orcus | cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-10-2022 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

260KB
MD5

2c7eeef34a1b35c0b025c43c7233f453
SHA1

82e361e77aaf426fcc8d18a46391ce2bf064f493
SHA256

cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9
SHA512

50178b34dadedcd370d031b668906ed3016fd79706b87fd665cfdab942a487625d552629d7ec97a300b63b012a412226b0c128a88e96a17f6189896cb2473010
SSDEEP

6144:8ea7tvhFs3Huy3Pu2eAHNabHtqY+dpEnPM43:67FPeOy3Pu8hNdpEk4

Score

10^/10

orcus plaguebot quasar skynet botnet evasion persistence rat spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

SKYNET

173.225.115.99:7702

Mutex

938cda17-a814-4925-8420-83a35a350164

Attributes

encryption_key
F04A75E6507173FAEEC2BB82C564030A5E8413FF
install_name
FileHistory.exe
log_directory
Logs
reconnect_delay
4000
startup_key
FileHistory
subdirectory
FileHistory

Extracted

Family

orcus

146.70.143.176:81

Mutex

712d31c7a3f54904a08d968a15b836e9

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\orc\orc.exe
reconnect_delay
10000
registry_keyname
orc
taskscheduler_taskname
orc
watchdog_path
AppData\Watchdog.exe

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sqls921.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\sqls921.exe	disable_win_def
behavioral1/memory/1324-77-0x0000000001260000-0x000000000126A000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

sqls921.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	sqls921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sqls921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sqls921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sqls921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	sqls921.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

sqls921.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	sqls921.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Start = "4"	sqls921.exe

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\orc.exe	family_orcus
C:\Users\Admin\AppData\Local\Temp\orc.exe	family_orcus
\Users\Admin\AppData\Local\Temp\orc.exe	family_orcus
C:\Program Files\orc\orc.exe	family_orcus
C:\Program Files\orc\orc.exe	family_orcus
C:\Program Files\orc\orc.exe	family_orcus

PlagueBot
PlagueBot is an open source Bot written in Pascal.
botnet plaguebot
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\FileHistory.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\FileHistory.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\FileHistory.exe	family_quasar
behavioral1/memory/1624-96-0x0000000001140000-0x000000000140A000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe	family_quasar
C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe	family_quasar
behavioral1/memory/944-122-0x0000000000F50000-0x000000000121A000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1996 created 1208 1996 tmp.exe Explorer.EXE

description	pid	process	target process
PID 1996 created 1208	1996	tmp.exe	Explorer.EXE

Orcurs Rat Executable 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\orc.exe	orcus
C:\Users\Admin\AppData\Local\Temp\orc.exe	orcus
\Users\Admin\AppData\Local\Temp\orc.exe	orcus
C:\Program Files\orc\orc.exe	orcus
C:\Program Files\orc\orc.exe	orcus
behavioral1/memory/1128-153-0x0000000000FC0000-0x00000000010AA000-memory.dmp	orcus
C:\Program Files\orc\orc.exe	orcus

PlagueBot Executable 9 IoCs

Processes:

resource	yara_rule
\Users\Admin\Downloads\plage.exe	plaguebot
\Users\Admin\Downloads\plage.exe	plaguebot
C:\Users\Admin\Downloads\plage.exe	plaguebot
C:\Users\Admin\Downloads\plage.exe	plaguebot
\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot
\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgr.exe	plaguebot
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot

Downloads MZ/PE file

Executes dropped EXE 19 IoCs

Processes:

joined.exesqls921.exenitrsso64.exeFileHistory.exeorc.exeplage.exewinmgr.exeFileHistory.exeWindowsInput.exeWindowsInput.exeblmkgrp.exeblmkgrp.exeorc.exeWatchdog.exeWatchdog.exeorc.exeExplorer.EXEnitrsso64.exenitrsso64.exe

pid	process
888	joined.exe
1324	sqls921.exe
2000	nitrsso64.exe
1624	FileHistory.exe
1836	orc.exe
1200	plage.exe
432	winmgr.exe
944	FileHistory.exe
1376	WindowsInput.exe
976	WindowsInput.exe
1996	blmkgrp.exe
680	blmkgrp.exe
1128	orc.exe
948	Watchdog.exe
1872	Watchdog.exe
1344	orc.exe
1208	Explorer.EXE
432	nitrsso64.exe
788	nitrsso64.exe

