orcus | 2ad50133104bbae5d82e85737296e39eecbfec15c270afd2a3b6aa981d53215f

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

18KB
MD5

89ad448d079c97e6223bd48892a4c8b1
SHA1

c864447470fe553ccbb0574f8596200c72283145
SHA256

2ad50133104bbae5d82e85737296e39eecbfec15c270afd2a3b6aa981d53215f
SHA512

ad594497d29d3eebddc6ca56bc9cd5ae64fd5c27fb1087634e198e846cdaa92fa60043ee64d9712b45d8833d7485c64f7bfab3a1cdbb3bee0c8d02125d47562c
SSDEEP

384:UKsy+FgAgVXn4S4gy2OVP3WKgieC+qcLoJfPp2IJB/kr:UxfSnk0eKilcEJHpv/k

Score

10^/10

orcus plaguebot botnet persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

146.70.143.176:81

Mutex

712d31c7a3f54904a08d968a15b836e9

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\orc\orc.exe
reconnect_delay
10000
registry_keyname
orc
taskscheduler_taskname
orc
watchdog_path
AppData\Watchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 6 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\orc.exe	family_orcus
C:\Users\Admin\AppData\Local\Temp\orc.exe	family_orcus
C:\Users\Admin\AppData\Local\Temp\orc.exe	family_orcus
C:\Program Files\orc\orc.exe	family_orcus
C:\Program Files\orc\orc.exe	family_orcus
C:\Program Files\orc\orc.exe	family_orcus

PlagueBot
PlagueBot is an open source Bot written in Pascal.
botnet plaguebot

Orcurs Rat Executable 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\orc.exe	orcus
C:\Users\Admin\AppData\Local\Temp\orc.exe	orcus
C:\Users\Admin\AppData\Local\Temp\orc.exe	orcus
C:\Program Files\orc\orc.exe	orcus
C:\Program Files\orc\orc.exe	orcus
behavioral1/memory/1532-106-0x0000000001180000-0x000000000126A000-memory.dmp	orcus
C:\Program Files\orc\orc.exe	orcus

PlagueBot Executable 8 IoCs

Processes:

resource	yara_rule
\Users\Admin\Downloads\plage.exe	plaguebot
\Users\Admin\Downloads\plage.exe	plaguebot
C:\Users\Admin\Downloads\plage.exe	plaguebot
C:\Users\Admin\Downloads\plage.exe	plaguebot
\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot
\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

blmkgrp.exeorc.exeblmkgrp.exeplage.exewinmgr.exeWindowsInput.exeWindowsInput.exeorc.exeWatchdog.exeWatchdog.exeorc.exe

pid	process
584	blmkgrp.exe
1824	orc.exe
360	blmkgrp.exe
1168	plage.exe
1392
296	winmgr.exe
1560	WindowsInput.exe
1628	WindowsInput.exe
1532	orc.exe
1916	Watchdog.exe
2012	Watchdog.exe
1460	orc.exe

Loads dropped DLL 8 IoCs

Processes:

tmp.exeblmkgrp.exeblmkgrp.exeplage.exe

pid process

1464 tmp.exe
1464 tmp.exe
584 blmkgrp.exe
1464 tmp.exe
1464 tmp.exe
360 blmkgrp.exe
1168 plage.exe
1168 plage.exe

pid	process
1464	tmp.exe
1464	tmp.exe
584	blmkgrp.exe
1464	tmp.exe
1464	tmp.exe
360	blmkgrp.exe
1168	plage.exe
1168	plage.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

orc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\orc = "\"C:\\Program Files\\orc\\orc.exe\""	orc.exe

Drops file in System32 directory 3 IoCs

Processes:

orc.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	orc.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	orc.exe

Drops file in Program Files directory 3 IoCs

Processes:

orc.exe

description	ioc	process
File opened for modification	C:\Program Files\orc\orc.exe	orc.exe
File created	C:\Program Files\orc\orc.exe.config	orc.exe
File created	C:\Program Files\orc\orc.exe	orc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

