orcus | 098c48ea4fb2c2f4efefba74a6e4c3c4c0367ed8a257786fcf3cc9d9d08f8377

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
Size

2.3MB
MD5

87f7d55dbf9bd13dd5440ef0a51fec2e
SHA1

b57facd3bda38c5fca68a44898cc7930d727e48c
SHA256

098c48ea4fb2c2f4efefba74a6e4c3c4c0367ed8a257786fcf3cc9d9d08f8377
SHA512

b887e2b340a22a0a6607ef5396bb5d75ac68c6a7d06e0def3fbaa86fb59696c89399b6b83a870f7fb88f5804e055ce8f873d811d2b58ff6471e700c6bc3d1659
SSDEEP

49152:3AyKUOPuD8C+N+3M/i5cdRW2CVip0CfXl2LXV7eoW:bh8YNcdRW2KiRgF5W

Score

10^/10

orcus defense_evasion discovery persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

37.46.150.253:1337

Mutex

42a98ed1b2ce431689d696f918634edc

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Windows Defender\Windows Defender.exe
reconnect_delay
10000
registry_keyname
Windows Defender
taskscheduler_taskname
Windows Defender Service
watchdog_path
Temp\Windows Defender.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0034000000016d5a-7.dat	family_orcus

Orcurs Rat Executable 7 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0034000000016d5a-7.dat	orcus
behavioral1/memory/2732-27-0x0000000000400000-0x00000000004EC000-memory.dmp	orcus
behavioral1/memory/2732-25-0x0000000000400000-0x00000000004EC000-memory.dmp	orcus
behavioral1/memory/2732-22-0x0000000000400000-0x00000000004EC000-memory.dmp	orcus
behavioral1/memory/2732-20-0x0000000000400000-0x00000000004EC000-memory.dmp	orcus
behavioral1/memory/2732-19-0x0000000000400000-0x00000000004EC000-memory.dmp	orcus
behavioral1/memory/2732-1064-0x00000000051D0000-0x00000000052BC000-memory.dmp	orcus

Executes dropped EXE 11 IoCs

Processes:

tmp.exesvhost.exeWindows Defender.exesvchost.exetmp.exesvhost.exeWindows Defender.exeWindows Defender.exeWindows Defender.exeWindows Defender.exesvchost.exe

pid	Process
1928	tmp.exe
2732	svhost.exe
1916	Windows Defender.exe
1964	svchost.exe
2336	tmp.exe
1912	svhost.exe
2980	Windows Defender.exe
2236	Windows Defender.exe
2708	Windows Defender.exe
2072	Windows Defender.exe
2484	svchost.exe

Loads dropped DLL 18 IoCs

Processes:

87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exesvhost.execmd.exesvchost.exeWindows Defender.exe

pid	Process
2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
2732	svhost.exe
2732	svhost.exe
2732	svhost.exe
2732	svhost.exe
2732	svhost.exe
2732	svhost.exe
2732	svhost.exe
2732	svhost.exe
2732	svhost.exe
1068	cmd.exe
1068	cmd.exe
1964	svchost.exe
1964	svchost.exe
2708	Windows Defender.exe
1068	cmd.exe
1068	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Windows Defender.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "\"C:\\Program Files\\Windows Defender\\Windows Defender.exe\""	Windows Defender.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exe

pid	Process
2724	tasklist.exe
1716	tasklist.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exesvchost.exe

description	pid	Process	procid_target
PID 2764 set thread context of 2732	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	31
PID 1964 set thread context of 1912	1964	svchost.exe	54