Drops startup file 3 IoCs

Processes:

plage.exewinmgr.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgr.exe	plage.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgr.exe	plage.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgr.exe	winmgr.exe

Loads dropped DLL 14 IoCs

Processes:

tmp.exetmp.exeplage.exeblmkgrp.exeblmkgrp.exeExplorer.EXEtaskeng.exe

pid	process
1996	tmp.exe
1996	tmp.exe
1600	tmp.exe
1600	tmp.exe
1600	tmp.exe
1600	tmp.exe
1600	tmp.exe
1200	plage.exe
1200	plage.exe
1600	tmp.exe
1996	blmkgrp.exe
680	blmkgrp.exe
1208	Explorer.EXE
1580	taskeng.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sqls921.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	sqls921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	sqls921.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

plage.exeorc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinManager = "C:\\Users\\Admin\\AppData\\Roaming\\discordnitro\\winmgr.exe"	plage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\orc = "\"C:\\Program Files\\orc\\orc.exe\""	orc.exe

Drops file in System32 directory 2 IoCs

Processes:

orc.exe

description ioc process

File created C:\Windows\SysWOW64\WindowsInput.exe orc.exe
File created C:\Windows\SysWOW64\WindowsInput.exe.config orc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1996 set thread context of 1600 1996 tmp.exe tmp.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	orc.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	orc.exe

description	pid	process	target process
PID 1996 set thread context of 1600	1996	tmp.exe	tmp.exe

Drops file in Program Files directory 3 IoCs

Processes:

orc.exe

description	ioc	process
File created	C:\Program Files\orc\orc.exe	orc.exe
File opened for modification	C:\Program Files\orc\orc.exe	orc.exe
File created	C:\Program Files\orc\orc.exe.config	orc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1704 schtasks.exe
1880 schtasks.exe
1984 schtasks.exe
1068 schtasks.exe
1740 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1520 timeout.exe

pid	process
1704	schtasks.exe
1880	schtasks.exe
1984	schtasks.exe
1068	schtasks.exe
1740	schtasks.exe

pid	process
1520	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeWatchdog.exeorc.exe

pid	process
968	powershell.exe
1872	Watchdog.exe
1872	Watchdog.exe
1128	orc.exe
1128	orc.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe
1872	Watchdog.exe
1128	orc.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exenitrsso64.exeFileHistory.exeFileHistory.exeWatchdog.exeWatchdog.exeorc.exenitrsso64.exenitrsso64.exe

description	pid	process
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	2000	nitrsso64.exe
Token: SeDebugPrivilege	1624	FileHistory.exe
Token: SeDebugPrivilege	944	FileHistory.exe
Token: SeDebugPrivilege	948	Watchdog.exe
Token: SeDebugPrivilege	1872	Watchdog.exe
Token: SeDebugPrivilege	1128	orc.exe
Token: SeDebugPrivilege	432	nitrsso64.exe
Token: SeDebugPrivilege	788	nitrsso64.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

nitrsso64.exeFileHistory.exenitrsso64.exe

pid process

2000 nitrsso64.exe
944 FileHistory.exe
432 nitrsso64.exe

pid	process
2000	nitrsso64.exe
944	FileHistory.exe
432	nitrsso64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exejoined.exesqls921.exetmp.exenitrsso64.exeplage.exeFileHistory.exeFileHistory.exe

