Overview

overview

10

Static

static

3

Antiexploit(1).exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    205s
  • max time network
    206s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    10-11-2024 02:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Antiexploit(1).exe

  • Size

    4.9MB

  • MD5

    72982e4d77aaee2ef6d16876037b3dbe

  • SHA1

    bfffbe69bfc0cb1fb5e23199dba5ea69c4f3d9df

  • SHA256

    bbe1c2a2af47b4e32fa9b6e8a44da455473604bd1aae5481524403f878a86662

  • SHA512

    cb28f33f6c3acaa74ddb3e9f50922e764926fbf2b8a3d7317f13b57f6f30e259a5a8b0213c77dee27cf542ad860762909c1f46f695f2b2c45bb778de957f02db

  • SSDEEP

    98304:ubFDbY4GLfSbFqhmSPEE89WS9mi264mZAWto1pUluT:u5I4G2beL8t9WSK6Njto4a

Score
10/10
dcratorcusrobloxdefense_evasiondiscoveryevasionexecutioninfostealerpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

orcus

Botnet

Roblox

C2

89.23.100.155:1337

Mutex

52641f3c61234743ba12f855fdae3135

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %AppData%\Windows\Helper\WinHelper32.exe

  • reconnect_delay

    10000

  • registry_keyname

    WinHelper32.exe

  • taskscheduler_taskname

    WinHelper32

  • watchdog_path

    AppData\WinHelperWatchdog.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcus main payload 1 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 2 IoCs
    rat
  • Orcurs Rat Executable 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 28 IoCs

    Using powershell.exe command.

    execution
  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs

    Possible Turn off User Account Control's privilege elevation for standard users.

    defense_evasionpersistenceprivilege_escalation
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 4 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 14 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Antiexploit(1).exe
    "C:\Users\Admin\AppData\Local\Temp\Antiexploit(1).exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4352
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4420
        • C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe
          "C:\Users\Admin\AppData\Roaming\Windows/Defender/RunShell.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4236
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\50dmcqmv\50dmcqmv.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1620
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DB9.tmp" "c:\Windows\System32\CSC9ADAD6FDE5FD465EBE6E4C3E35F893EA.TMP"
              6⤵
                PID:1904
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\wscript.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3036
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3132
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\WaaSMedicAgent.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1080
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\lsass.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2700
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\RuntimeBroker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2616
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4308
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IL4ftBofFG.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1604
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:3920
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:5068
                  • C:\Program Files\VideoLAN\VLC\hrtfs\RuntimeBroker.exe
                    "C:\Program Files\VideoLAN\VLC\hrtfs\RuntimeBroker.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious behavior: GetForegroundWindowSpam
                    PID:5924
          • C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe
            "C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe"
            2⤵
            • Modifies Windows Defender Real-time Protection settings
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Windows security modification
            • Checks whether UAC is enabled
            • Hijack Execution Flow: Executable Installer File Permissions Weakness
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:396
            • C:\Windows\SysWOW64\WindowsInput.exe
              "C:\Windows\SysWOW64\WindowsInput.exe" --install
              3⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              PID:1492
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "powershell" Get-MpPreference -verbose
              3⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:252
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              PID:3224
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              PID:1424
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              PID:1372
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              PID:5240
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              PID:5556
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              PID:5576
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              PID:5616
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              PID:5720
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              PID:5536
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              PID:6004
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              PID:1412
            • C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe
              "C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe"
              3⤵
              • Modifies Windows Defender Real-time Protection settings
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Windows security modification
              • Checks whether UAC is enabled
              • Hijack Execution Flow: Executable Installer File Permissions Weakness
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              • System policy modification
              PID:6492
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "powershell" Get-MpPreference -verbose
                4⤵
                • System Location Discovery: System Language Discovery
                PID:6136
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                PID:6540
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                PID:6872
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                PID:6944
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                PID:6984
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                PID:7044
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                PID:7104
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                PID:4204
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                PID:6148
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                PID:7008
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                PID:252
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                PID:2472
              • C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe
                "C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe" 6492 /protectFile
                4⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1048
                • C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe
                  "C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe" 6492 "/protectFile"
                  5⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1668
          • C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe
            "C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe"
            2⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:692
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\blockComAgentdll\l2A594olLEJWUEUfw4GfnauDbYxQl.vbe"
              3⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1500
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\blockComAgentdll\Q5HIcCBrM4kJ2gRS.bat" "
                4⤵
                • System Location Discovery: System Language Discovery
                PID:5292
                • C:\blockComAgentdll\hypercommonSvc.exe
                  "C:\blockComAgentdll/hypercommonSvc.exe"
                  5⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  • Modifies registry class
                  PID:6812
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XP5VlD46Ih.bat"
                    6⤵
                      PID:5956
                      • C:\Windows\system32\chcp.com
                        chcp 65001
                        7⤵
                          PID:3264
                        • C:\Windows\system32\PING.EXE
                          ping -n 10 localhost
                          7⤵
                          • System Network Configuration Discovery: Internet Connection Discovery
                          • Runs ping.exe
                          PID:3488
                        • C:\Windows\Globalization\Time Zone\powershell.exe
                          "C:\Windows\Globalization\Time Zone\powershell.exe"
                          7⤵
                          • Executes dropped EXE
                          • Suspicious behavior: GetForegroundWindowSpam
                          PID:2292
            • C:\Windows\system32\taskmgr.exe
              "C:\Windows\system32\taskmgr.exe" /4
              1⤵
              • Checks SCSI registry key(s)
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:5076
            • C:\Windows\SysWOW64\WindowsInput.exe
              "C:\Windows\SysWOW64\WindowsInput.exe"
              1⤵
              • Executes dropped EXE
              PID:4976
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\wscript.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2472
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\wscript.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4372
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\wscript.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1068
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2656
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3712
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4716
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Windows\CbsTemp\WaaSMedicAgent.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3152
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\CbsTemp\WaaSMedicAgent.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2088
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Windows\CbsTemp\WaaSMedicAgent.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4948
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1216
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1012
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1040
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\RuntimeBroker.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1428
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3980
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4364
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3876
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RunShell" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:792
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4360
            • C:\Windows\system32\taskmgr.exe
              "C:\Windows\system32\taskmgr.exe" /4
              1⤵
              • Checks SCSI registry key(s)
              • Checks processor information in registry
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:2168
            • C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe
              "C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe"
              1⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:6636

