dcrat | 270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8

Analysis

max time kernel
16s
max time network
38s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11-11-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

113KB
MD5

7cf417d06a24c1ade73ec6d8ae589077
SHA1

128516790f9c6d8ac1d33a9f1f2b854162d94942
SHA256

270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8
SHA512

3f5615b04489cfc755e19efc30fe619026dfacd250bb1c1677e1c55ceb6f69a80d0f05760c157696985e1090c34e8e403b453e5680fb981f274bdd66e2fcb5bb
SSDEEP

3072:RSb0MKWY3tfR2y+/ESH7V3wy3OcpN4LBzl:44JWGJ+/ESx3wy+c34LBZ

Score

10^/10

dcrat orcus roblox discovery execution infostealer rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Roblox

89.23.100.155:1337

Mutex

52641f3c61234743ba12f855fdae3135

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%AppData%\Windows\Helper\WinHelper32.exe
reconnect_delay
10000
registry_keyname
WinHelper32.exe
taskscheduler_taskname
WinHelper32
watchdog_path
AppData\WinHelperWatchdog.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/5608-209-0x0000000005D20000-0x0000000005D2A000-memory.dmp	disable_win_def

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0028000000045069-152.dat	family_orcus

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	4468	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	4468	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	4468	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6068	4468	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4468	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	4468	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5496	4468	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	4468	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	4468	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5148	4468	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5240	4468	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	4468	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	4468	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5664	4468	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	4468	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5192	4468	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5472	4468	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5432	4468	schtasks.exe	92

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/5012-261-0x0000000002E00000-0x0000000002ED2000-memory.dmp	family_dcrat_v2
behavioral1/memory/332-507-0x000000001B670000-0x000000001B742000-memory.dmp	family_dcrat_v2

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000045069-152.dat	orcus
behavioral1/memory/5608-190-0x0000000000670000-0x0000000000972000-memory.dmp	orcus

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4968	powershell.exe
5692	powershell.exe
1576	powershell.exe
976	powershell.exe
5316	powershell.exe
4816	powershell.exe
2456	powershell.exe
3884	powershell.exe
4640	powershell.exe
1204	powershell.exe
4980	powershell.exe
5504	powershell.exe
1488	powershell.exe
2064	powershell.exe
5472	powershell.exe
3684	powershell.exe
4860	powershell.exe
1600	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WinHelper32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Boostrapper.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinHelper32.exe	javaw.exe