Drops file in Program Files directory 6 IoCs

Processes:

tmp.exesvhost.exe

description	ioc	Process
File created	C:\Program Files\Windows Defender\Windows Defender.exe.config	tmp.exe
File created	C:\Program Files (x86)\Windows Defender\Windows Defender.exe	svhost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\Windows Defender.exe	svhost.exe
File created	C:\Program Files (x86)\Windows Defender\Windows Defender.exe.config	svhost.exe
File created	C:\Program Files\Windows Defender\Windows Defender.exe	tmp.exe
File opened for modification	C:\Program Files\Windows Defender\Windows Defender.exe	tmp.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

cmd.execmd.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tasklist.exesvchost.exetimeout.execmd.exeWindows Defender.execmd.exeWindows Defender.exesvchost.exesvhost.execmd.exe87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exesvhost.execmd.exeWindows Defender.exereg.execmd.exetimeout.exereg.execmd.exetasklist.execmd.exefind.exefind.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Defender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Defender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Defender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe

Delays execution with timeout.exe 2 IoCs

evasion

Processes:

timeout.exetimeout.exe

pid	Process
2384	timeout.exe
2316	timeout.exe

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exesvchost.exeWindows Defender.exeWindows Defender.exe

pid	Process
2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
2980	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe
2980	Windows Defender.exe
2980	Windows Defender.exe
2072	Windows Defender.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exetasklist.exesvchost.exeWindows Defender.exeWindows Defender.exeWindows Defender.exetasklist.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
Token: 33	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
Token: SeDebugPrivilege	2724	tasklist.exe
Token: SeDebugPrivilege	1964	svchost.exe
Token: 33	1964	svchost.exe
Token: SeIncBasePriorityPrivilege	1964	svchost.exe
Token: SeDebugPrivilege	2980	Windows Defender.exe
Token: SeDebugPrivilege	2708	Windows Defender.exe
Token: SeDebugPrivilege	2072	Windows Defender.exe
Token: SeDebugPrivilege	1716	tasklist.exe
Token: SeDebugPrivilege	2484	svchost.exe
Token: 33	2484	svchost.exe
Token: SeIncBasePriorityPrivilege	2484	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Defender.exe

pid	Process
2980	Windows Defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.execmd.execmd.exetmp.execsc.exesvhost.exesvchost.exetmp.exe

