orcus | c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe
Size

2.8MB
MD5

f7a46b53afa7814e739d59fcdbd527fc
SHA1

b1d3158156a63d3981c3d49c33bb94ef899611d6
SHA256

c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797
SHA512

0bb5d13d55fd27f1feb8c055118ba43fa0a611a2512abafbaceba0d2d3c0e5e9a45520d2f8093070589df422721f568fcc6b59fc2c994288ab5d2ec898b6b5da
SSDEEP

49152:Kkqgee3wKnRhpv83eiLG36HlHVQZTpzRcxen5+saw9FF9+4eIDTeWY5g:LeegihkpzHlHoFRcgn/B3P+eeW

Score

10^/10

orcus credential_access defense_evasion discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

18.221.17.220:1604

Mutex

1141a9276f324b1f8a2d4f8f2fec0ac5

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%temp%\drivers\ac2ftsdgj8m5ms5.exe
reconnect_delay
10000
registry_keyname
steam
taskscheduler_taskname
steam
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	family_orcus

Orcurs Rat Executable 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	orcus
behavioral2/memory/4732-162-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral2/memory/2708-164-0x0000000000570000-0x0000000000658000-memory.dmp	orcus

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svñhost.exesvñhost.exef7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exetmp.exesvhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	svñhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	svñhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	svhost.exe

Executes dropped EXE 14 IoCs

Processes:

tmp.exesvhost.exeProcessHacker.exeProcessHacker.exesvchost.exesvchost.exesvñhost.exesvñhost.exesvhost.exesvhost.exetmp.exetmp.exesvñhost.exesvñhost.exe

pid	process
2916	tmp.exe
4884	svhost.exe
2036	ProcessHacker.exe
644	ProcessHacker.exe
4564	svchost.exe
4436	svchost.exe
4192	svñhost.exe
976	svñhost.exe
3316	svhost.exe
220	svhost.exe
2708	tmp.exe
4920	tmp.exe
4732	svñhost.exe
3680	svñhost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 5 IoCs

Processes:

f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exesvchost.exesvchost.exesvñhost.exesvñhost.exe

description	pid	process	target process
PID 2296 set thread context of 4884	2296	f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe	svhost.exe
PID 4436 set thread context of 3316	4436	svchost.exe	svhost.exe
PID 4564 set thread context of 220	4564	svchost.exe	svhost.exe
PID 4192 set thread context of 4732	4192	svñhost.exe	svñhost.exe
PID 976 set thread context of 3680	976	svñhost.exe	svñhost.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\MsDrvOp.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\MsDrvOp.exe:Zone.Identifier	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exesvhost.exesvñhost.exesvñhost.exesvhost.exereg.execmd.execmd.exereg.execmd.execmd.exesvñhost.exetmp.exesvchost.execmd.execmd.exesvñhost.exef7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exesvchost.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svñhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svñhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svñhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svñhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ProcessHacker.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\MsDrvOp.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\MsDrvOp.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exesvchost.exesvchost.exeProcessHacker.exesvñhost.exesvñhost.exe

pid	process
2296	f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe
4436	svchost.exe
4564	svchost.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
4192	svñhost.exe
976	svñhost.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
4192	svñhost.exe
976	svñhost.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ProcessHacker.exe

pid process

2036 ProcessHacker.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exeProcessHacker.exeProcessHacker.exesvchost.exesvchost.exesvñhost.exesvñhost.exe

description	pid	process
Token: SeDebugPrivilege	2296	f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe
Token: SeDebugPrivilege	2036	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	2036	ProcessHacker.exe
Token: 33	2036	ProcessHacker.exe
Token: SeLoadDriverPrivilege	2036	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	2036	ProcessHacker.exe
Token: SeRestorePrivilege	2036	ProcessHacker.exe
Token: SeShutdownPrivilege	2036	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	2036	ProcessHacker.exe
Token: SeDebugPrivilege	644	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	644	ProcessHacker.exe
Token: 33	644	ProcessHacker.exe
Token: SeLoadDriverPrivilege	644	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	644	ProcessHacker.exe
Token: SeRestorePrivilege	644	ProcessHacker.exe
Token: SeShutdownPrivilege	644	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	644	ProcessHacker.exe
Token: SeDebugPrivilege	4436	svchost.exe
Token: SeDebugPrivilege	4564	svchost.exe
Token: SeDebugPrivilege	4192	svñhost.exe
Token: SeDebugPrivilege	976	svñhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