Executes dropped EXE 3 IoCs

pid	Process
2432	WinHelper32.exe
5608	xdwd.exe
2144	Boostrapper.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	xdwd.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	xdwd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boostrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinHelper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	WinHelper32.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	Boostrapper.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2860	schtasks.exe
6068	schtasks.exe
1232	schtasks.exe
220	schtasks.exe
3716	schtasks.exe
2348	schtasks.exe
5192	schtasks.exe
5432	schtasks.exe
4640	schtasks.exe
5472	schtasks.exe
5240	schtasks.exe
5664	schtasks.exe
2488	schtasks.exe
2944	schtasks.exe
4872	schtasks.exe
5496	schtasks.exe
3420	schtasks.exe
5148	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4968	powershell.exe
3884	powershell.exe
4968	powershell.exe
3884	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeIncreaseQuotaPrivilege	4968	powershell.exe
Token: SeSecurityPrivilege	4968	powershell.exe
Token: SeTakeOwnershipPrivilege	4968	powershell.exe
Token: SeLoadDriverPrivilege	4968	powershell.exe
Token: SeSystemProfilePrivilege	4968	powershell.exe
Token: SeSystemtimePrivilege	4968	powershell.exe
Token: SeProfSingleProcessPrivilege	4968	powershell.exe
Token: SeIncBasePriorityPrivilege	4968	powershell.exe
Token: SeCreatePagefilePrivilege	4968	powershell.exe
Token: SeBackupPrivilege	4968	powershell.exe
Token: SeRestorePrivilege	4968	powershell.exe
Token: SeShutdownPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeSystemEnvironmentPrivilege	4968	powershell.exe
Token: SeRemoteShutdownPrivilege	4968	powershell.exe
Token: SeUndockPrivilege	4968	powershell.exe
Token: SeManageVolumePrivilege	4968	powershell.exe
Token: 33	4968	powershell.exe
Token: 34	4968	powershell.exe
Token: 35	4968	powershell.exe
Token: 36	4968	powershell.exe
Token: SeIncreaseQuotaPrivilege	3884	powershell.exe
Token: SeSecurityPrivilege	3884	powershell.exe
Token: SeTakeOwnershipPrivilege	3884	powershell.exe
Token: SeLoadDriverPrivilege	3884	powershell.exe
Token: SeSystemProfilePrivilege	3884	powershell.exe
Token: SeSystemtimePrivilege	3884	powershell.exe
Token: SeProfSingleProcessPrivilege	3884	powershell.exe
Token: SeIncBasePriorityPrivilege	3884	powershell.exe
Token: SeCreatePagefilePrivilege	3884	powershell.exe
Token: SeBackupPrivilege	3884	powershell.exe
Token: SeRestorePrivilege	3884	powershell.exe
Token: SeShutdownPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeSystemEnvironmentPrivilege	3884	powershell.exe
Token: SeRemoteShutdownPrivilege	3884	powershell.exe
Token: SeUndockPrivilege	3884	powershell.exe
Token: SeManageVolumePrivilege	3884	powershell.exe
Token: 33	3884	powershell.exe
Token: 34	3884	powershell.exe
Token: 35	3884	powershell.exe
Token: 36	3884	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 1052	648	Bootstrapper.exe	82
PID 648 wrote to memory of 1052	648	Bootstrapper.exe	82
PID 1052 wrote to memory of 4968	1052	javaw.exe	84
PID 1052 wrote to memory of 4968	1052	javaw.exe	84
PID 1052 wrote to memory of 3884	1052	javaw.exe	85
PID 1052 wrote to memory of 3884	1052	javaw.exe	85
PID 1052 wrote to memory of 2432	1052	javaw.exe	93
PID 1052 wrote to memory of 2432	1052	javaw.exe	93
PID 1052 wrote to memory of 2432	1052	javaw.exe	93
PID 2432 wrote to memory of 5068	2432	WinHelper32.exe	95
PID 2432 wrote to memory of 5068	2432	WinHelper32.exe	95
PID 2432 wrote to memory of 5068	2432	WinHelper32.exe	95
PID 2432 wrote to memory of 5608	2432	WinHelper32.exe	96
PID 2432 wrote to memory of 5608	2432	WinHelper32.exe	96
PID 2432 wrote to memory of 5608	2432	WinHelper32.exe	96
PID 2432 wrote to memory of 2144	2432	WinHelper32.exe	98
PID 2432 wrote to memory of 2144	2432	WinHelper32.exe	98
PID 2432 wrote to memory of 2144	2432	WinHelper32.exe	98
PID 2144 wrote to memory of 3624	2144	Boostrapper.exe	100
PID 2144 wrote to memory of 3624	2144	Boostrapper.exe	100
PID 2144 wrote to memory of 3624	2144	Boostrapper.exe	100

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:648
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3884
- - C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe
    C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat" "
        5⤵
        
        PID:4140
      - C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows/Defender/RunShell.exe"
        6⤵
        
        PID:5012
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nltg3b0i\nltg3b0i.cmdline"
        7⤵
        
        PID:1044
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE203.tmp" "c:\Windows\System32\CSCD95C6B1CAAEF4B2E8464C49789574DB5.TMP"
        8⤵
        
        PID:2288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockComAgentdll\fontdrvhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfow39xwQ1.bat"
        7⤵
        
        PID:3824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2760
        
        C:\Program Files (x86)\Windows Portable Devices\dllhost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dllhost.exe"
        8⤵
        
        PID:332
  - - C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe
      "C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:5608
    - - C:\Windows\SysWOW64\WindowsInput.exe
        