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Command and Scripting Interpreter

            1
            T1059

            PowerShell

            1
            T1059.001

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Persistence

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Hijack Execution Flow

            1
            T1574

            Executable Installer File Permissions Weakness

            1
            T1574.005

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Privilege Escalation

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Hijack Execution Flow

            1
            T1574

            Executable Installer File Permissions Weakness

            1
            T1574.005

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Defense Evasion

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Hijack Execution Flow

            1
            T1574

            Executable Installer File Permissions Weakness

            1
            T1574.005

            Impair Defenses

            3
            T1562

            Disable or Modify Tools

            3
            T1562.001

            Modify Registry

            6
            T1112

            Credential Access

            Credentials from Password Stores

            1
            T1555

            Credentials from Web Browsers

            1
            T1555.003

            Unsecured Credentials

            1
            T1552

            Credentials In Files

            1
            T1552.001

            Discovery

            Peripheral Device Discovery

            1
            T1120

            Query Registry

            4
            T1012

            Remote System Discovery

            1
            T1018

            System Information Discovery

            5
            T1082

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            System Network Configuration Discovery

            1
            T1016

            Internet Connection Discovery

            1
            T1016.001

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
              Filesize

              64KB

              MD5

              d2fb266b97caff2086bf0fa74eddb6b2

              SHA1

              2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

              SHA256

              b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

              SHA512

              c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

              Download Submit

            • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
              Filesize

              4B

              MD5

              f49655f856acb8884cc0ace29216f511

              SHA1

              cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

              SHA256

              7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

              SHA512

              599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

              Download Submit

            • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
              Filesize

              944B

              MD5

              6bd369f7c74a28194c991ed1404da30f

              SHA1

              0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

              SHA256

              878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

              SHA512

              8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              3KB

              MD5

              3eb3833f769dd890afc295b977eab4b4

              SHA1

              e857649b037939602c72ad003e5d3698695f436f

              SHA256

              c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

              SHA512

              c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              f811272c20ff6decbbd16ff364334427

              SHA1

              cb31be66c972daa61d45920fa2fa824c1dfb194d

              SHA256

              730aff8c9e430a9f9e5e44f1c376e57f42fa5adc744824df2f69855009473592

              SHA512

              5c68bf3a41c3607cad5abe94f2bb3816f3e69426fa7d43bf7c9787c4e9ce6660b1843a2e505a22a93d7008b76fc564078513fe9ef47051e5b6fc344ab9d0a528

