orcus | c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797

Analysis

max time kernel
151s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe
Size

2.8MB
MD5

f7a46b53afa7814e739d59fcdbd527fc
SHA1

b1d3158156a63d3981c3d49c33bb94ef899611d6
SHA256

c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797
SHA512

0bb5d13d55fd27f1feb8c055118ba43fa0a611a2512abafbaceba0d2d3c0e5e9a45520d2f8093070589df422721f568fcc6b59fc2c994288ab5d2ec898b6b5da

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

18.221.17.220:1604

Mutex

1141a9276f324b1f8a2d4f8f2fec0ac5

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%temp%\drivers\ac2ftsdgj8m5ms5.exe
reconnect_delay
10000
registry_keyname
steam
taskscheduler_taskname
steam
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus Main Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	family_orcus
C:\Users\Admin\AppData\Local\Temp\tmp.exe	family_orcus

Orcurs Rat Executable 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	orcus
C:\Users\Admin\AppData\Local\Temp\tmp.exe	orcus
behavioral2/memory/552-169-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral2/memory/1620-171-0x00000000004C0000-0x00000000005A8000-memory.dmp	orcus

Executes dropped EXE 8 IoCs

Processes:

tmp.exesvhost.exeProcessHacker.exesvchost.exesvñhost.exesvhost.exetmp.exesvñhost.exe

pid process

1496 tmp.exe
2228 svhost.exe
3372 ProcessHacker.exe
3716 svchost.exe
4532 svñhost.exe
4160 svhost.exe
1620 tmp.exe
552 svñhost.exe

pid	process
1496	tmp.exe
2228	svhost.exe
3372	ProcessHacker.exe
3716	svchost.exe
4532	svñhost.exe
4160	svhost.exe
1620	tmp.exe
552	svñhost.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exetmp.exesvñhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svñhost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exesvchost.exesvñhost.exe

description	pid	process	target process
PID 2320 set thread context of 2228	2320	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 3716 set thread context of 4160	3716	svchost.exe	svhost.exe
PID 4532 set thread context of 552	4532	svñhost.exe	svñhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ProcessHacker.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ProcessHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ProcessHacker.exe

NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\MsDrvOp.exe:Zone.Identifier cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\MsDrvOp.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exeProcessHacker.exesvchost.exesvñhost.exe

pid	process
2320	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3716	svchost.exe
4532	svñhost.exe
4532	svñhost.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ProcessHacker.exe

pid process

3372 ProcessHacker.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exeProcessHacker.exesvchost.exesvñhost.exe

description	pid	process
Token: SeDebugPrivilege	2320	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe
Token: SeDebugPrivilege	3372	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	3372	ProcessHacker.exe
Token: 33	3372	ProcessHacker.exe
Token: SeLoadDriverPrivilege	3372	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	3372	ProcessHacker.exe
Token: SeRestorePrivilege	3372	ProcessHacker.exe
Token: SeShutdownPrivilege	3372	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	3372	ProcessHacker.exe
Token: SeDebugPrivilege	3716	svchost.exe
Token: SeDebugPrivilege	4532	svñhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

ProcessHacker.exe

pid	process
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

ProcessHacker.exe

pid	process
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe
3372	ProcessHacker.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exetmp.exesvchost.exesvñhost.execmd.exe

