6f3e6073a1dafc679da1caa4a4c9cb7cc2da79c3f81034d7b7b7b1d855fd5421cbb517a7d3f9520f49d4d3b7f9577f4f8f92486994c8b78fabff5033b390a788

                Download Submit

              • C:\Windows\SysWOW64\WindowsInput.exe.config
                Filesize

                349B

                MD5

                89817519e9e0b4e703f07e8c55247861

                SHA1

                4636de1f6c997a25c3190f73f46a3fd056238d78

                SHA256

                f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

                SHA512

                b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

                Download Submit

              • C:\blockComAgentdll\Q5HIcCBrM4kJ2gRS.bat
                Filesize

                98B

                MD5

                1316b7f40530ee0c903a091d248c63dd

                SHA1

                6e9322f825d3d18a712458d98430a54b17c9f904

                SHA256

                43c1d785f81931b200e0be0a9fc40a736f26f397fda6571e26f52c21acf1065f

                SHA512

                1c9a435ca6d25466b715d2d4505dc33d42ab33fe192e89820929ee01b1962a2128c0ce9281ae96d27a9c18a4d035e55d912f673e17c6e7936d96160fea253345

                Download Submit

              • C:\blockComAgentdll\hypercommonSvc.exe
                Filesize

                1.9MB

                MD5

                c9cda0ef2f246e5a640c25ff468a87a4

                SHA1

                44c7046f6251c49905cc569d1836361d0ae7856a

                SHA256

                cc66b2f2a0bcd9104078ed351c6b313a488f6b895c5fef9743b227c0397c4d6f

                SHA512

                2731df92281b29a4421b5071891676a4048bb39378956674c99dddea5b27f7684c71b7e3808942fd758c3c60e3eae93da535de95d702a3ae6f8829aae598ff21

                Download Submit

              • C:\blockComAgentdll\l2A594olLEJWUEUfw4GfnauDbYxQl.vbe
                Filesize

                211B

                MD5

                386552a2a95b01f9b62bbf076f55204a

                SHA1

                4b202d016dc86a72837fdcb080caea7b8761842c

                SHA256

                be3ca473daa12562ac27843de069cca900d4413f08703b0cefee87303b8ec414

                SHA512

                dbba55a57db75cb351606a7dbc89cd0cf37dd333fa7456f94c6c2f9fd0480af28a27c29ca411cc5745c9929a92222123f770a870b046a84b25b23f4417ec62c4

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\q42puxjw\q42puxjw.0.cs
                Filesize

                366B

                MD5

                09e5e8935dfe60855d3e0baa454cf4ca

                SHA1

                830fa6302244f5fd77dec60f3ab08f692b643845

                SHA256

                936836042f363d3a5a58309d612a2e4712c3a250e10c3d48b2602fceabb7cc94

                SHA512

                d97b00b5ef19048dd9d5a54d49a92c774dc90d6e8d15782a7a4548806502db28f58dafac7de92599bdcc9cc5181e2f29f95d5fa96b71eb1075ebaf10c6a4935d

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\q42puxjw\q42puxjw.cmdline
                Filesize

                235B

                MD5

                e56a983f213e0245d1e3fa2884433eb3

                SHA1

                7977d7217af5489bd5bbefea8e9ad9293af4f602

                SHA256

                96064fbee3ab0f6dcc7f067815127ecd7a47fca0d12e69a08b4b3b01d2aa318c

                SHA512

                a8b07ee4d2dc60dd6bb6ec917f69b290e8d85a2d04e77a405d87ab8b0db0ba580118fd1e77a3b297b4bcac62124d20663ac2de8b53d32c0f68865ca94a95e55b

                Download Submit

              • \??\c:\Windows\System32\CSC65690CAE25442DCAE2A1BDACD90A6A2.TMP
                Filesize

                1KB

                MD5

                be99f41194f5159cc131a1a4353a0e0a

                SHA1

                f24e3bf06e777b4de8d072166cff693e43f2295c

                SHA256

                564d9051e5639603c83562a9ff2c2e478cc7e13d54faf39f761297bac78603bf

                SHA512

                51d1a50772bb7d689193e6a9b2e363185cf5438103644b2b68cf13e08274c5d99407b99f8cdc856143d28669f5ee4ee316041a8e33df42f55bfd181aa3f3c0f5

                Download Submit

              • memory/368-302-0x0000000006D90000-0x0000000006DC2000-memory.dmp

                Filesize

                200KB

                Download

              • memory/368-303-0x0000000072E50000-0x0000000072E9C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/368-313-0x0000000006DF0000-0x0000000006E93000-memory.dmp