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              20KB

              MD5

              afbf9b72db9d1c0366c97a1701969914

              SHA1

              93fbceec201851c89fb77e2283a8397eef9543ad

              SHA256

              55d6230209aa85edcf1ac5267d07f460d542c1119c968089fd95bfeb80fc1348

              SHA512

              4ccb455e3ad726dea92daa466c4705fbd47d2b29484354220ec595a0ffc92b4ad8b8afaffde58723d5a344f152900e9762232e78c029f5d548b36e715c09e501

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              6a807b1c91ac66f33f88a787d64904c1

              SHA1

              83c554c7de04a8115c9005709e5cd01fca82c5d3

              SHA256

              155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

              SHA512

              29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              af1cc13f412ef37a00e668df293b1584

              SHA1

              8973b3e622f187fcf484a0eb9fa692bf3e2103cb

              SHA256

              449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

              SHA512

              75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              b5bf6b0261deb53c0e3d422e3f83a664

              SHA1

              60cd83ab6dd15abaa9abf34d9ab54e42c8eefa16

              SHA256

              a431a9e84c64c6ad29339df6a714cb697081dc1c6c5557ada967d4caaeed0c1c

              SHA512

              27dfba0d2d7ebce4e6eebdeefa81b2518c5222efb9d37b4c323023e5117eed30ad6aeba8e062bde96d17d53b01bb9a59313229aeaf4863c8b30d9bbb09d46bff

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              9845308e9c49c68843172e4b6f99ad78

              SHA1

              9ac099f9f91edbdbf235d191befb6c570bf290b8

              SHA256

              b56daa6360d40ad7137ed00c896dd134522fe129e93abb020008fdc2e812dc9c

              SHA512

              f9c63da60fb0eee726a35745dd0339439eb9dba2910e76f8331dadc12e0f87d2346048b9e1a3c3cd09e92a8f476f77450e216ebcc7f86dffbc69fb3d66c4f3f2

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              1bcdb398609755a2cd969045f503296f

              SHA1

              4821be2d32dee55d3bdd280439ca1a74abfd595d

              SHA256

              fff21609a16c9f456faeb6516f050a4ac5c7da1532887a3b814ebe18f07d130f

              SHA512

              dc7c1e5050f25affa3696fa589b8b062cd92a6edad62d459bc0ea994c088107cccac191dfc83ce3801e54fedf8c5b994259bfa30d4f0a60a6239abd5e4f2081a

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              79c7bc0cac270780f54c05d4a7866d93

              SHA1

              48c1323b5c1334c37d80ced259343683168e5355

              SHA256

              ee3319274fe8c8f6a9df1b6b28f221c74454267b00f98f329aaa7a12e4a6e260

              SHA512

              9369e6a9968349cb640495f5db9c4d4b0fcfeff2d79fca7fe7c62c341a16906b2bd285e0bf9421a4a46f4e9be507851e65f38ebcf40a8b26c214e533c38e0856

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              ed0f80783364fd4d82ffcb2a46453970

              SHA1

              bffc2e55540d2d3cacc6594a6b686d543d966aaa

              SHA256

              8ef6d04ba77b267f46545f5c98c03068fe0320ccab8a912d33d590e33d9e7125

              SHA512

              451fba2d73ea84a8c098ae597147df00eb2c70ddcdbee15d9efbc68c79a2805f0febeabf37d11945e383c84711ab3c8f6c353bc7a72fcb7e4d89022178464d22

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              6abb33de2ab319eac9ee142290d9fd8b

              SHA1

              f364a3edc7af573630627d208fe44f2d364271ec

              SHA256

              34f9b0ec52f6eb80dd6b00fcd6a8665bfe011a222d253eeeb7c12175c9ba98f6

              SHA512

              4bff9ee28999799d13669c585c058c6324fe967f1e37ec2ff0cfa42f52c72fbbabb8bc4b4cee624549a580716efc36c9689ff0e7c73208dd202f96fa80ba82a9

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              b2d9aa43f8ac68ac0230b79654035cc8

              SHA1

              e59c31ffb67eb5c15b0ba931e63498e17cd37612

              SHA256

              8320db98ebd453a9a5aabf0436f4270c293d40a78fabd50aca21f60c3c35f415

              SHA512

              81584c3c03ed9e720f5f16950e2f001073f92d17f7ec8b238923c6934951f314b6caa4167b562e47f1a1ecdcc869f151341e2edf3176ebbacb5f57c08dc4f6c3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              3873efc679a9bc2779ba81d87780854a

