orcus | c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797

Analysis

max time kernel
202s
max time network
211s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe
Size

2.8MB
MD5

f7a46b53afa7814e739d59fcdbd527fc
SHA1

b1d3158156a63d3981c3d49c33bb94ef899611d6
SHA256

c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797
SHA512

0bb5d13d55fd27f1feb8c055118ba43fa0a611a2512abafbaceba0d2d3c0e5e9a45520d2f8093070589df422721f568fcc6b59fc2c994288ab5d2ec898b6b5da

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

18.221.17.220:1604

Mutex

1141a9276f324b1f8a2d4f8f2fec0ac5

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%temp%\drivers\ac2ftsdgj8m5ms5.exe
reconnect_delay
10000
registry_keyname
steam
taskscheduler_taskname
steam
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus Main Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	family_orcus
\Users\Admin\AppData\Local\Temp\tmp.exe	family_orcus
C:\Users\Admin\AppData\Local\Temp\tmp.exe	family_orcus
C:\Users\Admin\AppData\Local\Temp\tmp.exe	family_orcus

Orcurs Rat Executable 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	orcus
\Users\Admin\AppData\Local\Temp\tmp.exe	orcus
C:\Users\Admin\AppData\Local\Temp\tmp.exe	orcus
C:\Users\Admin\AppData\Local\Temp\tmp.exe	orcus
behavioral1/memory/960-111-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/960-114-0x00000000004E25DE-mapping.dmp	orcus
behavioral1/memory/960-113-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/960-112-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/960-117-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/960-119-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/276-122-0x0000000000A30000-0x0000000000B18000-memory.dmp	orcus

Executes dropped EXE 7 IoCs

Processes:

tmp.exeProcessHacker.exesvhost.exesvchost.exesvñhost.exetmp.exesvñhost.exe

pid process

1708 tmp.exe
1996 ProcessHacker.exe
2024 svhost.exe
1856 svchost.exe
1332 svñhost.exe
276 tmp.exe
960 svñhost.exe

pid	process
1708	tmp.exe
1996	ProcessHacker.exe
2024	svhost.exe
1856	svchost.exe
1332	svñhost.exe
276	tmp.exe
960	svñhost.exe

Loads dropped DLL 11 IoCs

Processes:

c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exetmp.exesvñhost.exe

pid	process
1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe
1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe
1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe
1708	tmp.exe
1708	tmp.exe
1708	tmp.exe
1708	tmp.exe
1708	tmp.exe
1332	svñhost.exe
1332	svñhost.exe
1332	svñhost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exesvñhost.exe

description	pid	process	target process
PID 1972 set thread context of 2024	1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 1332 set thread context of 960	1332	svñhost.exe	svñhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ProcessHacker.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe

NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\MsDrvOp.exe:Zone.Identifier cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\MsDrvOp.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exeProcessHacker.exesvchost.exesvñhost.exe

pid	process
1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1856	svchost.exe
1332	svñhost.exe
1332	svñhost.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ProcessHacker.exe

pid process

1996 ProcessHacker.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exeProcessHacker.exesvchost.exesvñhost.exe

description	pid	process
Token: SeDebugPrivilege	1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe
Token: SeDebugPrivilege	1996	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	1996	ProcessHacker.exe
Token: 33	1996	ProcessHacker.exe
Token: SeLoadDriverPrivilege	1996	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	1996	ProcessHacker.exe
Token: SeRestorePrivilege	1996	ProcessHacker.exe
Token: SeShutdownPrivilege	1996	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	1996	ProcessHacker.exe
Token: SeDebugPrivilege	1856	svchost.exe
Token: SeDebugPrivilege	1332	svñhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

ProcessHacker.exe

pid	process
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

ProcessHacker.exe

pid	process
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exetmp.exesvñhost.execmd.exe