                Filesize

                652KB

                Download

              • memory/368-314-0x0000000007120000-0x0000000007131000-memory.dmp

                Filesize

                68KB

                Download

              • memory/368-315-0x0000000007160000-0x0000000007174000-memory.dmp

                Filesize

                80KB

                Download

              • memory/1184-74-0x0000020DD2010000-0x0000020DD2280000-memory.dmp

                Filesize

                2.4MB

                Download

              • memory/1184-157-0x0000020DD0780000-0x0000020DD0781000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1184-107-0x0000020DD22F0000-0x0000020DD2300000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-87-0x0000020DD2280000-0x0000020DD2290000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-117-0x0000020DD0780000-0x0000020DD0781000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1184-109-0x0000020DD2310000-0x0000020DD2320000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-45-0x0000020DD0780000-0x0000020DD0781000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1184-28-0x0000020DD22E0000-0x0000020DD22F0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-29-0x0000020DD22F0000-0x0000020DD2300000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-158-0x0000020DD2010000-0x0000020DD2280000-memory.dmp

                Filesize

                2.4MB

                Download

              • memory/1184-169-0x0000020DD2320000-0x0000020DD2330000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-168-0x0000020DD2310000-0x0000020DD2320000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-167-0x0000020DD2300000-0x0000020DD2310000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-166-0x0000020DD22F0000-0x0000020DD2300000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-165-0x0000020DD22E0000-0x0000020DD22F0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-164-0x0000020DD22D0000-0x0000020DD22E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-163-0x0000020DD22C0000-0x0000020DD22D0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-162-0x0000020DD22B0000-0x0000020DD22C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-30-0x0000020DD2300000-0x0000020DD2310000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-161-0x0000020DD22A0000-0x0000020DD22B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-160-0x0000020DD2290000-0x0000020DD22A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-108-0x0000020DD2300000-0x0000020DD2310000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-159-0x0000020DD2280000-0x0000020DD2290000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-31-0x0000020DD2310000-0x0000020DD2320000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-32-0x0000020DD2320000-0x0000020DD2330000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-110-0x0000020DD2320000-0x0000020DD2330000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-20-0x0000020DD22B0000-0x0000020DD22C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-21-0x0000020DD22C0000-0x0000020DD22D0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-106-0x0000020DD22E0000-0x0000020DD22F0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-104-0x0000020DD0780000-0x0000020DD0781000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1184-101-0x0000020DD22C0000-0x0000020DD22D0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-102-0x0000020DD22D0000-0x0000020DD22E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-100-0x0000020DD22B0000-0x0000020DD22C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-22-0x0000020DD22D0000-0x0000020DD22E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-98-0x0000020DD22A0000-0x0000020DD22B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-16-0x0000020DD22A0000-0x0000020DD22B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-15-0x0000020DD2290000-0x0000020DD22A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-94-0x0000020DD2290000-0x0000020DD22A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1184-93-0x0000020DD0780000-0x0000020DD0781000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1184-2-0x0000020DD2010000-0x0000020DD2280000-memory.dmp

                Filesize

                2.4MB

                Download

              • memory/1184-12-0x0000020DD2280000-0x0000020DD2290000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1620-210-0x000000001A8F0000-0x000000001A9FA000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/1636-272-0x000000001B7A0000-0x000000001B7F0000-memory.dmp

                Filesize

                320KB

                Download

              • memory/1636-276-0x0000000000EC0000-0x0000000000ECE000-memory.dmp

                Filesize

                56KB

                Download

              • memory/1636-257-0x0000000001170000-0x0000000001242000-memory.dmp

                Filesize

                840KB

                Download

              • memory/1636-268-0x0000000000EB0000-0x0000000000EBE000-memory.dmp

                Filesize

                56KB

                Download

              • memory/1636-271-0x0000000000EE0000-0x0000000000EFC000-memory.dmp

                Filesize

                112KB

                Download

              • memory/1636-274-0x0000000000F00000-0x0000000000F18000-memory.dmp

                Filesize

                96KB

                Download

              • memory/1636-255-0x0000000000800000-0x0000000000808000-memory.dmp

                Filesize

                32KB

                Download

              • memory/1636-278-0x0000000000ED0000-0x0000000000EDC000-memory.dmp

                Filesize

                48KB

                Download

              • memory/1636-338-0x000000001BB30000-0x000000001BB9B000-memory.dmp

                Filesize

                428KB

                Download

              • memory/1880-170-0x0000000000400000-0x000000000041E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/1880-113-0x0000000000400000-0x000000000041E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/2896-61-0x00007FFD4E510000-0x00007FFD4EFD1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2896-46-0x00007FFD4E510000-0x00007FFD4EFD1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2896-44-0x00007FFD4E510000-0x00007FFD4EFD1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2896-40-0x000001F7D99B0000-0x000001F7D99D2000-memory.dmp