              SHA1

              60ce48cb49367e7cd56124d12e7c684941723101

              SHA256

              fd2d5516336fbec96f222d258ec9574bf3f5a3b29abaad3b5487ad3890f9db02

              SHA512

              8ccbcfbf7b1021dffcf0ef5d2212919105c901e21e27a1353ae494f0ea6b5597711434277713c21868777a5a3d8e1497b1ee98fb0e73cb46e172965e3f23f8f7

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              6b5613c15d63822bbb20c96a9c93feb0

              SHA1

              23ea319c96afb807ebe0b3e31e5f2861d0d0e5b9

              SHA256

              953f2361294adb2c3cd72ffa42fad71e0afc6bade4c16575e52d15224739b970

              SHA512

              2e620875698deb4d4dbcd61048e2cb324ef2bdfe9ea0813754b8c87235a093b3d6b3a58297f36365e081bda8db426b6e37b51361b9fdf2cc6ab1ea93e6c967fe

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              81f4b2a46432bafb5e60ccdc4e1b3c5b

              SHA1

              3c65c79b062ed982f6d7b17daea5dce352b9c4d8

              SHA256

              4d1f8db6bacef9347e45d4f0dc61576f97dd61811a19cb645658e81dfdf95546

              SHA512

              dcd72d3d78c6b627bacabd94685c6380580aad3ca60a560569e085d71654f4cbf2450f21487f5abba3c0335d6ac6905baf6475297c6223a69907c309095df70e

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              d1a38492c7d322ac4411b142f3d82307

              SHA1

              3b5e72a21fe898e5493eb0a2381e94019db631e1

              SHA256

              334af47b4230767cfc483bd1408d142c58ab4a48571cf3d8e1f5d5e6353ee761

              SHA512

              21670dca4467d882a8e9ececadf48450f84f168f0c1429edf72e8912789ed96a27537569a1fd1d75d97f37e7a9d4b3bf3679c15e4a181e42bff7fdd1865529bf

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              a4de4f1d2e6e3d2ccfefd23281944cee

              SHA1

              9663f0f8c24b74f2a5a5239d15f6615e826b5931

              SHA256

              f8af8201e781b1cb2897631b6f8b9982d45eb130a0c3bc92ad2ce4901e674da7

              SHA512

              48b84b9f284c9b5b1b091396da37be67ab7869d782f52f0c0e34e6ec3da63161df6bf03f9e5bce49145e936f0c593355455f9c3c4d0c26e7295999cbc8181cc1

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              597fd5456ddce9964bf5614a19675c5f

              SHA1

              a6b73a337306ffccdd9a7219c689d497b55eb378

              SHA256

              990963b1bcd13eee3f36805fee5dfc30d57defb5d7d9e6dc3a6766dcb32b18f2

              SHA512

              e262fc0843bec3c83ba1ddd37d3b1f8c454d87dc44818a03699811cf04b9c28c21936b6c607fc0d2269a890826e2929ad2b2413285363cefc2c1fe387a9cbce3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              bccbe7eee0ce4a6e84998b8d2cc2fc14

              SHA1

              c91d18943fd63188cbda2f2cffe47834704873b3

              SHA256

              c918da7242fc0e2f814677eed9111a88d39eccf7dfd3d65442f18a66e2589026

              SHA512

              e743fbd105501300a940803d4ae7bf76866a3f9de2e6d3a1345079049b5f9dd1ab6098e7c0c92364f07f822e007eded6104bc374742579a6e8ab6d95dd921557

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              d297aed2d9debcc4ec514904d3e0dfe8

              SHA1

              6b7730ed16885617342280568adee7dbd75b2bdb

              SHA256

              310f66610a5473b62aefff2c8a1978877b55045793e523cac971d54eba984488

              SHA512

              2b7822043491e15b40029c2906977f3d62405aae8267ff84ebf0a0f27667055a327bcbe001654b1b89393e4923f369a4f9744ea29bef8476bc8b3570f19f511d