description	pid	process	target process
PID 1972 wrote to memory of 1708	1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	tmp.exe
PID 1972 wrote to memory of 1708	1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	tmp.exe
PID 1972 wrote to memory of 1708	1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	tmp.exe
PID 1972 wrote to memory of 1708	1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	tmp.exe
PID 1972 wrote to memory of 2024	1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 1972 wrote to memory of 2024	1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 1972 wrote to memory of 2024	1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 1972 wrote to memory of 2024	1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 1972 wrote to memory of 2024	1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 1972 wrote to memory of 2024	1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 1972 wrote to memory of 2024	1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 1972 wrote to memory of 2024	1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 1708 wrote to memory of 1996	1708	tmp.exe	ProcessHacker.exe
PID 1708 wrote to memory of 1996	1708	tmp.exe	ProcessHacker.exe
PID 1708 wrote to memory of 1996	1708	tmp.exe	ProcessHacker.exe
PID 1708 wrote to memory of 1996	1708	tmp.exe	ProcessHacker.exe
PID 1972 wrote to memory of 2024	1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 1972 wrote to memory of 2024	1972	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 1708 wrote to memory of 1856	1708	tmp.exe	svchost.exe
PID 1708 wrote to memory of 1856	1708	tmp.exe	svchost.exe
PID 1708 wrote to memory of 1856	1708	tmp.exe	svchost.exe
PID 1708 wrote to memory of 1856	1708	tmp.exe	svchost.exe
PID 1708 wrote to memory of 1332	1708	tmp.exe	svñhost.exe
PID 1708 wrote to memory of 1332	1708	tmp.exe	svñhost.exe
PID 1708 wrote to memory of 1332	1708	tmp.exe	svñhost.exe
PID 1708 wrote to memory of 1332	1708	tmp.exe	svñhost.exe
PID 1332 wrote to memory of 1808	1332	svñhost.exe	cmd.exe
PID 1332 wrote to memory of 1808	1332	svñhost.exe	cmd.exe
PID 1332 wrote to memory of 1808	1332	svñhost.exe	cmd.exe
PID 1332 wrote to memory of 1808	1332	svñhost.exe	cmd.exe
PID 1332 wrote to memory of 692	1332	svñhost.exe	cmd.exe
PID 1332 wrote to memory of 692	1332	svñhost.exe	cmd.exe
PID 1332 wrote to memory of 692	1332	svñhost.exe	cmd.exe
PID 1332 wrote to memory of 692	1332	svñhost.exe	cmd.exe
PID 692 wrote to memory of 1244	692	cmd.exe	reg.exe
PID 692 wrote to memory of 1244	692	cmd.exe	reg.exe
PID 692 wrote to memory of 1244	692	cmd.exe	reg.exe
PID 692 wrote to memory of 1244	692	cmd.exe	reg.exe
PID 1332 wrote to memory of 1772	1332	svñhost.exe	cmd.exe
PID 1332 wrote to memory of 1772	1332	svñhost.exe	cmd.exe
PID 1332 wrote to memory of 1772	1332	svñhost.exe	cmd.exe
PID 1332 wrote to memory of 1772	1332	svñhost.exe	cmd.exe
PID 1332 wrote to memory of 996	1332	svñhost.exe	cmd.exe
PID 1332 wrote to memory of 996	1332	svñhost.exe	cmd.exe
PID 1332 wrote to memory of 996	1332	svñhost.exe	cmd.exe
PID 1332 wrote to memory of 996	1332	svñhost.exe	cmd.exe
PID 1332 wrote to memory of 276	1332	svñhost.exe	tmp.exe
PID 1332 wrote to memory of 276	1332	svñhost.exe	tmp.exe
PID 1332 wrote to memory of 276	1332	svñhost.exe	tmp.exe
PID 1332 wrote to memory of 276	1332	svñhost.exe	tmp.exe
PID 1332 wrote to memory of 960	1332	svñhost.exe	svñhost.exe
PID 1332 wrote to memory of 960	1332	svñhost.exe	svñhost.exe
PID 1332 wrote to memory of 960	1332	svñhost.exe	svñhost.exe
PID 1332 wrote to memory of 960	1332	svñhost.exe	svñhost.exe
PID 1332 wrote to memory of 960	1332	svñhost.exe	svñhost.exe
PID 1332 wrote to memory of 960	1332	svñhost.exe	svñhost.exe
PID 1332 wrote to memory of 960	1332	svñhost.exe	svñhost.exe
PID 1332 wrote to memory of 960	1332	svñhost.exe	svñhost.exe
PID 1332 wrote to memory of 960	1332	svñhost.exe	svñhost.exe

C:\Users\Admin\AppData\Local\Temp\c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe
"C:\Users\Admin\AppData\Local\Temp\c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\ProcessHacker.exe
"C:\Users\Admin\AppData\Local\Temp\ProcessHacker.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1996