                Filesize

                136KB

                Download

              • memory/2896-33-0x00007FFD4E513000-0x00007FFD4E515000-memory.dmp

                Filesize

                8KB

                Download

              • memory/3144-203-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

                Filesize

                48KB

                Download

              • memory/3144-204-0x00000000014C0000-0x00000000014D2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/3144-205-0x0000000001530000-0x000000000156C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/3400-224-0x0000000006330000-0x000000000634A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/3400-233-0x0000000007100000-0x0000000007122000-memory.dmp

                Filesize

                136KB

                Download

              • memory/3400-256-0x0000000009610000-0x0000000009618000-memory.dmp

                Filesize

                32KB

                Download

              • memory/3400-252-0x00000000095C0000-0x00000000095D4000-memory.dmp

                Filesize

                80KB

                Download

              • memory/3400-214-0x00000000064D0000-0x0000000006AF8000-memory.dmp

                Filesize

                6.2MB

                Download

              • memory/3400-249-0x00000000095B0000-0x00000000095BE000-memory.dmp

                Filesize

                56KB

                Download

              • memory/3400-225-0x0000000006390000-0x00000000063C6000-memory.dmp

                Filesize

                216KB

                Download

              • memory/3400-247-0x0000000009580000-0x0000000009591000-memory.dmp

                Filesize

                68KB

                Download

              • memory/3400-246-0x0000000009430000-0x000000000943A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/3400-245-0x00000000091C0000-0x0000000009263000-memory.dmp

                Filesize

                652KB

                Download

              • memory/3400-244-0x00000000091A0000-0x00000000091BE000-memory.dmp

                Filesize

                120KB

                Download

              • memory/3400-234-0x0000000007E30000-0x0000000007E7C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/3400-189-0x0000000005BE0000-0x0000000005C02000-memory.dmp

                Filesize

                136KB

                Download

              • memory/3400-186-0x0000000005110000-0x0000000005118000-memory.dmp

                Filesize

                32KB

                Download

              • memory/3400-187-0x00000000055C0000-0x00000000055CA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/3400-188-0x00000000055D0000-0x00000000055D8000-memory.dmp

                Filesize

                32KB

                Download

              • memory/3400-185-0x0000000005100000-0x0000000005108000-memory.dmp

                Filesize

                32KB

                Download

              • memory/3400-184-0x0000000004F80000-0x0000000004F92000-memory.dmp

                Filesize

                72KB

                Download

              • memory/3400-183-0x0000000005120000-0x00000000051B2000-memory.dmp

                Filesize

                584KB

                Download

              • memory/3400-254-0x0000000009620000-0x000000000963A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/3400-182-0x0000000005630000-0x0000000005BD4000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/3400-181-0x0000000004D60000-0x0000000004DBC000-memory.dmp

                Filesize

                368KB

                Download

              • memory/3400-179-0x0000000002630000-0x000000000263E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/3400-171-0x0000000000180000-0x0000000000482000-memory.dmp

                Filesize

                3.0MB

                Download

              • memory/3400-232-0x0000000007060000-0x00000000070C6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/3400-226-0x0000000007180000-0x00000000077FA000-memory.dmp

                Filesize

                6.5MB

                Download

              • memory/3400-227-0x0000000006B00000-0x0000000006B96000-memory.dmp

                Filesize

                600KB

                Download

              • memory/3400-228-0x0000000006460000-0x00000000064C6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/3400-229-0x0000000006430000-0x000000000644E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/3400-230-0x0000000006BF0000-0x0000000006C3A000-memory.dmp

                Filesize

                296KB

                Download

              • memory/3400-231-0x0000000007800000-0x0000000007B54000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/3460-529-0x000000001C220000-0x000000001C28B000-memory.dmp

                Filesize

                428KB

                Download

              • memory/4180-419-0x0000000008910000-0x000000000895C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/4180-418-0x00000000082B0000-0x0000000008604000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/4180-408-0x0000000006440000-0x0000000006450000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4180-407-0x0000000006780000-0x0000000006942000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/4180-406-0x00000000063E0000-0x00000000063F8000-memory.dmp

                Filesize

                96KB

                Download

              • memory/4180-403-0x00000000055A0000-0x00000000055B2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4180-404-0x0000000005C20000-0x0000000005C6E000-memory.dmp

                Filesize

                312KB

                Download

              • memory/4692-527-0x000000001D600000-0x000000001D66B000-memory.dmp

                Filesize

                428KB

                Download