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              21KB

              MD5

              61ea5230837beb89aa0cd8ae7a859534

              SHA1

              6b172c27f7efec85371bd665eb7126a9a72b4114

              SHA256

              4dff4842408a1c5d92bd025601a24531df6b1ed953ba0d9241712baf3ab7dccb

              SHA512

              a5ebc8c5236422dee698b839f66a1c49b37b03ffcb7e4956304c1188e37e8655df9f309974f6ad7fb0eaa3a81229ab0864418f2a1bdb19f83f0b6750f3eb6842

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IL4ftBofFG.bat
              Filesize

              229B

              MD5

              3d0c9b14a8784d04ef6eaeb1ac769bca

              SHA1

              bf75bff1d079f80bc28c349649c608897f620719

              SHA256

              ccd4ad514b5f2116171e6aec29dc02309d41ad3c64e674271a204e95809cf9a4

              SHA512

              e4f5537362bf4072a66f453fc1babf384487e36b8e41d25aa56c22452d1e4ecb1b26690cc401bae308d2e849956fa9ab7955420e2aa3d22351ac51d285aa33ea

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RES8DB9.tmp
              Filesize

              1KB

              MD5

              74a57a1187844f28091b59dd93ff25e9

              SHA1

              a430fcddc99a55af8dcbaf72d6e8a10923725a39

              SHA256

              cc7c698e7339e11133c535667189b5fd55c3c82568c49334cd5a11a2f5b95bf2

              SHA512

              39524c3b67337fd75c8919b982887f4f27bc9f722dae3e642eb2e3916b67e7b6d80259ccfe2f2499c0340550695a3c901430738ae56193d2fdf330036c32562d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\XP5VlD46Ih.bat
              Filesize

              177B

              MD5

              b2aef3fcb3f1828ea8bbca48ba5bbc2b

              SHA1

              ed490df87c333579248d693af1aedf220ea31fcc

              SHA256

              aadc5bf778ffcbe1f97598327ab16f1fc3488b74212feaac62bbca6c1db774a9

              SHA512

              05b7c374201c2e38078065194b178ca71ad3a94a0351d82d8260b0277210b06c40a8697a43612485411a40b322df0f6f41da82ee36e9d83fb7de9dcdfb6457c8

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aep05tzg.2tn.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe
              Filesize

              9KB

              MD5

              7a195b6c9de2d5cab015f649da6931a1

              SHA1

              89f7372dd92a90a8e13b74ee512b464412e4cf9b

              SHA256

              30183935449a625c2a61f6342dc3b9907028194173f2e3d594eaa3126ee316bc

              SHA512

              3c2aeef85b51e7f955072fba042bcedf8dd0b66ad813def58c0134355665ba56a713d58005a322561c62be5777d0adea2803da214459f362f22fe2a0dba5a1c7

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe
              Filesize

              2.2MB

              MD5

              f21f63c5ac1e7afc50125b10c75e30af

              SHA1

              09be95306a2e9f48934b6f3ec4e789eefaaefc94

              SHA256

              a4bf1fbf3c41613a6ca44ec770bca60ed1a23206bd01a2296513c302ff63e046

              SHA512

              681ba321321fe8c856a1d6d3de10f23e4f313d943e0e83abfa4ab575cc8932b8be28024eaec282f21dabafa4848b9305d4a15bbd3db7591bccf46d1ee369d58c

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe
              Filesize

              427KB

              MD5

              8d860de39a47014bb85432844205defc

              SHA1

              16b6485662cc4b57af26f1ee2fe5e5595156264d

              SHA256

              6f64566b9adc350458221bc7312acaa09290c58241659336b9921c3dcf27fbbb

              SHA512

              c76408b4390d9aeae243f7333c5acdc68b6fe08efd1694c774069627d09e91e97ab1a5ccf55b60a247f3b00e8b95166d3dfcc41ac92150f00dfb897480a5a539

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe
              Filesize

              3.0MB

              MD5

              c33b516c2f5105562cc621929d2f3a5a

              SHA1

              ac89044573fc5b586b43c1bf784c3bcc50a46c1f

              SHA256

              42fcea19c41fd2e09ce01b6f0f48027f7f58aac75f93b7aeae8d24af7eb23f3c

              SHA512

              eace4742d8f75a2093cfeab3cd20f8ddb23514f6d5a598b16927621afc6e2bc4dff58d775e0c2c261f7c1ffc20a4b7d1004fe1ef8c7f904d8ef1cd94636caec6