description	pid	Process	procid_target
PID 2764 wrote to memory of 1928	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	30
PID 2764 wrote to memory of 1928	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	30
PID 2764 wrote to memory of 1928	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	30
PID 2764 wrote to memory of 1928	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	30
PID 2764 wrote to memory of 2732	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	31
PID 2764 wrote to memory of 2732	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	31
PID 2764 wrote to memory of 2732	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	31
PID 2764 wrote to memory of 2732	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	31
PID 2764 wrote to memory of 2732	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	31
PID 2764 wrote to memory of 2732	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	31
PID 2764 wrote to memory of 2732	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	31
PID 2764 wrote to memory of 2732	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	31
PID 2764 wrote to memory of 2732	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	31
PID 2764 wrote to memory of 2580	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	32
PID 2764 wrote to memory of 2580	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	32
PID 2764 wrote to memory of 2580	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	32
PID 2764 wrote to memory of 2580	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	32
PID 2764 wrote to memory of 2612	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	34
PID 2764 wrote to memory of 2612	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	34
PID 2764 wrote to memory of 2612	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	34
PID 2764 wrote to memory of 2612	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	34
PID 2612 wrote to memory of 1064	2612	cmd.exe	36
PID 2612 wrote to memory of 1064	2612	cmd.exe	36
PID 2612 wrote to memory of 1064	2612	cmd.exe	36
PID 2612 wrote to memory of 1064	2612	cmd.exe	36
PID 2764 wrote to memory of 2828	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	37
PID 2764 wrote to memory of 2828	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	37
PID 2764 wrote to memory of 2828	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	37
PID 2764 wrote to memory of 2828	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	37
PID 2764 wrote to memory of 1068	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	39
PID 2764 wrote to memory of 1068	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	39
PID 2764 wrote to memory of 1068	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	39
PID 2764 wrote to memory of 1068	2764	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	39
PID 1068 wrote to memory of 2384	1068	cmd.exe	41
PID 1068 wrote to memory of 2384	1068	cmd.exe	41
PID 1068 wrote to memory of 2384	1068	cmd.exe	41
PID 1068 wrote to memory of 2384	1068	cmd.exe	41
PID 1928 wrote to memory of 636	1928	tmp.exe	42
PID 1928 wrote to memory of 636	1928	tmp.exe	42
PID 1928 wrote to memory of 636	1928	tmp.exe	42
PID 636 wrote to memory of 3056	636	csc.exe	44
PID 636 wrote to memory of 3056	636	csc.exe	44
PID 636 wrote to memory of 3056	636	csc.exe	44
PID 2732 wrote to memory of 1916	2732	svhost.exe	45
PID 2732 wrote to memory of 1916	2732	svhost.exe	45
PID 2732 wrote to memory of 1916	2732	svhost.exe	45
PID 2732 wrote to memory of 1916	2732	svhost.exe	45
PID 1068 wrote to memory of 2724	1068	cmd.exe	47
PID 1068 wrote to memory of 2724	1068	cmd.exe	47
PID 1068 wrote to memory of 2724	1068	cmd.exe	47
PID 1068 wrote to memory of 2724	1068	cmd.exe	47
PID 1068 wrote to memory of 1968	1068	cmd.exe	48
PID 1068 wrote to memory of 1968	1068	cmd.exe	48
PID 1068 wrote to memory of 1968	1068	cmd.exe	48
PID 1068 wrote to memory of 1968	1068	cmd.exe	48
PID 1068 wrote to memory of 1964	1068	cmd.exe	50
PID 1068 wrote to memory of 1964	1068	cmd.exe	50
PID 1068 wrote to memory of 1964	1068	cmd.exe	50
PID 1068 wrote to memory of 1964	1068	cmd.exe	50
PID 1964 wrote to memory of 2336	1964	svchost.exe	51
PID 1964 wrote to memory of 2336	1964	svchost.exe	51
PID 1964 wrote to memory of 2336	1964	svchost.exe	51
PID 1964 wrote to memory of 2336	1964	svchost.exe	51
PID 2336 wrote to memory of 2676	2336	tmp.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\28p877-8.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F41.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5F40.tmp"
      4⤵
      PID:3056
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Program Files (x86)\Windows Defender\Windows Defender.exe
    "C:\Program Files (x86)\Windows Defender\Windows Defender.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe" "%temp%\FolderN\svchost.exe" /Y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\svchost.exe.lnk" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\svchost.exe:Zone.Identifier
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 60
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2384
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /nh /fi "imagename eq .exe"
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\SysWOW64\find.exe
    find /i ".exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1968
- - C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wcy9g5qy.cmdline"
        5⤵
        
        PID:2676
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5DDA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5DD9.tmp"
        6⤵
        
        PID:2436
    - - C:\Program Files\Windows Defender\Windows Defender.exe
        
        "C:\Program Files\Windows Defender\Windows Defender.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2980
      - C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" /launchSelfAndExit "C:\Program Files\Windows Defender\Windows Defender.exe" 2980 /protectFile
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" /watchProcess "C:\Program Files\Windows Defender\Windows Defender.exe" 2980 "/protectFile"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1912
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/FolderN/svchost.exe" "%temp%\FolderN\svchost.exe" /Y
      4⤵
      System Location Discovery: System Language Discovery
      PID:1248
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\svchost.exe.lnk" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2864
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe.lnk" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\svchost.exe:Zone.Identifier
      4⤵
      Subvert Trust Controls: Mark-of-the-Web Bypass
      System Location Discovery: System Language Discovery
      NTFS ADS
      PID:2812
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 60
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2316
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /nh /fi "imagename eq .exe"
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\SysWOW64\find.exe
    find /i ".exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
- - C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2484