832 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1560 timeout.exe

pid	process
832	schtasks.exe

pid	process
1560	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

orc.exeWatchdog.exe

pid	process
1532	orc.exe
1532	orc.exe
1532	orc.exe
2012	Watchdog.exe
2012	Watchdog.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe
1532	orc.exe
2012	Watchdog.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Watchdog.exeorc.exeWatchdog.exe

description pid process

Token: SeDebugPrivilege 1916 Watchdog.exe
Token: SeDebugPrivilege 1532 orc.exe
Token: SeDebugPrivilege 2012 Watchdog.exe

description	pid	process
Token: SeDebugPrivilege	1916	Watchdog.exe
Token: SeDebugPrivilege	1532	orc.exe
Token: SeDebugPrivilege	2012	Watchdog.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

tmp.exeblmkgrp.exeplage.exeorc.execsc.exeorc.exeWatchdog.exetaskeng.exewinmgr.execmd.exe

description	pid	process	target process
PID 1464 wrote to memory of 584	1464	tmp.exe	blmkgrp.exe
PID 1464 wrote to memory of 584	1464	tmp.exe	blmkgrp.exe
PID 1464 wrote to memory of 584	1464	tmp.exe	blmkgrp.exe
PID 1464 wrote to memory of 584	1464	tmp.exe	blmkgrp.exe
PID 1464 wrote to memory of 1824	1464	tmp.exe	orc.exe
PID 1464 wrote to memory of 1824	1464	tmp.exe	orc.exe
PID 1464 wrote to memory of 1824	1464	tmp.exe	orc.exe
PID 1464 wrote to memory of 1824	1464	tmp.exe	orc.exe
PID 584 wrote to memory of 360	584	blmkgrp.exe	blmkgrp.exe
PID 584 wrote to memory of 360	584	blmkgrp.exe	blmkgrp.exe
PID 584 wrote to memory of 360	584	blmkgrp.exe	blmkgrp.exe
PID 1464 wrote to memory of 1168	1464	tmp.exe	plage.exe
PID 1464 wrote to memory of 1168	1464	tmp.exe	plage.exe
PID 1464 wrote to memory of 1168	1464	tmp.exe	plage.exe
PID 1464 wrote to memory of 1168	1464	tmp.exe	plage.exe
PID 1168 wrote to memory of 832	1168	plage.exe	schtasks.exe
PID 1168 wrote to memory of 832	1168	plage.exe	schtasks.exe
PID 1168 wrote to memory of 832	1168	plage.exe	schtasks.exe
PID 1168 wrote to memory of 832	1168	plage.exe	schtasks.exe
PID 1168 wrote to memory of 1896	1168	plage.exe	schtasks.exe
PID 1168 wrote to memory of 1896	1168	plage.exe	schtasks.exe
PID 1168 wrote to memory of 1896	1168	plage.exe	schtasks.exe
PID 1168 wrote to memory of 1896	1168	plage.exe	schtasks.exe
PID 1168 wrote to memory of 296	1168	plage.exe	winmgr.exe
PID 1168 wrote to memory of 296	1168	plage.exe	winmgr.exe
PID 1168 wrote to memory of 296	1168	plage.exe	winmgr.exe
PID 1168 wrote to memory of 296	1168	plage.exe	winmgr.exe
PID 1824 wrote to memory of 1040	1824	orc.exe	csc.exe
PID 1824 wrote to memory of 1040	1824	orc.exe	csc.exe
PID 1824 wrote to memory of 1040	1824	orc.exe	csc.exe
PID 1040 wrote to memory of 1656	1040	csc.exe	cvtres.exe
PID 1040 wrote to memory of 1656	1040	csc.exe	cvtres.exe
PID 1040 wrote to memory of 1656	1040	csc.exe	cvtres.exe
PID 1824 wrote to memory of 1560	1824	orc.exe	WindowsInput.exe
PID 1824 wrote to memory of 1560	1824	orc.exe	WindowsInput.exe
PID 1824 wrote to memory of 1560	1824	orc.exe	WindowsInput.exe
PID 1824 wrote to memory of 1532	1824	orc.exe	orc.exe
PID 1824 wrote to memory of 1532	1824	orc.exe	orc.exe
PID 1824 wrote to memory of 1532	1824	orc.exe	orc.exe
PID 1532 wrote to memory of 1916	1532	orc.exe	Watchdog.exe
PID 1532 wrote to memory of 1916	1532	orc.exe	Watchdog.exe
PID 1532 wrote to memory of 1916	1532	orc.exe	Watchdog.exe
PID 1532 wrote to memory of 1916	1532	orc.exe	Watchdog.exe
PID 1916 wrote to memory of 2012	1916	Watchdog.exe	Watchdog.exe
PID 1916 wrote to memory of 2012	1916	Watchdog.exe	Watchdog.exe
PID 1916 wrote to memory of 2012	1916	Watchdog.exe	Watchdog.exe
PID 1916 wrote to memory of 2012	1916	Watchdog.exe	Watchdog.exe
PID 1544 wrote to memory of 1460	1544	taskeng.exe	orc.exe
PID 1544 wrote to memory of 1460	1544	taskeng.exe	orc.exe
PID 1544 wrote to memory of 1460	1544	taskeng.exe	orc.exe
PID 296 wrote to memory of 584	296	winmgr.exe	schtasks.exe
PID 296 wrote to memory of 584	296	winmgr.exe	schtasks.exe
PID 296 wrote to memory of 584	296	winmgr.exe	schtasks.exe
PID 296 wrote to memory of 584	296	winmgr.exe	schtasks.exe
PID 296 wrote to memory of 1972	296	winmgr.exe	cmd.exe
PID 296 wrote to memory of 1972	296	winmgr.exe	cmd.exe
PID 296 wrote to memory of 1972	296	winmgr.exe	cmd.exe
PID 296 wrote to memory of 1972	296	winmgr.exe	cmd.exe
PID 1972 wrote to memory of 1560	1972	cmd.exe	timeout.exe
PID 1972 wrote to memory of 1560	1972	cmd.exe	timeout.exe
PID 1972 wrote to memory of 1560	1972	cmd.exe	timeout.exe
PID 1972 wrote to memory of 1560	1972	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe
"C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe
"C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:360