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe
              Filesize

              249B

              MD5

              5299f191d092a082374029620d0184cd

              SHA1

              154c0f2d892c0dde9914e1d2e114995ab5f1a8cb

              SHA256

              9c46745f3776d8f344029103da41e060516a4bf324e7238b112a3069abececf9

              SHA512

              670159a1352e91ad4739903c7d5bbca2b91e81ab542ac6b4532db8701d5bf01b900909812164db6ce4dbdc2fc1af59593d9abc84daff835de07eb7d383869e39

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat
              Filesize

              104B

              MD5

              b33c8997ecd39b1b7e8af929abd526c7

              SHA1

              e30e21ca9e74d508cfc35e9affd57a7fbc089a77

              SHA256

              71340cb564242cd1454892eaa33aae6eaf8e444d9301731753a9aa993bb9785c

              SHA512

              394a9df69628162228d6a8934d6df532d5055a65a41788ef7d2b8170fae3bd586d80c8592ebc10e32650b81d43efd2eefdef865523d687b6def20fe4374afefc

              Download Submit

            • C:\Windows\SysWOW64\WindowsInput.exe
              Filesize

              21KB

              MD5

              f6285edd247fa58161be33f8cf662d31

              SHA1

              e2b49bca43cd0bd6cc1eee582ba58f0ed6de1470

              SHA256

              bc16993d1a774793044ca37eb2ce84ecbdb5c578e3c710ed82879e07dcef2fec

              SHA512

              6f3e6073a1dafc679da1caa4a4c9cb7cc2da79c3f81034d7b7b7b1d855fd5421cbb517a7d3f9520f49d4d3b7f9577f4f8f92486994c8b78fabff5033b390a788

              Download Submit

            • C:\Windows\SysWOW64\WindowsInput.exe.config
              Filesize

              349B

              MD5

              89817519e9e0b4e703f07e8c55247861

              SHA1

              4636de1f6c997a25c3190f73f46a3fd056238d78

              SHA256

              f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

              SHA512

              b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

              Download Submit

            • C:\blockComAgentdll\Q5HIcCBrM4kJ2gRS.bat
              Filesize

              98B

              MD5

              1316b7f40530ee0c903a091d248c63dd

              SHA1

              6e9322f825d3d18a712458d98430a54b17c9f904

              SHA256

              43c1d785f81931b200e0be0a9fc40a736f26f397fda6571e26f52c21acf1065f

              SHA512

              1c9a435ca6d25466b715d2d4505dc33d42ab33fe192e89820929ee01b1962a2128c0ce9281ae96d27a9c18a4d035e55d912f673e17c6e7936d96160fea253345

              Download Submit

            • C:\blockComAgentdll\hypercommonSvc.exe
              Filesize

              1.9MB

              MD5

              c9cda0ef2f246e5a640c25ff468a87a4

              SHA1

              44c7046f6251c49905cc569d1836361d0ae7856a

              SHA256

              cc66b2f2a0bcd9104078ed351c6b313a488f6b895c5fef9743b227c0397c4d6f

              SHA512

              2731df92281b29a4421b5071891676a4048bb39378956674c99dddea5b27f7684c71b7e3808942fd758c3c60e3eae93da535de95d702a3ae6f8829aae598ff21

              Download Submit

            • C:\blockComAgentdll\l2A594olLEJWUEUfw4GfnauDbYxQl.vbe
              Filesize

              211B

              MD5

              386552a2a95b01f9b62bbf076f55204a

              SHA1

              4b202d016dc86a72837fdcb080caea7b8761842c

              SHA256

              be3ca473daa12562ac27843de069cca900d4413f08703b0cefee87303b8ec414

              SHA512

              dbba55a57db75cb351606a7dbc89cd0cf37dd333fa7456f94c6c2f9fd0480af28a27c29ca411cc5745c9929a92222123f770a870b046a84b25b23f4417ec62c4

              Download Submit

            • C:\windows\system32\dnk2o1.exe
              Filesize

              4KB

              MD5

              2e904aebe335ec5ae3708be79a975e2b

              SHA1

              ffc6e7d5eb68f5593dd8814ca2c6978a799d5731

              SHA256

              a5d7ff513c7ca99f97ea675b26ce69bbd340e2cfc1d20ac7b6ad79dfc4537e89

              SHA512

              157a2c960fd274757ea238d3af8ce2bd66681231ab571e7d8a1d494d322e8bc786b6ee08750349bc9ec53dfa9e1686b3e43c594068f9a8559ae81df06c664a59