C:\Windows\system32\taskeng.exe
taskeng.exe {CD54DC01-1CBC-4017-AFCC-06A094AAE76B} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
1⤵
PID:2636
- C:\Program Files\Windows Defender\Windows Defender.exe
  "C:\Program Files\Windows Defender\Windows Defender.exe"
  2⤵
  - Executes dropped EXE
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\Windows Defender.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\28p877-8.dll

Filesize
76KB

MD5
8d9a2ab10b62cf96ed30f48201539541

SHA1
1da1fccd975e9e324239a5be24a12f6db7c78410

SHA256
582b4edaad8dba10403744a1b6cdef459a4a10cbff877cc42690b39d21546a7d

SHA512
a35016f9528290b63cf4478c4b78429c0af45067ae07fc6e499c87ed5fb0821e78b1fb1ea43e80e3b076cea84540ee21dffb6b4a36ebe262a08e22a08ca421aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe

Filesize
2.3MB

MD5
87f7d55dbf9bd13dd5440ef0a51fec2e

SHA1
b57facd3bda38c5fca68a44898cc7930d727e48c

SHA256
098c48ea4fb2c2f4efefba74a6e4c3c4c0367ed8a257786fcf3cc9d9d08f8377

SHA512
b887e2b340a22a0a6607ef5396bb5d75ac68c6a7d06e0def3fbaa86fb59696c89399b6b83a870f7fb88f5804e055ce8f873d811d2b58ff6471e700c6bc3d1659

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe.bat

Filesize
194B

MD5
d09b6e9cef61c36a40e11f365a1ac118

SHA1
6c9deeb56ecbeb2a4a4388b63a1bc4a889ed82c9

SHA256
d1e14b1fc5ac0d3d70e1c227d63d4371e7fae6bf0198d741ee889c2c935ed952

SHA512
26b31b1e3f6c86b381549127e533a1d20b68fecc1b6c3fab94a82ce5a4acab19a570928bc3666a3752f65a09138ac3dc5ac7d726763fceb16662e823ebb8b331

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe.lnk

Filesize
964B

MD5
aaffedd403224bca4e71ae2e4870ab0f

SHA1
50bee8ff90a78b3beb54ac86705e456f08059b00

SHA256
4df60f803e12b2f8c616ff7ca1b986dd5f4deca188ed0ccd74f121017afca3ca

SHA512
066685b430c383fca239a19843b1e37375637364602d5524bcc8b4a71809700f4a969af4a7fa0ee46db97f6319bd0879eba2afb081ccd45645b4852de63ab47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5DDA.tmp

Filesize
1KB

MD5
13ad57f03a8a979bf3f147923ce15a68

SHA1
697074966d16c846b676879684cfb9a0faf9eed1

SHA256
058257b4ac3c96b858ba617ecec424d6ad47e65e57e1f70e8508d88ef20adfba

SHA512
4980027c83ca62afd7dbc60f2740f0e38ed74ca1e762813db4f1e51d00744b8e4fdd21ded0a27fa43b5410ddde76d2ee576f51bd89a439cdd641997827e3a74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5F41.tmp

Filesize
1KB

MD5
90fbafc305face723f6cc0ae2f9e6cbe

SHA1
f5a8cf0045f87520b603e373e12eb6a28696b5d4

SHA256
6fc4b6a0004e3714e015cd7eeb9a8fb3beb34ece15f626a0827ebf908ded18fe

SHA512
d0e527c91e271b4ab5a2e573bc55519b803d04ca25c41a0c2725968c954a51fb014234cb20dde4e8bec2bae95c3051554c4aa6cd22cad7e65878798e4465e81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
918KB

MD5
51842fb9ba927d1a3ef14819f508b670

SHA1
ce113069ff7137fd812e9df67c6c46a367fb9eb3

SHA256
5c83c924a159e999326d20004b40f0de029b55502fe9faca30a52b0c80486061

SHA512
36872e35893ba1b301560d1788c8081156c5d1fde9dadd049b59a587b8c094c0de18b8b5fd1265a2577f0e854b6735690fbf300e9537ddf6739d43fda6a2a011