description	pid	process	target process
PID 1996 wrote to memory of 888	1996	tmp.exe	joined.exe
PID 1996 wrote to memory of 888	1996	tmp.exe	joined.exe
PID 1996 wrote to memory of 888	1996	tmp.exe	joined.exe
PID 1996 wrote to memory of 888	1996	tmp.exe	joined.exe
PID 1996 wrote to memory of 1600	1996	tmp.exe	tmp.exe
PID 1996 wrote to memory of 1600	1996	tmp.exe	tmp.exe
PID 1996 wrote to memory of 1600	1996	tmp.exe	tmp.exe
PID 1996 wrote to memory of 1600	1996	tmp.exe	tmp.exe
PID 1996 wrote to memory of 1600	1996	tmp.exe	tmp.exe
PID 1996 wrote to memory of 1600	1996	tmp.exe	tmp.exe
PID 1996 wrote to memory of 1600	1996	tmp.exe	tmp.exe
PID 1996 wrote to memory of 1600	1996	tmp.exe	tmp.exe
PID 1996 wrote to memory of 1600	1996	tmp.exe	tmp.exe
PID 888 wrote to memory of 1324	888	joined.exe	sqls921.exe
PID 888 wrote to memory of 1324	888	joined.exe	sqls921.exe
PID 888 wrote to memory of 1324	888	joined.exe	sqls921.exe
PID 888 wrote to memory of 1324	888	joined.exe	sqls921.exe
PID 1324 wrote to memory of 968	1324	sqls921.exe	powershell.exe
PID 1324 wrote to memory of 968	1324	sqls921.exe	powershell.exe
PID 1324 wrote to memory of 968	1324	sqls921.exe	powershell.exe
PID 1324 wrote to memory of 968	1324	sqls921.exe	powershell.exe
PID 1324 wrote to memory of 1068	1324	sqls921.exe	schtasks.exe
PID 1324 wrote to memory of 1068	1324	sqls921.exe	schtasks.exe
PID 1324 wrote to memory of 1068	1324	sqls921.exe	schtasks.exe
PID 1324 wrote to memory of 1068	1324	sqls921.exe	schtasks.exe
PID 1600 wrote to memory of 2000	1600	tmp.exe	nitrsso64.exe
PID 1600 wrote to memory of 2000	1600	tmp.exe	nitrsso64.exe
PID 1600 wrote to memory of 2000	1600	tmp.exe	nitrsso64.exe
PID 1600 wrote to memory of 2000	1600	tmp.exe	nitrsso64.exe
PID 2000 wrote to memory of 1740	2000	nitrsso64.exe	schtasks.exe
PID 2000 wrote to memory of 1740	2000	nitrsso64.exe	schtasks.exe
PID 2000 wrote to memory of 1740	2000	nitrsso64.exe	schtasks.exe
PID 1600 wrote to memory of 1624	1600	tmp.exe	FileHistory.exe
PID 1600 wrote to memory of 1624	1600	tmp.exe	FileHistory.exe
PID 1600 wrote to memory of 1624	1600	tmp.exe	FileHistory.exe
PID 1600 wrote to memory of 1624	1600	tmp.exe	FileHistory.exe
PID 1600 wrote to memory of 1836	1600	tmp.exe	orc.exe
PID 1600 wrote to memory of 1836	1600	tmp.exe	orc.exe
PID 1600 wrote to memory of 1836	1600	tmp.exe	orc.exe
PID 1600 wrote to memory of 1836	1600	tmp.exe	orc.exe
PID 1600 wrote to memory of 1200	1600	tmp.exe	plage.exe
PID 1600 wrote to memory of 1200	1600	tmp.exe	plage.exe
PID 1600 wrote to memory of 1200	1600	tmp.exe	plage.exe
PID 1600 wrote to memory of 1200	1600	tmp.exe	plage.exe
PID 1200 wrote to memory of 1704	1200	plage.exe	schtasks.exe
PID 1200 wrote to memory of 1704	1200	plage.exe	schtasks.exe
PID 1200 wrote to memory of 1704	1200	plage.exe	schtasks.exe