ProcessHacker.exe

pid	process
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

ProcessHacker.exe

pid	process
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe
2036	ProcessHacker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exetmp.exesvhost.exesvchost.exesvchost.exesvñhost.exesvñhost.execmd.execmd.exe

description	pid	process	target process
PID 2296 wrote to memory of 2916	2296	f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe	tmp.exe
PID 2296 wrote to memory of 2916	2296	f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe	tmp.exe
PID 2296 wrote to memory of 2916	2296	f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe	tmp.exe
PID 2296 wrote to memory of 4884	2296	f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe	svhost.exe
PID 2296 wrote to memory of 4884	2296	f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe	svhost.exe
PID 2296 wrote to memory of 4884	2296	f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe	svhost.exe
PID 2296 wrote to memory of 4884	2296	f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe	svhost.exe
PID 2296 wrote to memory of 4884	2296	f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe	svhost.exe
PID 2296 wrote to memory of 4884	2296	f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe	svhost.exe
PID 2296 wrote to memory of 4884	2296	f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe	svhost.exe
PID 2296 wrote to memory of 4884	2296	f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe	svhost.exe
PID 2296 wrote to memory of 4884	2296	f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe	svhost.exe
PID 2916 wrote to memory of 2036	2916	tmp.exe	ProcessHacker.exe
PID 2916 wrote to memory of 2036	2916	tmp.exe	ProcessHacker.exe
PID 4884 wrote to memory of 644	4884	svhost.exe	ProcessHacker.exe
PID 4884 wrote to memory of 644	4884	svhost.exe	ProcessHacker.exe
PID 2916 wrote to memory of 4564	2916	tmp.exe	svchost.exe
PID 2916 wrote to memory of 4564	2916	tmp.exe	svchost.exe
PID 2916 wrote to memory of 4564	2916	tmp.exe	svchost.exe
PID 4884 wrote to memory of 4436	4884	svhost.exe	svchost.exe
PID 4884 wrote to memory of 4436	4884	svhost.exe	svchost.exe
PID 4884 wrote to memory of 4436	4884	svhost.exe	svchost.exe
PID 4884 wrote to memory of 4192	4884	svhost.exe	svñhost.exe
PID 4884 wrote to memory of 4192	4884	svhost.exe	svñhost.exe
PID 4884 wrote to memory of 4192	4884	svhost.exe	svñhost.exe
PID 2916 wrote to memory of 976	2916	tmp.exe	svñhost.exe
PID 2916 wrote to memory of 976	2916	tmp.exe	svñhost.exe
PID 2916 wrote to memory of 976	2916	tmp.exe	svñhost.exe
PID 4436 wrote to memory of 3316	4436	svchost.exe	svhost.exe
PID 4436 wrote to memory of 3316	4436	svchost.exe	svhost.exe
PID 4436 wrote to memory of 3316	4436	svchost.exe	svhost.exe
PID 4436 wrote to memory of 3316	4436	svchost.exe	svhost.exe
PID 4436 wrote to memory of 3316	4436	svchost.exe	svhost.exe
PID 4436 wrote to memory of 3316	4436	svchost.exe	svhost.exe
PID 4436 wrote to memory of 3316	4436	svchost.exe	svhost.exe
PID 4436 wrote to memory of 3316	4436	svchost.exe	svhost.exe
PID 4436 wrote to memory of 3316	4436	svchost.exe	svhost.exe
PID 4564 wrote to memory of 220	4564	svchost.exe	svhost.exe
PID 4564 wrote to memory of 220	4564	svchost.exe	svhost.exe
PID 4564 wrote to memory of 220	4564	svchost.exe	svhost.exe
PID 4564 wrote to memory of 220	4564	svchost.exe	svhost.exe
PID 4564 wrote to memory of 220	4564	svchost.exe	svhost.exe
PID 4564 wrote to memory of 220	4564	svchost.exe	svhost.exe
PID 4564 wrote to memory of 220	4564	svchost.exe	svhost.exe
PID 4564 wrote to memory of 220	4564	svchost.exe	svhost.exe
PID 4564 wrote to memory of 220	4564	svchost.exe	svhost.exe
PID 4192 wrote to memory of 472	4192	svñhost.exe	cmd.exe
PID 4192 wrote to memory of 472	4192	svñhost.exe	cmd.exe
PID 4192 wrote to memory of 472	4192	svñhost.exe	cmd.exe
PID 976 wrote to memory of 412	976	svñhost.exe	cmd.exe
PID 976 wrote to memory of 412	976	svñhost.exe	cmd.exe
PID 976 wrote to memory of 412	976	svñhost.exe	cmd.exe
PID 4192 wrote to memory of 1516	4192	svñhost.exe	cmd.exe
PID 4192 wrote to memory of 1516	4192	svñhost.exe	cmd.exe
PID 4192 wrote to memory of 1516	4192	svñhost.exe	cmd.exe
PID 976 wrote to memory of 4772	976	svñhost.exe	cmd.exe
PID 976 wrote to memory of 4772	976	svñhost.exe	cmd.exe
PID 976 wrote to memory of 4772	976	svñhost.exe	cmd.exe
PID 1516 wrote to memory of 3664	1516	cmd.exe	reg.exe
PID 1516 wrote to memory of 3664	1516	cmd.exe	reg.exe
PID 1516 wrote to memory of 3664	1516	cmd.exe	reg.exe
PID 4772 wrote to memory of 2064	4772	cmd.exe	reg.exe
PID 4772 wrote to memory of 2064	4772	cmd.exe	reg.exe
PID 4772 wrote to memory of 2064	4772	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7a46b53afa7814e739d59fcdbd527fc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\ProcessHacker.exe
    "C:\Users\Admin\AppData\Local\Temp\ProcessHacker.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2036
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:220
- - C:\Users\Admin\AppData\Local\Temp\svñhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svñhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/svñhost.exe" "%appdata%\Microsoft\MsDrvOp.exe" /Y
      4⤵
      System Location Discovery: System Language Discovery
      PID:412
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%appdata%\Microsoft\MsDrvOp.exe.lnk" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\MsDrvOp.exe.lnk" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\Microsoft\MsDrvOp.exe:Zone.Identifier
      4⤵
      Subvert Trust Controls: Mark-of-the-Web Bypass
      System Location Discovery: System Language Discovery
      NTFS ADS
      PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ren "%appdata%\Microsoft\MsDrvOp.exe.jpg" MsDrvOp.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3140
  - - C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\svñhost.exe
      "C:/Users/Admin/AppData/Local/Temp/svñhost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3680
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\ProcessHacker.exe
    "C:\Users\Admin\AppData\Local\Temp\ProcessHacker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:644
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      Executes dropped EXE
      PID:3316
- - C:\Users\Admin\AppData\Local\Temp\svñhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svñhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/svñhost.exe" "%appdata%\Microsoft\MsDrvOp.exe" /Y
      4⤵
      System Location Discovery: System Language Discovery
      PID:472
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%appdata%\Microsoft\MsDrvOp.exe.lnk" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\MsDrvOp.exe.lnk" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3664
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\Microsoft\MsDrvOp.exe:Zone.Identifier
      4⤵
      Subvert Trust Controls: Mark-of-the-Web Bypass
      System Location Discovery: System Language Discovery
      NTFS ADS
      PID:4500
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ren "%appdata%\Microsoft\MsDrvOp.exe.jpg" MsDrvOp.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      4⤵
      Executes dropped EXE
      PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\svñhost.exe
      "C:/Users/Admin/AppData/Local/Temp/svñhost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
522B