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcy9g5qy.dll

Filesize
76KB

MD5
f11ebd2b45c88ba5af7f7a61f47ca4d1

SHA1
6a15ff2845e07c9cf612d3a4d8ac84f49c7bed96

SHA256
12c88cf7a38e8167b5dfca5a144c08d26ea9c35e68701cdd58d846033f4b7838

SHA512
b902cce7ddcc13197a9c07fd299799e8d7297ed93644b6e0d2305502016d80cd5dc42ea23672c53ea639283517ad8e768125be86e6bf138a0ff884662b4989a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\28p877-8.0.cs

Filesize
208KB

MD5
6011503497b1b9250a05debf9690e52c

SHA1
897aea61e9bffc82d7031f1b3da12fb83efc6d82

SHA256
08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434

SHA512
604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\28p877-8.cmdline

Filesize
349B

MD5
5c6f2121e8cb5709f0667519a401616c

SHA1
b9422ee49636db826d0ce3d444492a71aa3bd953

SHA256
a29e8c6fe75a4ee8dcab4f4fc949e887a3371e42955d1ce18976904305014e4b

SHA512
269ee579c1f1b3dcb8e2dbbcf1d778ad03671ad92fb219467bbd6a7f115ccc674d7047181cafc39f34049b24ad157c626976b52a07016a36c909d87062391770

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5DD9.tmp

Filesize
676B

MD5
c416339f13b24c46210ec5b6f87ab5d7

SHA1
7a2434be127fa62a8fb095199cdf00ec1990143e

SHA256
25ccc06317ef4ae82f858ae46d9d49b7f360c89f15e43f6586f4c5fc29d15117

SHA512
8c8885dec26a38f9b9d88e773b6a9bb511b17b02674e12e7b9f765b14afaacc6cb8c70147764f9a99511b8efced7ace22f500cfbe4cf5592acf982ec5619c7d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5F40.tmp

Filesize
676B

MD5
7676bc4bdd58566b2399447ab5168a13

SHA1
cbd15edae85d573f44bb8c9019931e3ee6a3fbff

SHA256
57cae220a5307642b515993a8ffeaf29efb977c70521823cdcb4488594746d55

SHA512
b108027d3ffa4bd89ca02f1bb700b93572c67e71d359dadb2d23dc9e408f61ae97c7ca0bfead4b7bc046dddf04d427dffc356083394f47d9d22709115807ad76

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wcy9g5qy.0.cs

Filesize
208KB

MD5
250321226bbc2a616d91e1c82cb4ab2b

SHA1
7cffd0b2e9c842865d8961386ab8fcfac8d04173

SHA256
ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d

SHA512
bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wcy9g5qy.cmdline

Filesize
349B

MD5
b5ebf93672e6ab5336be3a3b5588e4e7

SHA1
b9cb7cb50568f0ad8d5a9acb39861592af1c11b5

SHA256
b2d35d3669395a77e42a0a02835e4a599d56627617d0d2f7079a33496f632354

SHA512
2c10e936d6a82dd3eb14df141370fdb62eafb27f3ff931fff7dd5383b15370e455235e3891399a695248343857d9c8c1d83b39bea9da0df071a3a531554f823d

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/1928-1045-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download
memory/1928-30-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download
memory/1928-33-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download
memory/1928-116-0x0000000002090000-0x00000000020A6000-memory.dmp