PID 1200 wrote to memory of 1704	1200	plage.exe	schtasks.exe
PID 1200 wrote to memory of 1828	1200	plage.exe	schtasks.exe
PID 1200 wrote to memory of 1828	1200	plage.exe	schtasks.exe
PID 1200 wrote to memory of 1828	1200	plage.exe	schtasks.exe
PID 1200 wrote to memory of 1828	1200	plage.exe	schtasks.exe
PID 1200 wrote to memory of 432	1200	plage.exe	winmgr.exe
PID 1200 wrote to memory of 432	1200	plage.exe	winmgr.exe
PID 1200 wrote to memory of 432	1200	plage.exe	winmgr.exe
PID 1200 wrote to memory of 432	1200	plage.exe	winmgr.exe
PID 1624 wrote to memory of 1880	1624	FileHistory.exe	schtasks.exe
PID 1624 wrote to memory of 1880	1624	FileHistory.exe	schtasks.exe
PID 1624 wrote to memory of 1880	1624	FileHistory.exe	schtasks.exe
PID 1624 wrote to memory of 944	1624	FileHistory.exe	FileHistory.exe
PID 1624 wrote to memory of 944	1624	FileHistory.exe	FileHistory.exe
PID 1624 wrote to memory of 944	1624	FileHistory.exe	FileHistory.exe
PID 944 wrote to memory of 1984	944	FileHistory.exe	schtasks.exe
PID 944 wrote to memory of 1984	944	FileHistory.exe	schtasks.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\joined.exe
    "C:\Users\Admin\AppData\Local\Temp\joined.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Users\Admin\AppData\Local\Temp\sqls921.exe
      "C:\Users\Admin\AppData\Local\Temp\sqls921.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Modifies security service
      Executes dropped EXE
      Windows security modification
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\sqls921.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1068
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\nitrsso64.exe
    "C:\Users\Admin\AppData\Local\Temp\nitrsso64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "nitro64" /tr "C:\Users\Admin\AppData\Local\nitrsso64.exe"
      4⤵
      Creates scheduled task(s)
      PID:1740
- - C:\Users\Admin\AppData\Local\Temp\FileHistory.exe
    "C:\Users\Admin\AppData\Local\Temp\FileHistory.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "FileHistory" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\FileHistory.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1880
  - - C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe
      "C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "FileHistory" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1984
- - C:\Users\Admin\AppData\Local\Temp\orc.exe
    "C:\Users\Admin\AppData\Local\Temp\orc.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:1836
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mbfhjm-p.cmdline"
      4⤵
      PID:1408
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29D0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC29CF.tmp"
        5⤵
        