C:\Users\Admin\AppData\Local\Temp\orc.exe
"C:\Users\Admin\AppData\Local\Temp\orc.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-iamjzcn.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B81.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6B71.tmp"
4⤵
PID:1656

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1560

C:\Program Files\orc\orc.exe
"C:\Program Files\orc\orc.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Roaming\Watchdog.exe
"C:\Users\Admin\AppData\Roaming\Watchdog.exe" /launchSelfAndExit "C:\Program Files\orc\orc.exe" 1532 /protectFile
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Roaming\Watchdog.exe
"C:\Users\Admin\AppData\Roaming\Watchdog.exe" /watchProcess "C:\Program Files\orc\orc.exe" 1532 "/protectFile"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Users\Admin\Downloads\plage.exe
"C:\Users\Admin\Downloads\plage.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"
3⤵
- Creates scheduled task(s)
PID:832

C:\Windows\SysWOW64\schtasks.exe
schtasks /Query /FO "LIST" /TN "WinManager"
3⤵
PID:1896

C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
"C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe" /wait
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN "WinManager"
4⤵
PID:584

C:\Windows\SysWOW64\cmd.exe
cmd /C timeout 5 & del /F /Q "C:\Users\Admin\AppData\Roaming\discordnitro\*.*" & rmdir "C:\Users\Admin\AppData\Roaming\discordnitro"
4⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\timeout.exe
timeout 5
5⤵
- Delays execution with timeout.exe
PID:1560

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\system32\taskeng.exe
taskeng.exe {DCCE906B-50B0-4953-8311-FE805EF6BE72} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Program Files\orc\orc.exe
"C:\Program Files\orc\orc.exe"
2⤵
- Executes dropped EXE
PID:1460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\orc\orc.exe
Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Program Files\orc\orc.exe
Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Program Files\orc\orc.exe
Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Program Files\orc\orc.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\-iamjzcn.dll
Filesize
76KB