        "C:\Windows\SysWOW64\WindowsInput.exe" --install
        5⤵
        
        PID:1800
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        
        PID:5780
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4640
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2064
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1204
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5472
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4980
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5504
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3684
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1488
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4860
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1600
  - - C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe
      "C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\blockComAgentdll\l2A594olLEJWUEUfw4GfnauDbYxQl.vbe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\blockComAgentdll\Q5HIcCBrM4kJ2gRS.bat" "
        6⤵
        
        PID:3136
        
        C:\blockComAgentdll\hypercommonSvc.exe
        
        "C:\blockComAgentdll/hypercommonSvc.exe"
        7⤵
        
        PID:4608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sa0jlG3nmg.bat"
        8⤵
        
        PID:5200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:6096

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
PID:6016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\blockComAgentdll\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\blockComAgentdll\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\blockComAgentdll\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\browser\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\browser\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RunShell" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4bcdb551b57a99a3cc848e7535619dcf

SHA1
ed4fd7e40cc0e8b0cbd7f70c60579aa77d7b605e

SHA256
77ccbd8bb0337b3387ed201a3ad3f121b9e7075326447b16456eeb49c5dd858c

SHA512
6d0485054934b52f1605c78e3a81d6b590976bfa7d686f891b955419ddf6de26cc12891c336891b14ff0048b247b9ccf44357e3c07b23a1b2fa527202843b17e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f56928ec88eae1a6cd857312b47271ac

SHA1
70364aa0d0bf17647cd57f8644f86e0499ad5a74

SHA256
9c72ce0feceb3a4e76e0cad5b7220d7a67eea9c5acd343d886489e8098fa5ab5

SHA512
07abdcdc804124bb3983849e50b29fddc105f750f81256c93585d3e0f4e1445ca8cf143ae9cf077bab498e1797050bae8c07a4eacff1a4b3fdc96d51767cbd35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0c9cd2c87c9263ad1ae36b7a5a75be2c

SHA1
cfa935dc6c7b33b49614d4d78ec14d27112f96eb

SHA256
81b30ac0401d8ca56969e5c99d168d457505e079d14c10a3964de55dc4c6e8be

SHA512
3d9c02939b54c56dd94ffcfc2d465cd0ed16c84196212f1243651a92525cfcb15b520542c08fadc98f6cbcbe8762beba7178a094a51b71aad14cefb5c8c25d1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fb1aab68648117340b07770d537f6498

SHA1
ccda526277fc4ed93258319897fc766f426374cd

SHA256
a78389327efa0dff06d148589f956006b3cdd7c7a66a288c23a7cda5f31f3513

SHA512
c22a0a644f6797329ff9499c93bc7ba05ab19d91f70861d619ea9c57aeafc0f83ea11c1059977653f085b0cd9cd92b1680c0f0913dbb21e1d124f2a665fb2287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE203.tmp

Filesize
1KB

MD5
6bcbb86ad46d2beb2537a755198213a9

SHA1
d9d7c0368e3f2d539113180089de41ef30cbf0f9

SHA256
badec2eba9b4d38dbabcd281d7a556cfc984367222c1898f695e2bcf6cc64139

SHA512
2cba94b6821ddf1dcc471d300e99d682ebbb30b314a58e87de1415335c4866c1ab53f46bc77a5d3e57da7f9ae98d7da48118f098ab1dd31e825b64fe8b1e91db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rdk1vqc1.pha.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfow39xwQ1.bat

Filesize
235B

MD5
c99d2ce007b197451cc200f56bbe01ad

SHA1
c29c5fcdb560eb2e35ecc68c9f5fed9724fc6b56

SHA256
b17fd47386bc7d7558f919557616cb38cf2a02bbe587a4d90dbf0488648f160f

SHA512
7cb955a6dacc55f5ffab5a5fb20faa57396c3d9ed9ae716a98ff976285635ed320bf174f6d472038268a97cc43d6a25132b5db29e6d3d2a1369210f8d0f2b8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sa0jlG3nmg.bat