        PID:108
  - - C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      4⤵
      Executes dropped EXE
      PID:1376
  - - C:\Program Files\orc\orc.exe
      "C:\Program Files\orc\orc.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1128
    - - C:\Users\Admin\AppData\Roaming\Watchdog.exe
        
        "C:\Users\Admin\AppData\Roaming\Watchdog.exe" /launchSelfAndExit "C:\Program Files\orc\orc.exe" 1128 /protectFile
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
      - C:\Users\Admin\AppData\Roaming\Watchdog.exe
        
        "C:\Users\Admin\AppData\Roaming\Watchdog.exe" /watchProcess "C:\Program Files\orc\orc.exe" 1128 "/protectFile"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
- - C:\Users\Admin\Downloads\plage.exe
    "C:\Users\Admin\Downloads\plage.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"
      4⤵
      Creates scheduled task(s)
      PID:1704
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Query /FO "LIST" /TN "WinManager"
      4⤵
      PID:1828
  - - C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
      "C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe" /wait
      4⤵
      Executes dropped EXE
      Drops startup file
      PID:432
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN "WinManager"
        5⤵
        
        PID:1100
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C timeout 5 & del /F /Q "C:\Users\Admin\AppData\Roaming\discordnitro\*.*" & rmdir "C:\Users\Admin\AppData\Roaming\discordnitro"
        5⤵
        
        PID:1164
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        6⤵
        Delays execution with timeout.exe
        
        PID:1520
- - C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe
    "C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe
      "C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:680

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:976

C:\Windows\system32\taskeng.exe
taskeng.exe {BABAC9C3-73AF-4561-B09E-2F96761C5595} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:1580
- C:\Program Files\orc\orc.exe
  "C:\Program Files\orc\orc.exe"
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Users\Admin\AppData\Local\nitrsso64.exe
  C:\Users\Admin\AppData\Local\nitrsso64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:432
- C:\Users\Admin\AppData\Local\nitrsso64.exe
  C:\Users\Admin\AppData\Local\nitrsso64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\orc\orc.exe

Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Program Files\orc\orc.exe

Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Program Files\orc\orc.exe

Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Program Files\orc\orc.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I9NA5QYV\nitro64[1].exe

Filesize
54KB

MD5
ebd7887003feaad033856253c14de51c

SHA1
1ef092f6c79df2e57c8a49469e4b44815d384948

SHA256
faca607d5b505b97923a02c6a7b92517aaa6523d611126609663b0deaf23a315

SHA512
969b45cad215ce2632e044b0d5712a7dfdd1c43083477fc1277a981d3771d2738e0972dc81c82cc8fb198c345b5afa235c306ffb85b8c5f493482fc70d8d929a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FileHistory.exe

Filesize
2.8MB

MD5
a73e083297e46d8e23f012d66a08f3a3

SHA1
83527df5a484494894ad2c71908a170a115751af

SHA256
0ef4667fb2bd5b2184048913181bd7b03bf63d0e7959214b879efa4d6b75ad5d

SHA512
78c2231eb48ed1f246b960b1afbd2b6b1c9b99495b2a1e8b45ea1aa90a21fbd23fd10223dbc7eba9aa057b5932290e20cdcfe2df583b1a93d2cea2bf350495f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FileHistory.exe

Filesize
2.8MB

MD5
a73e083297e46d8e23f012d66a08f3a3

SHA1
83527df5a484494894ad2c71908a170a115751af

SHA256
0ef4667fb2bd5b2184048913181bd7b03bf63d0e7959214b879efa4d6b75ad5d

SHA512
78c2231eb48ed1f246b960b1afbd2b6b1c9b99495b2a1e8b45ea1aa90a21fbd23fd10223dbc7eba9aa057b5932290e20cdcfe2df583b1a93d2cea2bf350495f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NewTask.xml

Filesize
1KB

MD5
176a7d7fe16ee2475fd31a9234b388b9

SHA1
0493f3b0765719d40f2a839ff69136bb8754b772

SHA256
4f866be5c34027dd77f6ab21a1e15c3be03db0de811c1d5bbe65480cb88fb6c1

SHA512
a312c9fff6301040c86c9f488185966727d23862f7bd8200737ca23932ae5aa0f41aaed56e3a5379dcbd271362c8c083897ed8539fd013c2fcb63ee547083301

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES29D0.tmp

Filesize
1KB

MD5
9f927b51cc2fc738ac430ec176581a8a

SHA1
039b3bbf6f53f73f0e9615e60f2266de8ab81466

SHA256
9dd0dad0e7fae4334cf0a20db13fcf510280abe7ce03503706b5938e44572e80

SHA512
ae7b63e9416084ab6dcdd9cf4dd616ed2abef11066f9a521ca5dd5b339ab612ec8eda3186b5a188869afa1cdac496425698cb6f8450fb132ffd08a039d444c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe

Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe

Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe

Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_19962\python310.dll

Filesize
1.5MB

MD5
e06ce8146da66871aa8aeedc950fd12b

SHA1
6ee749bdd0bc857a41ac8018c5553e895784b961

SHA256
aabd51782e4edb80561dd2ff065079a8381c7c86a6db1c6884bc09c73cde07a4

SHA512
0d8c16832d5242595eff4993a1563de09f1eba988ca6e9bcd9afdb0891a164ea2972ac9df40f575e8e1021d535c3b807ce025bc15788f08f84c71246d64f1198

Download Submit
C:\Users\Admin\AppData\Local\Temp\joined.exe

Filesize
56KB

MD5
cf96dc2c8aa103b404761701c0e9e38e

SHA1
84c300ec07b1182ee095e9550395e1d5669934ca

SHA256
6dc79af279e0324e3afb2621d812510d47fe29226cf3af1b37beee37fe2cada8

SHA512
2e66127e212f014da3cb2f2e0fd2b969639d3e7ffb18d343e107e0449d889ebc262d96ac7b47ca8b95909790d7175afd509b9e3a1d7f34d5cb0bcb49058a9ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\joined.exe

Filesize
56KB

MD5
cf96dc2c8aa103b404761701c0e9e38e

SHA1
84c300ec07b1182ee095e9550395e1d5669934ca

SHA256
6dc79af279e0324e3afb2621d812510d47fe29226cf3af1b37beee37fe2cada8

SHA512
2e66127e212f014da3cb2f2e0fd2b969639d3e7ffb18d343e107e0449d889ebc262d96ac7b47ca8b95909790d7175afd509b9e3a1d7f34d5cb0bcb49058a9ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbfhjm-p.dll

Filesize
76KB

MD5
3f641731f5fe26d14cfe24c806791720

SHA1
7f2d7d843d0fcd611b895cfda31ab43e8a71f989

SHA256
173cce128fee385ab8dc15455c9c3d425d0824130efc48bf77f290c3f4ec5a1b

SHA512
3467832d6bda58a157978c96af62746ba842727bde6ed509b368a046ea6740957d9c6530543fe9f915f8175823d192fb28814a21f671b6da401ad58f088076b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nitrsso64.exe

Filesize
54KB

MD5
ebd7887003feaad033856253c14de51c

SHA1
1ef092f6c79df2e57c8a49469e4b44815d384948

SHA256
faca607d5b505b97923a02c6a7b92517aaa6523d611126609663b0deaf23a315

SHA512
969b45cad215ce2632e044b0d5712a7dfdd1c43083477fc1277a981d3771d2738e0972dc81c82cc8fb198c345b5afa235c306ffb85b8c5f493482fc70d8d929a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nitrsso64.exe

Filesize
54KB

MD5
ebd7887003feaad033856253c14de51c

SHA1
1ef092f6c79df2e57c8a49469e4b44815d384948

SHA256
faca607d5b505b97923a02c6a7b92517aaa6523d611126609663b0deaf23a315

SHA512
969b45cad215ce2632e044b0d5712a7dfdd1c43083477fc1277a981d3771d2738e0972dc81c82cc8fb198c345b5afa235c306ffb85b8c5f493482fc70d8d929a

Download Submit
C:\Users\Admin\AppData\Local\Temp\orc.exe

Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\orc.exe

Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqls921.exe

Filesize
16KB

MD5
d7f2c50640108c104286ef71923c70d7

SHA1
7ccd84daed8ca9572ae3a8c98c38adf753fb8f33

SHA256
53aef6261df3f802393d9196a5c87e69d1e07e2aaff45a606344b91f5801255a

SHA512
eeb34a038920d0ff833f3140afd256dd6a0ea589052223d9bf61135d4557e8302e582782893348a7d40ef07af0c68a3068a052822d244ad65b7365cd0aeea0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqls921.exe

Filesize
16KB

MD5
d7f2c50640108c104286ef71923c70d7

SHA1
7ccd84daed8ca9572ae3a8c98c38adf753fb8f33

SHA256
53aef6261df3f802393d9196a5c87e69d1e07e2aaff45a606344b91f5801255a

SHA512
eeb34a038920d0ff833f3140afd256dd6a0ea589052223d9bf61135d4557e8302e582782893348a7d40ef07af0c68a3068a052822d244ad65b7365cd0aeea0f0