description	pid	process	target process
PID 2320 wrote to memory of 1496	2320	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	tmp.exe
PID 2320 wrote to memory of 1496	2320	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	tmp.exe
PID 2320 wrote to memory of 1496	2320	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	tmp.exe
PID 2320 wrote to memory of 2228	2320	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 2320 wrote to memory of 2228	2320	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 2320 wrote to memory of 2228	2320	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 2320 wrote to memory of 2228	2320	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 2320 wrote to memory of 2228	2320	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 2320 wrote to memory of 2228	2320	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 2320 wrote to memory of 2228	2320	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 2320 wrote to memory of 2228	2320	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 2320 wrote to memory of 2228	2320	c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe	svhost.exe
PID 1496 wrote to memory of 3372	1496	tmp.exe	ProcessHacker.exe
PID 1496 wrote to memory of 3372	1496	tmp.exe	ProcessHacker.exe
PID 1496 wrote to memory of 3716	1496	tmp.exe	svchost.exe
PID 1496 wrote to memory of 3716	1496	tmp.exe	svchost.exe
PID 1496 wrote to memory of 3716	1496	tmp.exe	svchost.exe
PID 1496 wrote to memory of 4532	1496	tmp.exe	svñhost.exe
PID 1496 wrote to memory of 4532	1496	tmp.exe	svñhost.exe
PID 1496 wrote to memory of 4532	1496	tmp.exe	svñhost.exe
PID 3716 wrote to memory of 4160	3716	svchost.exe	svhost.exe
PID 3716 wrote to memory of 4160	3716	svchost.exe	svhost.exe
PID 3716 wrote to memory of 4160	3716	svchost.exe	svhost.exe
PID 3716 wrote to memory of 4160	3716	svchost.exe	svhost.exe
PID 3716 wrote to memory of 4160	3716	svchost.exe	svhost.exe
PID 3716 wrote to memory of 4160	3716	svchost.exe	svhost.exe
PID 3716 wrote to memory of 4160	3716	svchost.exe	svhost.exe
PID 3716 wrote to memory of 4160	3716	svchost.exe	svhost.exe
PID 3716 wrote to memory of 4160	3716	svchost.exe	svhost.exe
PID 4532 wrote to memory of 4628	4532	svñhost.exe	cmd.exe
PID 4532 wrote to memory of 4628	4532	svñhost.exe	cmd.exe
PID 4532 wrote to memory of 4628	4532	svñhost.exe	cmd.exe
PID 4532 wrote to memory of 4596	4532	svñhost.exe	cmd.exe
PID 4532 wrote to memory of 4596	4532	svñhost.exe	cmd.exe
PID 4532 wrote to memory of 4596	4532	svñhost.exe	cmd.exe
PID 4596 wrote to memory of 4544	4596	cmd.exe	reg.exe
PID 4596 wrote to memory of 4544	4596	cmd.exe	reg.exe
PID 4596 wrote to memory of 4544	4596	cmd.exe	reg.exe
PID 4532 wrote to memory of 3428	4532	svñhost.exe	cmd.exe
PID 4532 wrote to memory of 3428	4532	svñhost.exe	cmd.exe
PID 4532 wrote to memory of 3428	4532	svñhost.exe	cmd.exe
PID 4532 wrote to memory of 1960	4532	svñhost.exe	cmd.exe
PID 4532 wrote to memory of 1960	4532	svñhost.exe	cmd.exe
PID 4532 wrote to memory of 1960	4532	svñhost.exe	cmd.exe
PID 4532 wrote to memory of 1620	4532	svñhost.exe	tmp.exe
PID 4532 wrote to memory of 1620	4532	svñhost.exe	tmp.exe
PID 4532 wrote to memory of 552	4532	svñhost.exe	svñhost.exe
PID 4532 wrote to memory of 552	4532	svñhost.exe	svñhost.exe
PID 4532 wrote to memory of 552	4532	svñhost.exe	svñhost.exe
PID 4532 wrote to memory of 552	4532	svñhost.exe	svñhost.exe
PID 4532 wrote to memory of 552	4532	svñhost.exe	svñhost.exe
PID 4532 wrote to memory of 552	4532	svñhost.exe	svñhost.exe
PID 4532 wrote to memory of 552	4532	svñhost.exe	svñhost.exe
PID 4532 wrote to memory of 552	4532	svñhost.exe	svñhost.exe

C:\Users\Admin\AppData\Local\Temp\c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe
"C:\Users\Admin\AppData\Local\Temp\c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\ProcessHacker.exe
"C:\Users\Admin\AppData\Local\Temp\ProcessHacker.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3372

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
4⤵
- Executes dropped EXE
PID:4160

C:\Users\Admin\AppData\Local\Temp\svñhost.exe
"C:\Users\Admin\AppData\Local\Temp\svñhost.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/svñhost.exe" "%appdata%\Microsoft\MsDrvOp.exe" /Y
4⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%appdata%\Microsoft\MsDrvOp.exe.lnk" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\MsDrvOp.exe.lnk" /f
5⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\Microsoft\MsDrvOp.exe:Zone.Identifier
4⤵
- NTFS ADS
PID:3428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "%appdata%\Microsoft\MsDrvOp.exe.jpg" MsDrvOp.exe
4⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
4⤵
- Executes dropped EXE
PID:1620