MD5
043e037d8e174f03e7b76181cfc95c96

SHA1
e85d26e805084e3187fbebf5161f36af2ba08f0c

SHA256
8d690255d7366e92eba7aa2cd6a87c043b1d58daa7ba84c71a61ee2581efb8a8

SHA512
36ea53a8edbd8398c672f6b18bef3574528d22d11eb3d849703b8aaa15ed9b4eff1a8f20f25a65baa17e8dabb6cc46f8eea929fed91617e13c099a3f1bc5f3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\NewTask.xml
Filesize
1KB

MD5
0d9bdc05180b19f19d4979a2f5e36ca7

SHA1
ed263f679e00908b644dd21bd55eb579d8c53375

SHA256
0cbcb988e5ee21358b340c649fb2660c3518ab778cef01dae13d7172ba57e562

SHA512
bdaac696d0e55d6e06e23160d414cade63dd640f5bd543b8d971c17dbf5190641561b27f6017673c358b85ed82b1dc5cd396771c1066f14ee0efa15dfbf253ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6B81.tmp
Filesize
1KB

MD5
f0a5adfa34b9baa8319e8e9683c33937

SHA1
514ef9c7001bc007815d7e76b0a3e44929956edd

SHA256
63cc9d3e13d48e63785b66906820405c08b3600182b346fb1c447aefba49c301

SHA512
7ba0eca89264648d4040e845997d8d1573dc1da2b48f6af847f30689bc5cecbd9293083a5f49b9bc479cf625538f16f818dab97a6d0e1e5a6c1a83708a39d5dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe
Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe
Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe
Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_5842\python310.dll
Filesize
1.5MB

MD5
e06ce8146da66871aa8aeedc950fd12b

SHA1
6ee749bdd0bc857a41ac8018c5553e895784b961

SHA256
aabd51782e4edb80561dd2ff065079a8381c7c86a6db1c6884bc09c73cde07a4

SHA512
0d8c16832d5242595eff4993a1563de09f1eba988ca6e9bcd9afdb0891a164ea2972ac9df40f575e8e1021d535c3b807ce025bc15788f08f84c71246d64f1198

Download Submit
C:\Users\Admin\AppData\Local\Temp\orc.exe
Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\orc.exe
Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
C:\Users\Admin\Downloads\plage.exe
Filesize
967KB

MD5
b03ccade490854df220914c4430967e2

SHA1
1911a59e8c4b427d3fbc8fc9c794886bd2d81305

SHA256
81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

SHA512
0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36

Download Submit
C:\Users\Admin\Downloads\plage.exe
Filesize
967KB

MD5
b03ccade490854df220914c4430967e2

SHA1
1911a59e8c4b427d3fbc8fc9c794886bd2d81305

SHA256
81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

SHA512
0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-iamjzcn.0.cs
Filesize
208KB

MD5
54511f23d6e93f391ec061e65eb8ecba

SHA1
cf4d8d8b57a36cfd710d41020e09d2816c692725

SHA256
66c5f9da5b51fbe62b5c8ca38dca18f90f226df574a4caf0ffdd0e5c1211edbe

SHA512
39f77b2a752f36918b4ccd286ac428302d37a8edd566a0226cd1c000a6fc029e8c05f8cc90de21143a678fcae62c28bf05e94d454c193f32c21a3448c0046116

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-iamjzcn.cmdline
Filesize
349B

MD5
c5bdf66d0e19cdf668b7c0c7505bbcc1

SHA1
24301a991c0441de3cdca05f2cd227c98cdefa6a

SHA256
35a1fe8d54b9be859ca0b9b5e89d44cdc073e4f6d5344311cf6effa68d0c7032

SHA512
4cac70f344f79d0b7fcb7a85ce0911528ad710438aedf956df6fcadce98bd9d782cfa4d560ea644aad1c321fbe424e56668d89975baddc76d9ae7a119ba5014b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6B71.tmp
Filesize
676B

MD5
198230c5bbbd4516f1c799ffd822b585

SHA1
26f6edab2e11e61cf5852ba6024ab4465ad57f79

SHA256
1ead368f28386aee9b0fa59bcc285b3a69151666500e726fbccbbb5614852573

SHA512
ce15255c9f72d5a1aac5c219abc29206838045147fcadd2fa0ceef6455d6e0c6ad83b4b7af091a467bfdd5c28d0597b131bdfead66762775f12d73f4ca1114f3