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Users\Admin\AppData\Local\Temp\svñhost.exe
"C:\Users\Admin\AppData\Local\Temp\svñhost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/svñhost.exe" "%appdata%\Microsoft\MsDrvOp.exe" /Y
4⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%appdata%\Microsoft\MsDrvOp.exe.lnk" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\MsDrvOp.exe.lnk" /f
5⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\Microsoft\MsDrvOp.exe:Zone.Identifier
4⤵
- NTFS ADS
PID:1772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "%appdata%\Microsoft\MsDrvOp.exe.jpg" MsDrvOp.exe
4⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
4⤵
- Executes dropped EXE
PID:276

C:\Users\Admin\AppData\Local\Temp\svñhost.exe
"C:/Users/Admin/AppData/Local/Temp/svñhost.exe"
4⤵
- Executes dropped EXE
PID:960

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ProcessHacker.exe
Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProcessHacker.exe
Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
408KB

MD5
bcc445de41fcfbbad5c4b0b0a4ea859a

SHA1
520466387cc8283238d2b69252051de0853e2e74

SHA256
aac1eb531b6f215859319664221f762e837d5c19db39f75193ff28f768170bf0

SHA512
c2696bba3ffd74e2421de45a55c76a6dbbdd0c1c3266d711a533b9d38d9cee5a33c55b1053044ca7373b625aba37aa87d6b0b1ea61bc899ac113fdac31e92c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
408KB

MD5
bcc445de41fcfbbad5c4b0b0a4ea859a

SHA1
520466387cc8283238d2b69252051de0853e2e74

SHA256
aac1eb531b6f215859319664221f762e837d5c19db39f75193ff28f768170bf0

SHA512
c2696bba3ffd74e2421de45a55c76a6dbbdd0c1c3266d711a533b9d38d9cee5a33c55b1053044ca7373b625aba37aa87d6b0b1ea61bc899ac113fdac31e92c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svñhost.exe
Filesize
1009KB

MD5
eee2282277e64485627c058793aa65e0

SHA1
ed5ae121bf074decf9b7a95214e67874733a5cf2

SHA256
79e31aa291777d936bdbd198ebf53f3b7d230972fcf95f92908872aca6bf888c

SHA512
b5ea27c4b0e14687065c94b72fa3c177fe161a92c15aad7db48a466ea34745fbfd15d7305f022ef322f41169b81df621253ace5d0720d11eb8ccc688a251767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svñhost.exe
Filesize
1009KB

MD5
eee2282277e64485627c058793aa65e0

SHA1
ed5ae121bf074decf9b7a95214e67874733a5cf2

SHA256
79e31aa291777d936bdbd198ebf53f3b7d230972fcf95f92908872aca6bf888c

SHA512
b5ea27c4b0e14687065c94b72fa3c177fe161a92c15aad7db48a466ea34745fbfd15d7305f022ef322f41169b81df621253ace5d0720d11eb8ccc688a251767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svñhost.exe
Filesize
1009KB

MD5
eee2282277e64485627c058793aa65e0

SHA1
ed5ae121bf074decf9b7a95214e67874733a5cf2

SHA256
79e31aa291777d936bdbd198ebf53f3b7d230972fcf95f92908872aca6bf888c

SHA512
b5ea27c4b0e14687065c94b72fa3c177fe161a92c15aad7db48a466ea34745fbfd15d7305f022ef322f41169b81df621253ace5d0720d11eb8ccc688a251767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
902KB

MD5
4f569bfdf48c4193795be0c012a66d9b

SHA1
9df29ae3f4c0666303204ae3d2b36b21ff483bb9

SHA256
8c46765193808e7655ea8d2a578da25b8a064dbd5eb1a42911bd26c4d82df333

SHA512
cb1c2c6539951d66d66448c64763d4efd9127bf9a593a93179ac7ff86a8100ec2380ae947cc87f22afef78489648ba8f7a8e1664b255f182efcda138c05b602f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
902KB

MD5
4f569bfdf48c4193795be0c012a66d9b

SHA1
9df29ae3f4c0666303204ae3d2b36b21ff483bb9

SHA256
8c46765193808e7655ea8d2a578da25b8a064dbd5eb1a42911bd26c4d82df333

SHA512
cb1c2c6539951d66d66448c64763d4efd9127bf9a593a93179ac7ff86a8100ec2380ae947cc87f22afef78489648ba8f7a8e1664b255f182efcda138c05b602f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
902KB