Filesize
88KB

Download
memory/1928-29-0x0000000000730000-0x000000000073E000-memory.dmp

Filesize
56KB

Download
memory/1928-11-0x00000000021C0000-0x000000000221C000-memory.dmp

Filesize
368KB

Download
memory/1928-10-0x000007FEF582E000-0x000007FEF582F000-memory.dmp

Filesize
4KB

Download
memory/2732-1138-0x0000000004240000-0x0000000004290000-memory.dmp

Filesize
320KB

Download
memory/2732-1240-0x0000000004250000-0x0000000004260000-memory.dmp

Filesize
64KB

Download
memory/2732-55-0x00000000051D0000-0x000000000525E000-memory.dmp

Filesize
568KB

Download
memory/2732-69-0x00000000057E0000-0x0000000005892000-memory.dmp

Filesize
712KB

Download
memory/2732-74-0x0000000040000000-0x0000000040034000-memory.dmp

Filesize
208KB

Download
memory/2732-85-0x0000000040000000-0x0000000040066000-memory.dmp

Filesize
408KB

Download
memory/2732-80-0x0000000040000000-0x00000000400E6000-memory.dmp

Filesize
920KB

Download
memory/2732-95-0x0000000040000000-0x000000004017D000-memory.dmp

Filesize
1.5MB

Download
memory/2732-89-0x0000000040000000-0x0000000040061000-memory.dmp

Filesize
388KB

Download
memory/2732-45-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2732-46-0x00000000040D0000-0x00000000040D8000-memory.dmp

Filesize
32KB

Download
memory/2732-44-0x0000000001EC0000-0x0000000001ED2000-memory.dmp

Filesize
72KB

Download
memory/2732-107-0x0000000040000000-0x0000000040039000-memory.dmp

Filesize
228KB

Download
memory/2732-15-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2732-101-0x0000000040000000-0x00000000400AC000-memory.dmp

Filesize
688KB

Download
memory/2732-222-0x0000000004210000-0x0000000004266000-memory.dmp

Filesize
344KB

Download
memory/2732-1009-0x0000000004110000-0x000000000411A000-memory.dmp

Filesize
40KB

Download
memory/2732-17-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2732-1056-0x0000000004E40000-0x0000000004E80000-memory.dmp