MD5
8334a471a4b492ece225b471b8ad2fc8

SHA1
1cb24640f32d23e8f7800bd0511b7b9c3011d992

SHA256
5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

SHA512
56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svñhost.exe.log

Filesize
1KB

MD5
0672db2ef13237d5cb85075ff4915942

SHA1
ad8b4d3eb5e40791c47d48b22e273486f25f663f

SHA256
0a933408890369b5a178f9c30aa93d2c94f425650815cf8e8310de4e90a3b519

SHA512
84ad10ba5b695567d33a52f786405a5544aa49d8d23631ba9edf3afa877c5dbd81570d15bcf74bce5d9fb1afad2117d0a4ef913b396c0d923afefe615619c84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProcessHacker.exe

Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
408KB

MD5
bcc445de41fcfbbad5c4b0b0a4ea859a

SHA1
520466387cc8283238d2b69252051de0853e2e74

SHA256
aac1eb531b6f215859319664221f762e837d5c19db39f75193ff28f768170bf0

SHA512
c2696bba3ffd74e2421de45a55c76a6dbbdd0c1c3266d711a533b9d38d9cee5a33c55b1053044ca7373b625aba37aa87d6b0b1ea61bc899ac113fdac31e92c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\Users\Admin\AppData\Local\Temp\svñhost.exe

Filesize
1009KB

MD5
eee2282277e64485627c058793aa65e0

SHA1
ed5ae121bf074decf9b7a95214e67874733a5cf2

SHA256
79e31aa291777d936bdbd198ebf53f3b7d230972fcf95f92908872aca6bf888c

SHA512
b5ea27c4b0e14687065c94b72fa3c177fe161a92c15aad7db48a466ea34745fbfd15d7305f022ef322f41169b81df621253ace5d0720d11eb8ccc688a251767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
902KB