MD5
4f569bfdf48c4193795be0c012a66d9b

SHA1
9df29ae3f4c0666303204ae3d2b36b21ff483bb9

SHA256
8c46765193808e7655ea8d2a578da25b8a064dbd5eb1a42911bd26c4d82df333

SHA512
cb1c2c6539951d66d66448c64763d4efd9127bf9a593a93179ac7ff86a8100ec2380ae947cc87f22afef78489648ba8f7a8e1664b255f182efcda138c05b602f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
2.5MB

MD5
79682b35bc0d20012d115b060b13d59e

SHA1
187d5ae4ce46095c2a05fe45fe768bbb92b3e164

SHA256
c06240ad1258978e6588fd6b4c9efe32e90d109e5728848b0aed413a4c568b5e

SHA512
b727075ce2f003de057f0aeb8e53bcadeaa5bc685bc606b8e94078bbb61a1ea84a4f66d60e50a1574785d9ad0352235028861e0625929d77cafa52fb3e9ff24e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MsDrvOp.exe
Filesize
1009KB

MD5
eee2282277e64485627c058793aa65e0

SHA1
ed5ae121bf074decf9b7a95214e67874733a5cf2

SHA256
79e31aa291777d936bdbd198ebf53f3b7d230972fcf95f92908872aca6bf888c

SHA512
b5ea27c4b0e14687065c94b72fa3c177fe161a92c15aad7db48a466ea34745fbfd15d7305f022ef322f41169b81df621253ace5d0720d11eb8ccc688a251767b

Download Submit
\Users\Admin\AppData\Local\Temp\ProcessHacker.exe
Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
408KB

MD5
bcc445de41fcfbbad5c4b0b0a4ea859a

SHA1
520466387cc8283238d2b69252051de0853e2e74

SHA256
aac1eb531b6f215859319664221f762e837d5c19db39f75193ff28f768170bf0

SHA512
c2696bba3ffd74e2421de45a55c76a6dbbdd0c1c3266d711a533b9d38d9cee5a33c55b1053044ca7373b625aba37aa87d6b0b1ea61bc899ac113fdac31e92c5b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
408KB

MD5
bcc445de41fcfbbad5c4b0b0a4ea859a

SHA1
520466387cc8283238d2b69252051de0853e2e74

SHA256
aac1eb531b6f215859319664221f762e837d5c19db39f75193ff28f768170bf0

SHA512
c2696bba3ffd74e2421de45a55c76a6dbbdd0c1c3266d711a533b9d38d9cee5a33c55b1053044ca7373b625aba37aa87d6b0b1ea61bc899ac113fdac31e92c5b

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
\Users\Admin\AppData\Local\Temp\svñhost.exe
Filesize
1009KB

MD5
eee2282277e64485627c058793aa65e0

SHA1
ed5ae121bf074decf9b7a95214e67874733a5cf2

SHA256
79e31aa291777d936bdbd198ebf53f3b7d230972fcf95f92908872aca6bf888c

SHA512
b5ea27c4b0e14687065c94b72fa3c177fe161a92c15aad7db48a466ea34745fbfd15d7305f022ef322f41169b81df621253ace5d0720d11eb8ccc688a251767b

Download Submit
\Users\Admin\AppData\Local\Temp\svñhost.exe
Filesize
1009KB

MD5
eee2282277e64485627c058793aa65e0

SHA1
ed5ae121bf074decf9b7a95214e67874733a5cf2

SHA256
79e31aa291777d936bdbd198ebf53f3b7d230972fcf95f92908872aca6bf888c

SHA512
b5ea27c4b0e14687065c94b72fa3c177fe161a92c15aad7db48a466ea34745fbfd15d7305f022ef322f41169b81df621253ace5d0720d11eb8ccc688a251767b

Download Submit
\Users\Admin\AppData\Local\Temp\svñhost.exe
Filesize
1009KB

MD5
eee2282277e64485627c058793aa65e0

SHA1
ed5ae121bf074decf9b7a95214e67874733a5cf2

SHA256
79e31aa291777d936bdbd198ebf53f3b7d230972fcf95f92908872aca6bf888c

SHA512
b5ea27c4b0e14687065c94b72fa3c177fe161a92c15aad7db48a466ea34745fbfd15d7305f022ef322f41169b81df621253ace5d0720d11eb8ccc688a251767b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
902KB