Filesize
256KB

Download
memory/2732-1068-0x0000000005930000-0x0000000005A7C000-memory.dmp

Filesize
1.3MB

Download
memory/2732-1064-0x00000000051D0000-0x00000000052BC000-memory.dmp

Filesize
944KB

Download
memory/2732-1061-0x0000000004E40000-0x0000000004E80000-memory.dmp

Filesize
256KB

Download
memory/2732-1058-0x0000000005930000-0x0000000005A7C000-memory.dmp

Filesize
1.3MB

Download
memory/2732-1112-0x0000000004DD0000-0x0000000004DF6000-memory.dmp

Filesize
152KB

Download
memory/2732-1113-0x0000000004260000-0x0000000004278000-memory.dmp

Filesize
96KB

Download
memory/2732-1120-0x0000000040000000-0x000000004003B000-memory.dmp

Filesize
236KB

Download
memory/2732-1124-0x0000000004320000-0x0000000004336000-memory.dmp

Filesize
88KB

Download
memory/2732-1128-0x0000000004260000-0x000000000427C000-memory.dmp

Filesize
112KB

Download
memory/2732-1127-0x0000000004DD0000-0x0000000004DF6000-memory.dmp

Filesize
152KB

Download
memory/2732-1126-0x0000000004250000-0x0000000004258000-memory.dmp

Filesize
32KB

Download
memory/2732-1125-0x0000000004DD0000-0x0000000004DFA000-memory.dmp

Filesize
168KB

Download
memory/2732-1129-0x00000000057E0000-0x00000000058EA000-memory.dmp

Filesize
1.0MB

Download
memory/2732-1131-0x0000000004260000-0x0000000004280000-memory.dmp

Filesize
128KB

Download
memory/2732-1130-0x0000000004250000-0x000000000425C000-memory.dmp

Filesize
48KB

Download
memory/2732-1132-0x0000000004DD0000-0x0000000004DF6000-memory.dmp

Filesize
152KB

Download
memory/2732-1133-0x0000000004EF0000-0x0000000004F6B000-memory.dmp

Filesize
492KB

Download
memory/2732-1134-0x0000000004240000-0x0000000004246000-memory.dmp

Filesize
24KB

Download
memory/2732-1135-0x0000000004240000-0x000000000424C000-memory.dmp

Filesize
48KB

Download
memory/2732-1136-0x0000000004EF0000-0x0000000004FBC000-memory.dmp

Filesize
816KB

Download
memory/2732-1137-0x0000000004E40000-0x0000000004E9B000-memory.dmp

Filesize
364KB

Download
memory/2732-27-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2732-1219-0x0000000004260000-0x000000000427C000-memory.dmp