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\50dmcqmv\50dmcqmv.0.cs
              Filesize

              393B

              MD5

              63322c4ce5c898f68ef2b4e520b9cf47

              SHA1

              18dc78d78722f8b9ef9fbd81c663beae4832c046

              SHA256

              bf2252af8b8668ee64cee8806d3f106439d51842d4b9d0e9cd048b1e4c7fac3e

              SHA512

              0c7e7cb97eb0089998b466138ce884cdfab4f9156714a68aed80f7db8594de50eb8ce4ac1d2f127c9e200d71b6753afbb423902b6b9e2c635d47d17a8a5323b6

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\50dmcqmv\50dmcqmv.cmdline
              Filesize

              235B

              MD5

              7595e3075395ea658ab6bce0f5f04140

              SHA1

              435c845af24253fb86915957b097a6576e818630

              SHA256

              743f13c1034353741770330cd8068b0c11d2e6bb3315d4cdf73834df8c127b64

              SHA512

              9f092f6ee539c93ec7ccf8d3c22e587120b557f707b5f7c8152aa4f64e7d68eb58afebd30fa535a1308ed617a4cc3c4112254d98ec9aaf1ec376c90d82cb2908

              Download Submit

            • \??\c:\Windows\System32\CSC9ADAD6FDE5FD465EBE6E4C3E35F893EA.TMP
              Filesize

              1KB

              MD5

              775561cb0fd5f100b42ac5758ae200bb

              SHA1

              05987ff3a389d36f7cc66f0906afd470803520e2

              SHA256

              821d62917f13490566a3cff08a261328a0954dbb3d96cec18025763de74cb2d5

              SHA512

              6fc136ba28b0c822a00989a1df46c7629c7d1b820fee96fc2d24efe6d0ef2ee521f446637830978d9369d6d92ce11848170ac24a9e618aa5a78518cb011b27b9

              Download Submit

            • memory/252-197-0x00000000076A0000-0x0000000007743000-memory.dmp

              Filesize

              652KB

              Download

            • memory/252-187-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/252-823-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/396-112-0x0000000006A90000-0x0000000006B26000-memory.dmp

              Filesize

              600KB

              Download

            • memory/396-115-0x0000000006BF0000-0x0000000006C3A000-memory.dmp

              Filesize

              296KB

              Download

            • memory/396-37-0x00000000726DE000-0x00000000726DF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/396-137-0x0000000009730000-0x000000000974E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/396-39-0x0000000000790000-0x0000000000A92000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/396-140-0x0000000009750000-0x00000000097F3000-memory.dmp

              Filesize

              652KB

              Download

            • memory/396-50-0x00000000013A0000-0x00000000013AE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/396-51-0x0000000005390000-0x00000000053EC000-memory.dmp

              Filesize

              368KB

              Download

            • memory/396-52-0x0000000005DA0000-0x0000000006346000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/396-53-0x00000000057F0000-0x0000000005882000-memory.dmp

              Filesize

              584KB

              Download

            • memory/396-151-0x0000000009870000-0x000000000987A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/396-59-0x0000000005D50000-0x0000000005D72000-memory.dmp

              Filesize

              136KB

              Download

            • memory/396-119-0x00000000084F0000-0x000000000853C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/396-118-0x0000000008380000-0x00000000083A2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/396-116-0x00000000076A0000-0x00000000079F7000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/396-117-0x0000000008110000-0x0000000008176000-memory.dmp

              Filesize

              408KB

              Download

            • memory/396-168-0x00000000097A0000-0x00000000097D2000-memory.dmp

              Filesize

              200KB

              Download

            • memory/396-113-0x0000000006B30000-0x0000000006B96000-memory.dmp

              Filesize

              408KB

              Download

            • memory/396-58-0x0000000005D10000-0x0000000005D18000-memory.dmp

              Filesize

              32KB

              Download

            • memory/396-109-0x0000000006950000-0x000000000696A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/396-114-0x0000000006A40000-0x0000000006A5E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/396-110-0x00000000069B0000-0x00000000069E6000-memory.dmp

              Filesize

              216KB

              Download

            • memory/396-254-0x00000000726DE000-0x00000000726DF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/396-86-0x0000000006CD0000-0x000000000739A000-memory.dmp

              Filesize

              6.8MB

              Download

            • memory/396-57-0x0000000005D00000-0x0000000005D0A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/396-111-0x0000000007A20000-0x000000000809A000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/396-54-0x0000000005700000-0x0000000005712000-memory.dmp