MD5
4f569bfdf48c4193795be0c012a66d9b

SHA1
9df29ae3f4c0666303204ae3d2b36b21ff483bb9

SHA256
8c46765193808e7655ea8d2a578da25b8a064dbd5eb1a42911bd26c4d82df333

SHA512
cb1c2c6539951d66d66448c64763d4efd9127bf9a593a93179ac7ff86a8100ec2380ae947cc87f22afef78489648ba8f7a8e1664b255f182efcda138c05b602f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
2.5MB

MD5
79682b35bc0d20012d115b060b13d59e

SHA1
187d5ae4ce46095c2a05fe45fe768bbb92b3e164

SHA256
c06240ad1258978e6588fd6b4c9efe32e90d109e5728848b0aed413a4c568b5e

SHA512
b727075ce2f003de057f0aeb8e53bcadeaa5bc685bc606b8e94078bbb61a1ea84a4f66d60e50a1574785d9ad0352235028861e0625929d77cafa52fb3e9ff24e

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
2.5MB

MD5
79682b35bc0d20012d115b060b13d59e

SHA1
187d5ae4ce46095c2a05fe45fe768bbb92b3e164

SHA256
c06240ad1258978e6588fd6b4c9efe32e90d109e5728848b0aed413a4c568b5e

SHA512
b727075ce2f003de057f0aeb8e53bcadeaa5bc685bc606b8e94078bbb61a1ea84a4f66d60e50a1574785d9ad0352235028861e0625929d77cafa52fb3e9ff24e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\MsDrvOp.exe
Filesize
1009KB

MD5
eee2282277e64485627c058793aa65e0

SHA1
ed5ae121bf074decf9b7a95214e67874733a5cf2

SHA256
79e31aa291777d936bdbd198ebf53f3b7d230972fcf95f92908872aca6bf888c

SHA512
b5ea27c4b0e14687065c94b72fa3c177fe161a92c15aad7db48a466ea34745fbfd15d7305f022ef322f41169b81df621253ace5d0720d11eb8ccc688a251767b

Download Submit
memory/276-122-0x0000000000A30000-0x0000000000B18000-memory.dmp

Filesize
928KB

Download
memory/276-104-0x0000000000000000-mapping.dmp

Download
memory/692-96-0x0000000000000000-mapping.dmp

Download
memory/960-112-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/960-117-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/960-126-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/960-125-0x00000000003D0000-0x00000000003E8000-memory.dmp

Filesize
96KB

Download
memory/960-124-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/960-121-0x0000000000BE0000-0x0000000000C3C000-memory.dmp

Filesize
368KB

Download
memory/960-120-0x00000000002E0000-0x00000000002EE000-memory.dmp

Filesize
56KB

Download
memory/960-119-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/960-113-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/960-114-0x00000000004E25DE-mapping.dmp

Download
memory/960-111-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/960-109-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/960-108-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/996-101-0x0000000000000000-mapping.dmp

Download
memory/1244-97-0x0000000000000000-mapping.dmp

Download
memory/1332-86-0x0000000000000000-mapping.dmp

Download
memory/1332-92-0x00000000010C0000-0x00000000011C2000-memory.dmp

Filesize
1.0MB

Download
memory/1332-93-0x00000000048A0000-0x0000000004986000-memory.dmp

Filesize
920KB

Download
memory/1708-59-0x0000000000000000-mapping.dmp

Download
memory/1772-100-0x0000000000000000-mapping.dmp

Download
memory/1808-95-0x0000000000000000-mapping.dmp

Download
memory/1856-83-0x0000000000B20000-0x0000000000B8C000-memory.dmp

Filesize
432KB

Download
memory/1856-87-0x0000000000420000-0x000000000046A000-memory.dmp

Filesize
296KB

Download
memory/1856-80-0x0000000000000000-mapping.dmp

Download
memory/1972-54-0x0000000001100000-0x00000000013C6000-memory.dmp

Filesize
2.8MB

Download
memory/1972-55-0x00000000050A0000-0x000000000532C000-memory.dmp

Filesize
2.5MB

Download
memory/1972-56-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/1996-69-0x0000000000000000-mapping.dmp

Download
memory/1996-73-0x000007FEFC5C1000-0x000007FEFC5C3000-memory.dmp

Filesize
8KB

Download
memory/2024-74-0x0000000000401AD8-mapping.dmp

Download
memory/2024-68-0x0000000000481000-0x0000000000707000-memory.dmp

Filesize
2.5MB

Download