orcus | 28fea3814d7605da249dca493eb491e1261e0a3a87ab2790328ed9b76bb6fe8a

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe
Size

1.5MB
MD5

67966a3b68b25438e90cd3d109dd5831
SHA1

e721a74be529652701fe07ced4962f225f055366
SHA256

28fea3814d7605da249dca493eb491e1261e0a3a87ab2790328ed9b76bb6fe8a
SHA512

22df6e3862e27bae6eab8e109953b4a2214ce729dd1c9c7d3986a16eb3acc06940eece3efed076556eaf00f71a9541c33d2495c6ed397a65efada8c7d47070a6
SSDEEP

24576:wxrDzROqOMsaEB7aSsv5QJiGFdEkk+SRgTfcOwtTe5CgQ:wx/zROnoEVaSwpkTSRkUR64gQ

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

linkadrum.nl:3444

Mutex

6c659710defd46d394487b3c49fa651e

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programdata%\IIS\web.deployment.exe
reconnect_delay
10000
registry_keyname
web.deployment
taskscheduler_taskname
web.deployment
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral2/memory/960-30-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Optimizesapp.dwkrgNetJfUtOZvV.lnk	Optimizesapp.exe

Executes dropped EXE 2 IoCs

pid	Process
2620	Optimizesapp.exe
960	Optimizesapp.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Optimizesapp.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Optimizesapp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2620 set thread context of 960	2620	Optimizesapp.exe	114

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Optimizesapp.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Optimizesapp.exe
File opened for modification	C:\Windows\assembly	Optimizesapp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe
Token: SeDebugPrivilege	2620	Optimizesapp.exe
Token: SeDebugPrivilege	960	Optimizesapp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
960	Optimizesapp.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 4808	3012	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe	100
PID 3012 wrote to memory of 4808	3012	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe	100
PID 3012 wrote to memory of 4808	3012	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe	100
PID 3012 wrote to memory of 1488	3012	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe	103
PID 3012 wrote to memory of 1488	3012	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe	103
PID 3012 wrote to memory of 1488	3012	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe	103
PID 2240 wrote to memory of 2620	2240	explorer.exe	105
PID 2240 wrote to memory of 2620	2240	explorer.exe	105
PID 2240 wrote to memory of 2620	2240	explorer.exe	105
PID 2620 wrote to memory of 960	2620	Optimizesapp.exe	114
PID 2620 wrote to memory of 960	2620	Optimizesapp.exe	114
PID 2620 wrote to memory of 960	2620	Optimizesapp.exe	114
PID 2620 wrote to memory of 960	2620	Optimizesapp.exe	114
PID 2620 wrote to memory of 960	2620	Optimizesapp.exe	114
PID 2620 wrote to memory of 960	2620	Optimizesapp.exe	114
PID 2620 wrote to memory of 960	2620	Optimizesapp.exe	114
PID 2620 wrote to memory of 960	2620	Optimizesapp.exe	114
PID 960 wrote to memory of 4808	960	Optimizesapp.exe	115
PID 960 wrote to memory of 4808	960	Optimizesapp.exe	115
PID 960 wrote to memory of 4808	960	Optimizesapp.exe	115
PID 4808 wrote to memory of 3920	4808	csc.exe	117
PID 4808 wrote to memory of 3920	4808	csc.exe	117
PID 4808 wrote to memory of 3920	4808	csc.exe	117

C:\Users\Admin\AppData\Local\Temp\67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Optimizesapp.exe"
  2⤵
  PID:4808
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Optimizesapp.exe"
  2⤵
  PID:1488

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Optimizesapp.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Optimizesapp.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Optimizesapp.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Optimizesapp.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\owf21bga.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4808
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25DE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC25DD.tmp"
        5⤵
        
        PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C987C966D19B79B9D9F35B962FCC8FA

Filesize
604B

MD5
5a1ab1871c1dd0bbe715482943c74be6

SHA1
da4ce17e39abb581883120980f00a91cb029127c

SHA256
5fab31aa7540eaebb07d0315e540564b06d612b4b4eb3f2a645fd86a59e6b37c

SHA512
88d80e7ffc33aadb7e28363aad82f51e78bc09ef3ef193a7acb867c825bf633b04bb623796e699262c2f1b40f339bc5277b5520f17d87b2d1f6724288330545d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_DA4083211FC1CAD4C1215FF8726EF9C8

Filesize
1KB

MD5
2c28b249b0c08c7f397dd72e5fd345bf

SHA1
0494b5a4f44cb34d6e411e4fe1bcfb10e2a0fdfd

SHA256
f3fe4e8b4e7b074596654699ab00ce13ef6f18bf70750600294e326412d0ac20

SHA512
6137b469a8dba9d1a7041490d5a75050e76abefb0761e17b39706812e3e21af9ecac012e5063654966f783c945a5b5d7866845df11164382bc5d69d0e571822d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2