Filesize
161B

MD5
44bfb2f863a529242682ebdbe5a650bc

SHA1
034f7b041173f9293df542f1d1ed7f35f5fda703

SHA256
74b89e8f07d646b045671b852219a09a34bfc0090af642d648c4a7cdf81684ec

SHA512
7bc66b0c57d0f96347c11a210a0ada0bd74396945f43847c9f319e7d2c7d7f94364c33f71225d2b9dd6618e746a97fc202564bd3543d635bf255ede9e8faf5f2

Download Submit
C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe

Filesize
4.9MB

MD5
72982e4d77aaee2ef6d16876037b3dbe

SHA1
bfffbe69bfc0cb1fb5e23199dba5ea69c4f3d9df

SHA256
bbe1c2a2af47b4e32fa9b6e8a44da455473604bd1aae5481524403f878a86662

SHA512
cb28f33f6c3acaa74ddb3e9f50922e764926fbf2b8a3d7317f13b57f6f30e259a5a8b0213c77dee27cf542ad860762909c1f46f695f2b2c45bb778de957f02db

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe

Filesize
2.2MB

MD5
f21f63c5ac1e7afc50125b10c75e30af

SHA1
09be95306a2e9f48934b6f3ec4e789eefaaefc94

SHA256
a4bf1fbf3c41613a6ca44ec770bca60ed1a23206bd01a2296513c302ff63e046

SHA512
681ba321321fe8c856a1d6d3de10f23e4f313d943e0e83abfa4ab575cc8932b8be28024eaec282f21dabafa4848b9305d4a15bbd3db7591bccf46d1ee369d58c

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe

Filesize
427KB

MD5
8d860de39a47014bb85432844205defc

SHA1
16b6485662cc4b57af26f1ee2fe5e5595156264d

SHA256
6f64566b9adc350458221bc7312acaa09290c58241659336b9921c3dcf27fbbb

SHA512
c76408b4390d9aeae243f7333c5acdc68b6fe08efd1694c774069627d09e91e97ab1a5ccf55b60a247f3b00e8b95166d3dfcc41ac92150f00dfb897480a5a539

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe

Filesize
3.0MB

MD5
c33b516c2f5105562cc621929d2f3a5a

SHA1
ac89044573fc5b586b43c1bf784c3bcc50a46c1f

SHA256
42fcea19c41fd2e09ce01b6f0f48027f7f58aac75f93b7aeae8d24af7eb23f3c

SHA512
eace4742d8f75a2093cfeab3cd20f8ddb23514f6d5a598b16927621afc6e2bc4dff58d775e0c2c261f7c1ffc20a4b7d1004fe1ef8c7f904d8ef1cd94636caec6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe

Filesize
249B

MD5
5299f191d092a082374029620d0184cd

SHA1
154c0f2d892c0dde9914e1d2e114995ab5f1a8cb

SHA256
9c46745f3776d8f344029103da41e060516a4bf324e7238b112a3069abececf9

SHA512
670159a1352e91ad4739903c7d5bbca2b91e81ab542ac6b4532db8701d5bf01b900909812164db6ce4dbdc2fc1af59593d9abc84daff835de07eb7d383869e39

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat

Filesize
104B

MD5
b33c8997ecd39b1b7e8af929abd526c7

SHA1
e30e21ca9e74d508cfc35e9affd57a7fbc089a77

SHA256
71340cb564242cd1454892eaa33aae6eaf8e444d9301731753a9aa993bb9785c

SHA512
394a9df69628162228d6a8934d6df532d5055a65a41788ef7d2b8170fae3bd586d80c8592ebc10e32650b81d43efd2eefdef865523d687b6def20fe4374afefc

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
f6285edd247fa58161be33f8cf662d31

SHA1
e2b49bca43cd0bd6cc1eee582ba58f0ed6de1470

SHA256
bc16993d1a774793044ca37eb2ce84ecbdb5c578e3c710ed82879e07dcef2fec

SHA512
6f3e6073a1dafc679da1caa4a4c9cb7cc2da79c3f81034d7b7b7b1d855fd5421cbb517a7d3f9520f49d4d3b7f9577f4f8f92486994c8b78fabff5033b390a788