C:\Users\Admin\AppData\Local\Temp\svñhost.exe
"C:/Users/Admin/AppData/Local/Temp/svñhost.exe"
4⤵
- Executes dropped EXE
PID:552

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
PID:2228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svñhost.exe.log
Filesize
522B

MD5
8334a471a4b492ece225b471b8ad2fc8

SHA1
1cb24640f32d23e8f7800bd0511b7b9c3011d992

SHA256
5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

SHA512
56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProcessHacker.exe
Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProcessHacker.exe
Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
408KB

MD5
bcc445de41fcfbbad5c4b0b0a4ea859a

SHA1
520466387cc8283238d2b69252051de0853e2e74

SHA256
aac1eb531b6f215859319664221f762e837d5c19db39f75193ff28f768170bf0

SHA512
c2696bba3ffd74e2421de45a55c76a6dbbdd0c1c3266d711a533b9d38d9cee5a33c55b1053044ca7373b625aba37aa87d6b0b1ea61bc899ac113fdac31e92c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
408KB

MD5
bcc445de41fcfbbad5c4b0b0a4ea859a

SHA1
520466387cc8283238d2b69252051de0853e2e74

SHA256
aac1eb531b6f215859319664221f762e837d5c19db39f75193ff28f768170bf0

SHA512
c2696bba3ffd74e2421de45a55c76a6dbbdd0c1c3266d711a533b9d38d9cee5a33c55b1053044ca7373b625aba37aa87d6b0b1ea61bc899ac113fdac31e92c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
2.5MB

MD5
0a7608db01cae07792cea95e792aa866

SHA1
71dff876e4d5edb6cea78fee7aa15845d4950e24

SHA256
c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e

SHA512
990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
2.5MB

MD5
0a7608db01cae07792cea95e792aa866

SHA1
71dff876e4d5edb6cea78fee7aa15845d4950e24

SHA256
c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e

SHA512
990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\svñhost.exe
Filesize
1009KB

MD5
eee2282277e64485627c058793aa65e0

SHA1
ed5ae121bf074decf9b7a95214e67874733a5cf2

SHA256
79e31aa291777d936bdbd198ebf53f3b7d230972fcf95f92908872aca6bf888c

SHA512
b5ea27c4b0e14687065c94b72fa3c177fe161a92c15aad7db48a466ea34745fbfd15d7305f022ef322f41169b81df621253ace5d0720d11eb8ccc688a251767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svñhost.exe
Filesize
1009KB

MD5
eee2282277e64485627c058793aa65e0

SHA1
ed5ae121bf074decf9b7a95214e67874733a5cf2

SHA256
79e31aa291777d936bdbd198ebf53f3b7d230972fcf95f92908872aca6bf888c

SHA512
b5ea27c4b0e14687065c94b72fa3c177fe161a92c15aad7db48a466ea34745fbfd15d7305f022ef322f41169b81df621253ace5d0720d11eb8ccc688a251767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svñhost.exe
Filesize
1009KB

MD5
eee2282277e64485627c058793aa65e0

SHA1
ed5ae121bf074decf9b7a95214e67874733a5cf2

SHA256
79e31aa291777d936bdbd198ebf53f3b7d230972fcf95f92908872aca6bf888c

SHA512
b5ea27c4b0e14687065c94b72fa3c177fe161a92c15aad7db48a466ea34745fbfd15d7305f022ef322f41169b81df621253ace5d0720d11eb8ccc688a251767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
2.5MB

MD5
79682b35bc0d20012d115b060b13d59e

SHA1
187d5ae4ce46095c2a05fe45fe768bbb92b3e164

SHA256
c06240ad1258978e6588fd6b4c9efe32e90d109e5728848b0aed413a4c568b5e

SHA512
b727075ce2f003de057f0aeb8e53bcadeaa5bc685bc606b8e94078bbb61a1ea84a4f66d60e50a1574785d9ad0352235028861e0625929d77cafa52fb3e9ff24e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
2.5MB