Filesize
112KB

Download
memory/2732-1218-0x0000000004260000-0x0000000004272000-memory.dmp

Filesize
72KB

Download
memory/2732-1230-0x0000000004DD0000-0x0000000004DF6000-memory.dmp

Filesize
152KB

Download
memory/2732-1231-0x0000000004250000-0x000000000425A000-memory.dmp

Filesize
40KB

Download
memory/2732-1232-0x0000000004250000-0x000000000425C000-memory.dmp

Filesize
48KB

Download
memory/2732-1233-0x0000000004250000-0x000000000425A000-memory.dmp

Filesize
40KB

Download
memory/2732-1234-0x0000000004260000-0x000000000427E000-memory.dmp

Filesize
120KB

Download
memory/2732-1235-0x0000000004260000-0x000000000427E000-memory.dmp

Filesize
120KB

Download
memory/2732-1236-0x0000000004250000-0x0000000004258000-memory.dmp

Filesize
32KB

Download
memory/2732-1237-0x0000000004250000-0x000000000425A000-memory.dmp

Filesize
40KB

Download
memory/2732-1238-0x0000000004250000-0x000000000425E000-memory.dmp

Filesize
56KB

Download
memory/2732-1239-0x0000000004260000-0x0000000004274000-memory.dmp

Filesize
80KB

Download
memory/2732-61-0x00000000057E0000-0x00000000058CE000-memory.dmp

Filesize
952KB

Download
memory/2732-1241-0x0000000004250000-0x000000000425C000-memory.dmp

Filesize
48KB

Download
memory/2732-1242-0x00000000051D0000-0x00000000052A5000-memory.dmp

Filesize
852KB

Download
memory/2732-1243-0x0000000004DD0000-0x0000000004DF8000-memory.dmp

Filesize
160KB

Download
memory/2732-1245-0x0000000004DD0000-0x0000000004DF6000-memory.dmp

Filesize
152KB

Download
memory/2732-1244-0x0000000004260000-0x0000000004280000-memory.dmp

Filesize
128KB

Download
memory/2732-1246-0x0000000004250000-0x000000000425A000-memory.dmp

Filesize
40KB

Download
memory/2732-1247-0x0000000004250000-0x000000000425C000-memory.dmp

Filesize
48KB

Download
memory/2732-1248-0x0000000004250000-0x000000000425C000-memory.dmp

Filesize
48KB

Download
memory/2732-1249-0x0000000004250000-0x000000000425C000-memory.dmp

Filesize
48KB

Download
memory/2732-1250-0x0000000004260000-0x0000000004274000-memory.dmp

Filesize
80KB

Download
memory/2732-1252-0x0000000004260000-0x0000000004278000-memory.dmp

Filesize
96KB

Download
memory/2732-1251-0x0000000004260000-0x0000000004278000-memory.dmp

Filesize
96KB

Download
memory/2732-1253-0x0000000004250000-0x000000000425C000-memory.dmp

Filesize
48KB

Download
memory/2732-1254-0x0000000004250000-0x000000000425C000-memory.dmp

Filesize
48KB

Download
memory/2732-1255-0x0000000004250000-0x000000000425C000-memory.dmp

Filesize
48KB

Download
memory/2732-1256-0x0000000004250000-0x0000000004260000-memory.dmp

Filesize
64KB

Download
memory/2732-1257-0x0000000004250000-0x000000000425E000-memory.dmp

Filesize
56KB

Download
memory/2732-1258-0x0000000004DD0000-0x0000000004DF2000-memory.dmp

Filesize
136KB

Download
memory/2732-1259-0x0000000004260000-0x000000000427C000-memory.dmp

Filesize
112KB

Download
memory/2732-1260-0x0000000004DD0000-0x0000000004DFC000-memory.dmp

Filesize
176KB

Download
memory/2732-1261-0x0000000004260000-0x0000000004274000-memory.dmp

Filesize
80KB

Download
memory/2732-1262-0x0000000004250000-0x0000000004258000-memory.dmp

Filesize
32KB

Download
memory/2732-1263-0x0000000004260000-0x000000000427A000-memory.dmp

Filesize
104KB

Download
memory/2732-1264-0x0000000004250000-0x000000000425C000-memory.dmp

Filesize
48KB

Download
memory/2732-1265-0x0000000004250000-0x000000000425E000-memory.dmp

Filesize
56KB

Download
memory/2732-1267-0x0000000004E40000-0x0000000004E80000-memory.dmp

Filesize
256KB

Download
memory/2732-1266-0x0000000004250000-0x000000000425A000-memory.dmp

Filesize
40KB

Download
memory/2732-1268-0x0000000004260000-0x0000000004272000-memory.dmp

Filesize
72KB

Download
memory/2732-1269-0x0000000004250000-0x000000000425E000-memory.dmp

Filesize
56KB

Download
memory/2732-1270-0x0000000004DD0000-0x0000000004DF4000-memory.dmp

Filesize
144KB

Download
memory/2732-1271-0x0000000004DD0000-0x0000000004DF8000-memory.dmp

Filesize
160KB

Download
memory/2732-1279-0x0000000004260000-0x000000000426A000-memory.dmp

Filesize
40KB

Download
memory/2732-1283-0x0000000004260000-0x0000000004268000-memory.dmp

Filesize
32KB

Download
memory/2732-1291-0x0000000004320000-0x000000000433C000-memory.dmp

Filesize
112KB

Download
memory/2732-1303-0x0000000004320000-0x000000000433C000-memory.dmp

Filesize
112KB

Download
memory/2732-1312-0x0000000004250000-0x0000000004258000-memory.dmp

Filesize
32KB

Download
memory/2732-1317-0x0000000004250000-0x0000000004258000-memory.dmp

Filesize
32KB

Download
memory/2732-1325-0x0000000004260000-0x0000000004268000-memory.dmp

Filesize
32KB

Download
memory/2732-1326-0x0000000004250000-0x000000000425E000-memory.dmp

Filesize
56KB

Download
memory/2732-1334-0x0000000004320000-0x0000000004332000-memory.dmp

Filesize
72KB

Download
memory/2732-1346-0x0000000004260000-0x000000000426E000-memory.dmp

Filesize
56KB

Download
memory/2732-1350-0x0000000004260000-0x000000000426A000-memory.dmp

Filesize
40KB

Download
memory/2732-1355-0x0000000004DD0000-0x0000000004DFA000-memory.dmp

Filesize
168KB

Download
memory/2732-1362-0x00000000057E0000-0x00000000058B5000-memory.dmp

Filesize
852KB

Download
memory/2732-1363-0x0000000004DD0000-0x0000000004DF8000-memory.dmp

Filesize
160KB

Download
memory/2732-19-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2732-20-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2732-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2732-22-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2732-25-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2764-0-0x0000000073F0E000-0x0000000073F0F000-memory.dmp

Filesize
4KB

Download
memory/2764-2-0x0000000073F00000-0x00000000745EE000-memory.dmp

Filesize
6.9MB

Download
memory/2764-1-0x0000000001110000-0x000000000125C000-memory.dmp

Filesize
1.3MB

Download