Filesize
394B

MD5
37b8693105200b82d4de7ea8d1ffed20

SHA1
06edbfcccb54f360d7bac147ea883afc0f736bb7

SHA256
11c46f794727b7a83955db9d9675624769ff49b537ee04e105095fd472c4259c

SHA512
3c59b2912ada0a8eed19d0a0e18b878c50e202b84d03cf2aec9b82d2aca3bc63217edd1ab407a3a81ca2fb1e8353f013a5ae4790d068a7a99e814860a59da8f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C987C966D19B79B9D9F35B962FCC8FA

Filesize
184B

MD5
960d24a16130608c272924728ade4c14

SHA1
f3392c5e36027b445199e1a1d86b97ecf311e8ce

SHA256
8692082b84a3d6b8f2fc3ec829202d40ec4382a8567cdabc49a514eac056e408

SHA512
ebd90ff334683f34826a19643aa917b82708740702cf371f0d5f809e72d52727330ba3344bc3bfb39dabde69f59dad0344962f8e89f4982535f56979ddb42ade

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_DA4083211FC1CAD4C1215FF8726EF9C8

Filesize
402B

MD5
43a0714e2c79819002eff45205d860a5

SHA1
9a28a7058a62abc5438bbab34dbb92debbb4fbb2

SHA256
65d4209a20703260fc91e33d9056e38197c875992793580b188e250a49fff357

SHA512
fbc9a8241941bac8e10f122767410844b9d2216a08b47be99332bb26789b55a5a778ce0179499878bf7b4617a5c03a8327dff4663c414eb3f4c32d000d2d535b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Optimizesapp.exe

Filesize
1.5MB

MD5
67966a3b68b25438e90cd3d109dd5831

SHA1
e721a74be529652701fe07ced4962f225f055366

SHA256
28fea3814d7605da249dca493eb491e1261e0a3a87ab2790328ed9b76bb6fe8a

SHA512
22df6e3862e27bae6eab8e109953b4a2214ce729dd1c9c7d3986a16eb3acc06940eece3efed076556eaf00f71a9541c33d2495c6ed397a65efada8c7d47070a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES25DE.tmp

Filesize
1KB

MD5
678a8fa499e6fc3fb855395446a51dbf

SHA1
edfca999fe085351b065cd36aa9d8b92b4ebd50a

SHA256
289fc1b2f10387845e70e90773562249e7045454c1e77ee2df77659fafbf5966

SHA512
845fb43580d17daf4d8095e350cacdffaf9160ab009dd5afc186a4efc0894de113e0edef0c867bfdb78a079d5e9ad203bfe86fb2433f4ad6aaa587824c63b54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\owf21bga.dll

Filesize
76KB

MD5
095437a7c197511de7dcc1753dc31d05

SHA1
1a720873438adab05d1bab5ef338f619d83b3733

SHA256
b8d838aada4820879346ef7331b9aa3c7d1fb2056e60c3f466d48e5f01c1ef30

SHA512
09725f127b7af2adee38f90ccb1593f87d4a36dbfe80736792b7ddf8d7d39908aaff864c9dcbe72a6792267f62cda73976a3e4ba78c211f28bb27460aac8e5ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC25DD.tmp

Filesize
676B

MD5
b11fa191b118c219c3b30e50575dbc57

SHA1
0bbfc98b2f77a4db638d5a959489c51329e0e072

SHA256
68cc76c60222c2eca363ae87db5c68f61316a0ec598692f7c79989aa90ce1645

SHA512
78038714d4aa0c7e18fec06d89e21c3a8a6def5c72b0bde76e3a4c487a226f666bfaa886d311b1e1c9d9ccd37837be4b053f68e23fcfb458231ce76506689ba6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\owf21bga.0.cs

Filesize
208KB

MD5
fda8f6122dfe4b29fb6e81f8464d2d93

SHA1
0a3c180c556bf3eb02c34399abd37dd84911a6fa

SHA256
33cb6036d864b75dbc969800fdb6c08daa740da853c4a533283a434a0c81b628

SHA512
27d3a18a720768ef1e929690d2d7ae40d0042eb498300f2fab3dbb3da66261229f574bb09e0daf2cdbba5d60acabf5268acc14e52cc9dc66bc4804aba59ffae3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\owf21bga.cmdline

Filesize
347B

MD5
5573917bb5b64f1deed2a93c3b99510e

SHA1
0a61cf41aa2b7ec85898e2d0d6237cd4b7b29fc9

SHA256
0186f6b1cfe88e4a14c601665d358c3bee461f20f63aed889236af16c2aa6534

SHA512
0d200f316bcf56effd81a1f0f41f975f2a43916a2a77a6bb2546cbb6ba3f0003b30218cba617bd52b19018ce6369ce7cae8288ab300112865ecf3a3c913b374d

Download Submit
memory/960-30-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3012-17-0x0000000074E92000-0x0000000074E93000-memory.dmp

Filesize
4KB

Download
memory/3012-0-0x0000000074E92000-0x0000000074E93000-memory.dmp

Filesize
4KB

Download
memory/3012-16-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3012-1-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3012-2-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3012-21-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download