MD5
4f569bfdf48c4193795be0c012a66d9b

SHA1
9df29ae3f4c0666303204ae3d2b36b21ff483bb9

SHA256
8c46765193808e7655ea8d2a578da25b8a064dbd5eb1a42911bd26c4d82df333

SHA512
cb1c2c6539951d66d66448c64763d4efd9127bf9a593a93179ac7ff86a8100ec2380ae947cc87f22afef78489648ba8f7a8e1664b255f182efcda138c05b602f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
2.5MB

MD5
79682b35bc0d20012d115b060b13d59e

SHA1
187d5ae4ce46095c2a05fe45fe768bbb92b3e164

SHA256
c06240ad1258978e6588fd6b4c9efe32e90d109e5728848b0aed413a4c568b5e

SHA512
b727075ce2f003de057f0aeb8e53bcadeaa5bc685bc606b8e94078bbb61a1ea84a4f66d60e50a1574785d9ad0352235028861e0625929d77cafa52fb3e9ff24e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlmi{lolz}yg.col

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlmi{lolz}yg.col

Filesize
114KB

MD5
2e5b34ca73bac7d39579ae5af5c50268

SHA1
910b0865cce750b73e308d0c9314edcdcf4162bb

SHA256
79f7541d73ed1744fbc041fdeaf95cae2e2a43cf9d73f6d9476b67a5c2ea9695

SHA512
95dcb404558da6bf1b58640440f3e26b13bf53b8fe05932e85b85dea7e629a544f2bfef094fdd23fd2ad0692297aad338e23c9e6e516e5c852d6d7c1c97249fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MsDrvOp.exe.lnk

Filesize
847B

MD5
2c4d192db2e09efa88a4a28c3272756f

SHA1
d68830e926235e19e7e6eef7b4dfd9f4135834c6

SHA256
4571d3438213c48e70301ac94617f30342a8d723e0cbf03c458b5fc12bbe0e98

SHA512
88cfa1cb8463a2a9794b27beae1c829379be84367acb13ec65b611450717c7a123da98400a26a04eddaaf11d28aa449ebbebe37666af156d741a39935d9b3ef8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MsDrvOp.exe:Zone.Identifier

Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
memory/220-74-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/220-76-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/220-167-0x0000000070A20000-0x0000000070A59000-memory.dmp

Filesize
228KB

Download
memory/2296-198-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/2296-196-0x000000007506E000-0x000000007506F000-memory.dmp

Filesize
4KB

Download
memory/2296-2-0x0000000005340000-0x00000000053DC000-memory.dmp

Filesize
624KB

Download
memory/2296-3-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/2296-200-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/2296-0-0x000000007506E000-0x000000007506F000-memory.dmp

Filesize
4KB

Download
memory/2296-4-0x00000000055E0000-0x000000000586C000-memory.dmp

Filesize
2.5MB

Download
memory/2296-1-0x0000000000690000-0x0000000000956000-memory.dmp

Filesize
2.8MB

Download
memory/2708-164-0x0000000000570000-0x0000000000658000-memory.dmp

Filesize
928KB

Download
memory/4192-77-0x0000000005100000-0x00000000051E6000-memory.dmp

Filesize
920KB

Download
memory/4192-71-0x0000000000550000-0x0000000000652000-memory.dmp

Filesize
1.0MB

Download
memory/4436-61-0x0000000005800000-0x000000000584A000-memory.dmp

Filesize
296KB

Download
memory/4564-58-0x00000000008A0000-0x000000000090C000-memory.dmp

Filesize
432KB

Download
memory/4732-162-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4732-166-0x0000000003100000-0x000000000310E000-memory.dmp

Filesize
56KB

Download
memory/4732-170-0x0000000005F60000-0x0000000006504000-memory.dmp

Filesize
5.6MB

Download
memory/4732-171-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/4884-70-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download
memory/4884-18-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download
memory/4884-24-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download
memory/4884-21-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download
memory/4920-165-0x00000000016D0000-0x000000000172C000-memory.dmp

Filesize
368KB

Download
memory/4920-174-0x0000000001690000-0x00000000016A0000-memory.dmp

Filesize
64KB

Download
memory/4920-173-0x000000001BE50000-0x000000001BE68000-memory.dmp

Filesize
96KB

Download
memory/4920-172-0x00000000016B0000-0x00000000016C2000-memory.dmp

Filesize
72KB

Download