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
C:\blockComAgentdll\Q5HIcCBrM4kJ2gRS.bat

Filesize
98B

MD5
1316b7f40530ee0c903a091d248c63dd

SHA1
6e9322f825d3d18a712458d98430a54b17c9f904

SHA256
43c1d785f81931b200e0be0a9fc40a736f26f397fda6571e26f52c21acf1065f

SHA512
1c9a435ca6d25466b715d2d4505dc33d42ab33fe192e89820929ee01b1962a2128c0ce9281ae96d27a9c18a4d035e55d912f673e17c6e7936d96160fea253345

Download Submit
C:\blockComAgentdll\hypercommonSvc.exe

Filesize
1.9MB

MD5
c9cda0ef2f246e5a640c25ff468a87a4

SHA1
44c7046f6251c49905cc569d1836361d0ae7856a

SHA256
cc66b2f2a0bcd9104078ed351c6b313a488f6b895c5fef9743b227c0397c4d6f

SHA512
2731df92281b29a4421b5071891676a4048bb39378956674c99dddea5b27f7684c71b7e3808942fd758c3c60e3eae93da535de95d702a3ae6f8829aae598ff21

Download Submit
C:\blockComAgentdll\l2A594olLEJWUEUfw4GfnauDbYxQl.vbe

Filesize
211B

MD5
386552a2a95b01f9b62bbf076f55204a

SHA1
4b202d016dc86a72837fdcb080caea7b8761842c

SHA256
be3ca473daa12562ac27843de069cca900d4413f08703b0cefee87303b8ec414

SHA512
dbba55a57db75cb351606a7dbc89cd0cf37dd333fa7456f94c6c2f9fd0480af28a27c29ca411cc5745c9929a92222123f770a870b046a84b25b23f4417ec62c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nltg3b0i\nltg3b0i.0.cs

Filesize
367B

MD5
ec9fedc92de1c4c8e8b92cc8545671b5

SHA1
f8ca4d4ff01fd8ef362ccfbe698f043ea9813717

SHA256
0200caa5d4a7838e1db742549674beb78cc37f0c8f8368d44d7f3acb17cb02a5

SHA512
540deb4b52c7ad42bae4a3aff039749ffe39344944c5ecbc23f55f61be8f4e2ac1c5f41e3e19eacf214878e8f217fec69f9f4a888cb19502d63110466449fe79

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nltg3b0i\nltg3b0i.cmdline

Filesize
235B

MD5
c1873ee5475e7f1285da3bd95a3ac8b9

SHA1
39eec82c137965c9ea69560f9a25e7e4f0058df1

SHA256
bc7c1e87cefa7466cf8a2e85a6d69367ee2c8bd4bdeaa79dd64a8e865db0d2f7

SHA512
ab6fb2128f798ff38bdd3a10ee538556b876c45b5b3461376d8d5e56238a1374b3926240f45c72c2844c01b01ded9ce3359795cee322e520cfcb379b504e8759

Download Submit
\??\c:\Windows\System32\CSCD95C6B1CAAEF4B2E8464C49789574DB5.TMP

Filesize
1KB

MD5
97a3a4ab7f63bb87648297531ccc5bf0

SHA1
9d175b8d02181c4284f0e14f165470292d462bd9

SHA256
f052e2c0a4308c072c22e2e8daa7734fc0a64885c57d2009a28160f7cddc3cc8

SHA512
154c35f3c2cac99c012d82679ff30e0e60c37140500d0c47ef788d803d8edaa1db02e4154277bc31af51cdd0e37ce00f4192c1baff3977c15a8c645140149db8

Download Submit
memory/332-507-0x000000001B670000-0x000000001B742000-memory.dmp

Filesize
840KB

Download
memory/648-128-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/648-189-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1052-182-0x0000016A654A0000-0x0000016A654B0000-memory.dmp