MD5
79682b35bc0d20012d115b060b13d59e

SHA1
187d5ae4ce46095c2a05fe45fe768bbb92b3e164

SHA256
c06240ad1258978e6588fd6b4c9efe32e90d109e5728848b0aed413a4c568b5e

SHA512
b727075ce2f003de057f0aeb8e53bcadeaa5bc685bc606b8e94078bbb61a1ea84a4f66d60e50a1574785d9ad0352235028861e0625929d77cafa52fb3e9ff24e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
902KB

MD5
4f569bfdf48c4193795be0c012a66d9b

SHA1
9df29ae3f4c0666303204ae3d2b36b21ff483bb9

SHA256
8c46765193808e7655ea8d2a578da25b8a064dbd5eb1a42911bd26c4d82df333

SHA512
cb1c2c6539951d66d66448c64763d4efd9127bf9a593a93179ac7ff86a8100ec2380ae947cc87f22afef78489648ba8f7a8e1664b255f182efcda138c05b602f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
902KB

MD5
4f569bfdf48c4193795be0c012a66d9b

SHA1
9df29ae3f4c0666303204ae3d2b36b21ff483bb9

SHA256
8c46765193808e7655ea8d2a578da25b8a064dbd5eb1a42911bd26c4d82df333

SHA512
cb1c2c6539951d66d66448c64763d4efd9127bf9a593a93179ac7ff86a8100ec2380ae947cc87f22afef78489648ba8f7a8e1664b255f182efcda138c05b602f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MsDrvOp.exe
Filesize
1009KB

MD5
eee2282277e64485627c058793aa65e0

SHA1
ed5ae121bf074decf9b7a95214e67874733a5cf2

SHA256
79e31aa291777d936bdbd198ebf53f3b7d230972fcf95f92908872aca6bf888c

SHA512
b5ea27c4b0e14687065c94b72fa3c177fe161a92c15aad7db48a466ea34745fbfd15d7305f022ef322f41169b81df621253ace5d0720d11eb8ccc688a251767b

Download Submit
memory/552-174-0x0000000005890000-0x0000000005922000-memory.dmp

Filesize
584KB

Download
memory/552-168-0x0000000000000000-mapping.dmp

Download
memory/552-169-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/552-172-0x0000000005D20000-0x00000000062C4000-memory.dmp

Filesize
5.6MB

Download
memory/1496-132-0x0000000000000000-mapping.dmp

Download
memory/1620-165-0x0000000000000000-mapping.dmp

Download
memory/1620-173-0x00007FF8BE210000-0x00007FF8BECD1000-memory.dmp

Filesize
10.8MB

Download
memory/1620-171-0x00000000004C0000-0x00000000005A8000-memory.dmp

Filesize
928KB

Download
memory/1960-164-0x0000000000000000-mapping.dmp

Download
memory/2228-135-0x0000000000000000-mapping.dmp

Download
memory/2228-138-0x00000000005C0000-0x0000000000857000-memory.dmp

Filesize
2.6MB

Download
memory/2320-131-0x0000000005910000-0x00000000059AC000-memory.dmp

Filesize
624KB

Download
memory/2320-130-0x0000000000E30000-0x00000000010F6000-memory.dmp

Filesize
2.8MB

Download
memory/3372-140-0x0000000000000000-mapping.dmp

Download
memory/3428-163-0x0000000000000000-mapping.dmp

Download
memory/3716-146-0x0000000000C00000-0x0000000000C6C000-memory.dmp

Filesize
432KB

Download
memory/3716-142-0x0000000000000000-mapping.dmp

Download
memory/4160-154-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4160-152-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4160-155-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4160-151-0x0000000000000000-mapping.dmp

Download
memory/4160-157-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4532-149-0x0000000000140000-0x0000000000242000-memory.dmp

Filesize
1.0MB

Download
memory/4532-145-0x0000000000000000-mapping.dmp

Download
memory/4544-160-0x0000000000000000-mapping.dmp

Download
memory/4596-158-0x0000000000000000-mapping.dmp

Download
memory/4628-156-0x0000000000000000-mapping.dmp

Download