              Filesize

              72KB

              Download

            • memory/396-56-0x0000000005CF0000-0x0000000005CF8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/396-55-0x0000000005CE0000-0x0000000005CE8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1048-651-0x0000000000D80000-0x0000000000D88000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1080-203-0x00000220900C0000-0x00000220900E2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1372-362-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1412-509-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1424-342-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1492-78-0x0000000000D80000-0x0000000000D92000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1492-79-0x0000000000EF0000-0x0000000000F2C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1492-77-0x00000000005B0000-0x00000000005BC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2168-257-0x00000265257B0000-0x00000265257B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2168-262-0x00000265257B0000-0x00000265257B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2168-255-0x00000265257B0000-0x00000265257B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2168-256-0x00000265257B0000-0x00000265257B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2168-267-0x00000265257B0000-0x00000265257B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2168-266-0x00000265257B0000-0x00000265257B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2168-265-0x00000265257B0000-0x00000265257B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2168-264-0x00000265257B0000-0x00000265257B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2168-263-0x00000265257B0000-0x00000265257B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2292-864-0x000000001BA60000-0x000000001BB09000-memory.dmp

              Filesize

              676KB

              Download

            • memory/2472-803-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/3224-352-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4204-793-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4236-141-0x000000001BAE0000-0x000000001BB30000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4236-139-0x000000001BA70000-0x000000001BA8C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/4236-145-0x000000001B640000-0x000000001B64E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4236-127-0x000000001B630000-0x000000001B63E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4236-143-0x000000001BA90000-0x000000001BAA8000-memory.dmp

              Filesize

              96KB

              Download

            • memory/4236-125-0x0000000002B70000-0x0000000002C42000-memory.dmp

              Filesize

              840KB

              Download

            • memory/4236-147-0x000000001B650000-0x000000001B65C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4236-124-0x00000000009F0000-0x00000000009F8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4236-186-0x000000001BDB0000-0x000000001BE59000-memory.dmp

              Filesize

              676KB

              Download

            • memory/4976-84-0x0000000019F40000-0x000000001A04A000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/5076-89-0x00000260510C0000-0x00000260510C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5076-103-0x00000260510C0000-0x00000260510C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5076-102-0x00000260510C0000-0x00000260510C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5076-107-0x00000260510C0000-0x00000260510C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5076-88-0x00000260510C0000-0x00000260510C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5076-87-0x00000260510C0000-0x00000260510C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5076-104-0x00000260510C0000-0x00000260510C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5076-106-0x00000260510C0000-0x00000260510C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5076-105-0x00000260510C0000-0x00000260510C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5076-108-0x00000260510C0000-0x00000260510C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5240-372-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/5536-480-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/5556-382-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/5576-398-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/5616-434-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/5720-422-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/5924-408-0x000000001AF20000-0x000000001AFF2000-memory.dmp

              Filesize

              840KB

              Download

            • memory/5924-650-0x000000001CE50000-0x000000001CEF9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/6004-490-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/6136-556-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/6148-773-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/6492-462-0x0000000005E20000-0x0000000005E6E000-memory.dmp

              Filesize

              312KB

              Download

            • memory/6492-463-0x00000000065E0000-0x00000000065F8000-memory.dmp

              Filesize

              96KB

              Download

            • memory/6492-464-0x00000000067A0000-0x00000000067B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/6492-466-0x0000000006980000-0x0000000006B42000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/6492-461-0x0000000005520000-0x0000000005532000-memory.dmp

              Filesize

              72KB

              Download

            • memory/6492-615-0x0000000008D70000-0x0000000008D7A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/6540-733-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/6812-543-0x000000001B7A0000-0x000000001B849000-memory.dmp

              Filesize

              676KB

              Download

            • memory/6812-523-0x0000000000E10000-0x0000000000E1E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/6812-525-0x0000000000E20000-0x0000000000E2C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/6812-527-0x0000000000E30000-0x0000000000E38000-memory.dmp

              Filesize

              32KB

              Download

            • memory/6812-479-0x0000000000520000-0x0000000000710000-memory.dmp

              Filesize

              1.9MB

              Download

            • memory/6872-721-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/6944-743-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/6984-763-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/7008-783-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/7044-753-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/7104-813-0x0000000073F50000-0x0000000073F9C000-memory.dmp

              Filesize

              304KB

              Download