Filesize
64KB

Download
memory/1052-64-0x0000016A65450000-0x0000016A65460000-memory.dmp

Filesize
64KB

Download
memory/1052-83-0x0000016A65470000-0x0000016A65480000-memory.dmp

Filesize
64KB

Download
memory/1052-96-0x0000016A654B0000-0x0000016A654C0000-memory.dmp

Filesize
64KB

Download
memory/1052-95-0x0000016A654A0000-0x0000016A654B0000-memory.dmp

Filesize
64KB

Download
memory/1052-94-0x0000016A65490000-0x0000016A654A0000-memory.dmp

Filesize
64KB

Download
memory/1052-93-0x0000016A65480000-0x0000016A65490000-memory.dmp

Filesize
64KB

Download
memory/1052-102-0x0000016A638D0000-0x0000016A638D1000-memory.dmp

Filesize
4KB

Download
memory/1052-105-0x0000016A638D0000-0x0000016A638D1000-memory.dmp

Filesize
4KB

Download
memory/1052-111-0x0000016A638D0000-0x0000016A638D1000-memory.dmp

Filesize
4KB

Download
memory/1052-115-0x0000016A638D0000-0x0000016A638D1000-memory.dmp

Filesize
4KB

Download
memory/1052-119-0x0000016A638D0000-0x0000016A638D1000-memory.dmp

Filesize
4KB

Download
memory/1052-120-0x0000016A638D0000-0x0000016A638D1000-memory.dmp

Filesize
4KB

Download
memory/1052-180-0x0000016A65480000-0x0000016A65490000-memory.dmp

Filesize
64KB

Download
memory/1052-129-0x0000016A654C0000-0x0000016A654D0000-memory.dmp

Filesize
64KB

Download
memory/1052-133-0x0000016A65500000-0x0000016A65510000-memory.dmp

Filesize
64KB

Download
memory/1052-132-0x0000016A654F0000-0x0000016A65500000-memory.dmp

Filesize
64KB

Download
memory/1052-131-0x0000016A654E0000-0x0000016A654F0000-memory.dmp

Filesize
64KB

Download
memory/1052-130-0x0000016A654D0000-0x0000016A654E0000-memory.dmp

Filesize
64KB

Download
memory/1052-2-0x0000016A651E0000-0x0000016A65450000-memory.dmp

Filesize
2.4MB

Download
memory/1052-11-0x0000016A638D0000-0x0000016A638D1000-memory.dmp

Filesize
4KB

Download
memory/1052-14-0x0000016A65450000-0x0000016A65460000-memory.dmp

Filesize
64KB

Download
memory/1052-15-0x0000016A65460000-0x0000016A65470000-memory.dmp

Filesize
64KB

Download
memory/1052-176-0x0000016A65460000-0x0000016A65470000-memory.dmp

Filesize
64KB

Download
memory/1052-188-0x0000016A65500000-0x0000016A65510000-memory.dmp

Filesize
64KB

Download
memory/1052-185-0x0000016A654D0000-0x0000016A654E0000-memory.dmp

Filesize
64KB

Download
memory/1052-17-0x0000016A65470000-0x0000016A65480000-memory.dmp

Filesize
64KB

Download
memory/1052-187-0x0000016A654F0000-0x0000016A65500000-memory.dmp

Filesize
64KB

Download
memory/1052-186-0x0000016A654E0000-0x0000016A654F0000-memory.dmp

Filesize
64KB

Download
memory/1052-184-0x0000016A654C0000-0x0000016A654D0000-memory.dmp

Filesize
64KB

Download
memory/1052-179-0x0000016A65470000-0x0000016A65480000-memory.dmp

Filesize
64KB

Download
memory/1052-70-0x0000016A65460000-0x0000016A65470000-memory.dmp

Filesize
64KB

Download
memory/1052-175-0x0000016A638D0000-0x0000016A638D1000-memory.dmp

Filesize
4KB

Download
memory/1052-25-0x0000016A654B0000-0x0000016A654C0000-memory.dmp

Filesize
64KB

Download
memory/1052-183-0x0000016A654B0000-0x0000016A654C0000-memory.dmp

Filesize
64KB

Download