Download Submit
\Users\Admin\AppData\Local\Temp\blmkgrp.exe
Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
\Users\Admin\AppData\Local\Temp\blmkgrp.exe
Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
\Users\Admin\AppData\Local\Temp\blmkgrp.exe
Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
\Users\Admin\AppData\Local\Temp\github.com_Blank-c_5842\python310.dll
Filesize
1.5MB

MD5
e06ce8146da66871aa8aeedc950fd12b

SHA1
6ee749bdd0bc857a41ac8018c5553e895784b961

SHA256
aabd51782e4edb80561dd2ff065079a8381c7c86a6db1c6884bc09c73cde07a4

SHA512
0d8c16832d5242595eff4993a1563de09f1eba988ca6e9bcd9afdb0891a164ea2972ac9df40f575e8e1021d535c3b807ce025bc15788f08f84c71246d64f1198

Download Submit
\Users\Admin\AppData\Local\Temp\orc.exe
Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
\Users\Admin\Downloads\plage.exe
Filesize
967KB

MD5
b03ccade490854df220914c4430967e2

SHA1
1911a59e8c4b427d3fbc8fc9c794886bd2d81305

SHA256
81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

SHA512
0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36

Download Submit
\Users\Admin\Downloads\plage.exe
Filesize
967KB

MD5
b03ccade490854df220914c4430967e2

SHA1
1911a59e8c4b427d3fbc8fc9c794886bd2d81305

SHA256
81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

SHA512
0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36

Download Submit
memory/296-84-0x0000000000000000-mapping.dmp

Download
memory/360-77-0x000007FEF3B50000-0x000007FEF3FBF000-memory.dmp

Filesize
4.4MB

Download
memory/360-64-0x0000000000000000-mapping.dmp

Download
memory/584-124-0x0000000000000000-mapping.dmp

Download
memory/584-56-0x0000000000000000-mapping.dmp

Download
memory/584-58-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/832-78-0x0000000000000000-mapping.dmp

Download
memory/1040-88-0x0000000000000000-mapping.dmp

Download
memory/1168-68-0x0000000000000000-mapping.dmp

Download
memory/1460-121-0x0000000000000000-mapping.dmp

Download
memory/1464-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1532-110-0x00000000010E0000-0x000000000112E000-memory.dmp

Filesize
312KB

Download
memory/1532-102-0x0000000000000000-mapping.dmp

Download
memory/1532-107-0x00000000003D0000-0x000000000042C000-memory.dmp

Filesize
368KB

Download
memory/1532-108-0x00000000001C0000-0x00000000001CE000-memory.dmp

Filesize
56KB

Download
memory/1532-109-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/1532-123-0x0000000000A36000-0x0000000000A55000-memory.dmp

Filesize
124KB

Download
memory/1532-111-0x0000000001130000-0x0000000001148000-memory.dmp

Filesize
96KB

Download
memory/1532-112-0x0000000001150000-0x0000000001160000-memory.dmp

Filesize
64KB

Download
memory/1532-106-0x0000000001180000-0x000000000126A000-memory.dmp

Filesize
936KB

Download
memory/1560-99-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/1560-95-0x0000000000000000-mapping.dmp

Download
memory/1560-127-0x0000000000000000-mapping.dmp

Download
memory/1628-101-0x0000000000D80000-0x0000000000D8C000-memory.dmp

Filesize
48KB

Download
memory/1656-91-0x0000000000000000-mapping.dmp

Download
memory/1824-61-0x0000000000000000-mapping.dmp

Download
memory/1824-73-0x000007FEF3FC0000-0x000007FEF49E3000-memory.dmp

Filesize
10.1MB

Download
memory/1824-87-0x000007FEF2BF0000-0x000007FEF3C86000-memory.dmp

Filesize
16.6MB

Download
memory/1896-81-0x0000000000000000-mapping.dmp

Download
memory/1916-117-0x0000000001270000-0x0000000001278000-memory.dmp

Filesize
32KB

Download
memory/1916-113-0x0000000000000000-mapping.dmp

Download
memory/1972-126-0x0000000000000000-mapping.dmp

Download
memory/2012-119-0x0000000000000000-mapping.dmp

Download