memory/1052-178-0x0000016A651E0000-0x0000016A65450000-memory.dmp

Filesize
2.4MB

Download
memory/1052-177-0x0000016A65450000-0x0000016A65460000-memory.dmp

Filesize
64KB

Download
memory/1052-181-0x0000016A65490000-0x0000016A654A0000-memory.dmp

Filesize
64KB

Download
memory/1052-24-0x0000016A654A0000-0x0000016A654B0000-memory.dmp

Filesize
64KB

Download
memory/1052-23-0x0000016A65490000-0x0000016A654A0000-memory.dmp

Filesize
64KB

Download
memory/1052-22-0x0000016A65480000-0x0000016A65490000-memory.dmp

Filesize
64KB

Download
memory/1052-35-0x0000016A65500000-0x0000016A65510000-memory.dmp

Filesize
64KB

Download
memory/1052-34-0x0000016A654F0000-0x0000016A65500000-memory.dmp

Filesize
64KB

Download
memory/1052-33-0x0000016A654E0000-0x0000016A654F0000-memory.dmp

Filesize
64KB

Download
memory/1052-32-0x0000016A654D0000-0x0000016A654E0000-memory.dmp

Filesize
64KB

Download
memory/1052-31-0x0000016A654C0000-0x0000016A654D0000-memory.dmp

Filesize
64KB

Download
memory/1052-36-0x0000016A651E0000-0x0000016A65450000-memory.dmp

Filesize
2.4MB

Download
memory/1800-228-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/1800-230-0x0000000002CB0000-0x0000000002CEC000-memory.dmp

Filesize
240KB

Download
memory/1800-229-0x0000000002C30000-0x0000000002C42000-memory.dmp

Filesize
72KB

Download
memory/2064-518-0x00000000747B0000-0x00000000747FC000-memory.dmp

Filesize
304KB

Download
memory/3884-37-0x00007FFFC4393000-0x00007FFFC4395000-memory.dmp

Filesize
8KB

Download
memory/3884-71-0x00007FFFC4390000-0x00007FFFC4E52000-memory.dmp

Filesize
10.8MB

Download
memory/3884-60-0x00007FFFC4390000-0x00007FFFC4E52000-memory.dmp

Filesize
10.8MB

Download
memory/3884-62-0x00007FFFC4390000-0x00007FFFC4E52000-memory.dmp

Filesize
10.8MB

Download
memory/4608-415-0x0000000001650000-0x0000000001658000-memory.dmp

Filesize
32KB

Download
memory/4608-413-0x0000000001640000-0x000000000164C000-memory.dmp

Filesize
48KB

Download
memory/4608-395-0x0000000000D60000-0x0000000000F50000-memory.dmp

Filesize
1.9MB

Download
memory/4608-449-0x000000001C860000-0x000000001C909000-memory.dmp

Filesize
676KB

Download
memory/4608-411-0x0000000001620000-0x000000000162E000-memory.dmp

Filesize
56KB

Download
memory/4640-508-0x00000000747B0000-0x00000000747FC000-memory.dmp

Filesize
304KB

Download
memory/4968-40-0x00000179154C0000-0x00000179154E2000-memory.dmp

Filesize
136KB

Download
memory/4968-57-0x00007FFFC4390000-0x00007FFFC4E52000-memory.dmp

Filesize
10.8MB

Download
memory/4968-72-0x00007FFFC4390000-0x00007FFFC4E52000-memory.dmp

Filesize
10.8MB

Download
memory/4968-58-0x00007FFFC4390000-0x00007FFFC4E52000-memory.dmp

Filesize
10.8MB

Download
memory/4968-61-0x00007FFFC4390000-0x00007FFFC4E52000-memory.dmp

Filesize
10.8MB

Download
memory/5012-266-0x0000000002CD0000-0x0000000002CEC000-memory.dmp

Filesize
112KB

Download
memory/5012-271-0x00000000011B0000-0x00000000011BE000-memory.dmp

Filesize
56KB

Download
memory/5012-260-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/5012-261-0x0000000002E00000-0x0000000002ED2000-memory.dmp

Filesize
840KB

Download
memory/5012-313-0x000000001C7C0000-0x000000001C869000-memory.dmp

Filesize
676KB

Download
memory/5012-264-0x00000000011A0000-0x00000000011AE000-memory.dmp

Filesize
56KB

Download
memory/5012-274-0x00000000013D0000-0x00000000013DC000-memory.dmp

Filesize
48KB

Download
memory/5012-267-0x000000001B6F0000-0x000000001B740000-memory.dmp

Filesize
320KB

Download
memory/5012-269-0x000000001B6A0000-0x000000001B6B8000-memory.dmp

Filesize
96KB

Download
memory/5608-250-0x0000000007A40000-0x00000000080BA000-memory.dmp

Filesize
6.5MB

Download
memory/5608-237-0x0000000006CF0000-0x00000000073BA000-memory.dmp

Filesize
6.8MB

Download
memory/5608-255-0x00000000080C0000-0x0000000008417000-memory.dmp

Filesize
3.3MB

Download
memory/5608-254-0x0000000006C10000-0x0000000006C5A000-memory.dmp

Filesize
296KB

Download
memory/5608-253-0x0000000006A60000-0x0000000006A7E000-memory.dmp

Filesize
120KB

Download
memory/5608-252-0x0000000006B50000-0x0000000006BB6000-memory.dmp

Filesize
408KB

Download
memory/5608-251-0x0000000006AB0000-0x0000000006B46000-memory.dmp

Filesize
600KB

Download
memory/5608-302-0x0000000009750000-0x000000000976E000-memory.dmp

Filesize
120KB

Download
memory/5608-303-0x0000000009770000-0x0000000009813000-memory.dmp

Filesize
652KB

Download
memory/5608-304-0x0000000009890000-0x000000000989A000-memory.dmp

Filesize
40KB

Download
memory/5608-257-0x0000000007940000-0x00000000079A6000-memory.dmp

Filesize
408KB

Download
memory/5608-262-0x00000000079B0000-0x00000000079D2000-memory.dmp

Filesize
136KB

Download
memory/5608-341-0x00000000097C0000-0x00000000097F2000-memory.dmp

Filesize
200KB

Download
memory/5608-248-0x00000000069D0000-0x0000000006A06000-memory.dmp

Filesize
216KB

Download
memory/5608-247-0x0000000006970000-0x000000000698A000-memory.dmp

Filesize
104KB

Download
memory/5608-272-0x0000000008510000-0x000000000855C000-memory.dmp

Filesize
304KB

Download
memory/5608-190-0x0000000000670000-0x0000000000972000-memory.dmp

Filesize
3.0MB

Download
memory/5608-211-0x0000000006320000-0x0000000006342000-memory.dmp

Filesize
136KB

Download
memory/5608-210-0x0000000005D30000-0x0000000005D38000-memory.dmp

Filesize
32KB

Download
memory/5608-209-0x0000000005D20000-0x0000000005D2A000-memory.dmp

Filesize
40KB

Download
memory/5608-202-0x0000000005250000-0x000000000525E000-memory.dmp

Filesize
56KB

Download
memory/5608-203-0x0000000005680000-0x00000000056DC000-memory.dmp

Filesize
368KB

Download
memory/5608-208-0x0000000005D10000-0x0000000005D18000-memory.dmp

Filesize
32KB

Download
memory/5608-207-0x0000000005D00000-0x0000000005D08000-memory.dmp

Filesize
32KB

Download
memory/5608-206-0x0000000005840000-0x0000000005852000-memory.dmp

Filesize
72KB

Download
memory/5608-205-0x0000000005860000-0x00000000058F2000-memory.dmp

Filesize
584KB

Download
memory/5608-204-0x0000000005D70000-0x0000000006316000-memory.dmp

Filesize
5.6MB

Download
memory/5780-396-0x00000000747B0000-0x00000000747FC000-memory.dmp

Filesize
304KB

Download
memory/5780-406-0x0000000007930000-0x00000000079D3000-memory.dmp

Filesize
652KB

Download
memory/6016-235-0x000000001B090000-0x000000001B19A000-memory.dmp

Filesize
1.0MB

Download