Download Submit
C:\Users\Admin\AppData\Local\nitrsso64.exe

Filesize
54KB

MD5
ebd7887003feaad033856253c14de51c

SHA1
1ef092f6c79df2e57c8a49469e4b44815d384948

SHA256
faca607d5b505b97923a02c6a7b92517aaa6523d611126609663b0deaf23a315

SHA512
969b45cad215ce2632e044b0d5712a7dfdd1c43083477fc1277a981d3771d2738e0972dc81c82cc8fb198c345b5afa235c306ffb85b8c5f493482fc70d8d929a

Download Submit
C:\Users\Admin\AppData\Local\nitrsso64.exe

Filesize
54KB

MD5
ebd7887003feaad033856253c14de51c

SHA1
1ef092f6c79df2e57c8a49469e4b44815d384948

SHA256
faca607d5b505b97923a02c6a7b92517aaa6523d611126609663b0deaf23a315

SHA512
969b45cad215ce2632e044b0d5712a7dfdd1c43083477fc1277a981d3771d2738e0972dc81c82cc8fb198c345b5afa235c306ffb85b8c5f493482fc70d8d929a

Download Submit
C:\Users\Admin\AppData\Local\nitrsso64.exe

Filesize
54KB

MD5
ebd7887003feaad033856253c14de51c

SHA1
1ef092f6c79df2e57c8a49469e4b44815d384948

SHA256
faca607d5b505b97923a02c6a7b92517aaa6523d611126609663b0deaf23a315

SHA512
969b45cad215ce2632e044b0d5712a7dfdd1c43083477fc1277a981d3771d2738e0972dc81c82cc8fb198c345b5afa235c306ffb85b8c5f493482fc70d8d929a

Download Submit
C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe

Filesize
2.8MB

MD5
a73e083297e46d8e23f012d66a08f3a3

SHA1
83527df5a484494894ad2c71908a170a115751af

SHA256
0ef4667fb2bd5b2184048913181bd7b03bf63d0e7959214b879efa4d6b75ad5d

SHA512
78c2231eb48ed1f246b960b1afbd2b6b1c9b99495b2a1e8b45ea1aa90a21fbd23fd10223dbc7eba9aa057b5932290e20cdcfe2df583b1a93d2cea2bf350495f2

Download Submit
C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe

Filesize
2.8MB

MD5
a73e083297e46d8e23f012d66a08f3a3

SHA1
83527df5a484494894ad2c71908a170a115751af

SHA256
0ef4667fb2bd5b2184048913181bd7b03bf63d0e7959214b879efa4d6b75ad5d

SHA512
78c2231eb48ed1f246b960b1afbd2b6b1c9b99495b2a1e8b45ea1aa90a21fbd23fd10223dbc7eba9aa057b5932290e20cdcfe2df583b1a93d2cea2bf350495f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgr.exe

Filesize
967KB

MD5
b03ccade490854df220914c4430967e2

SHA1
1911a59e8c4b427d3fbc8fc9c794886bd2d81305

SHA256
81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

SHA512
0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe

Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe

Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
C:\Users\Admin\Downloads\plage.exe

Filesize
967KB

MD5
b03ccade490854df220914c4430967e2

SHA1
1911a59e8c4b427d3fbc8fc9c794886bd2d81305

SHA256
81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

SHA512
0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36

Download Submit
C:\Users\Admin\Downloads\plage.exe

Filesize
967KB

MD5
b03ccade490854df220914c4430967e2

SHA1
1911a59e8c4b427d3fbc8fc9c794886bd2d81305

SHA256
81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

SHA512
0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC29CF.tmp

Filesize
676B

MD5
1b51af4d94e4b3b829673598709a5a7f

SHA1
5fa2263993db68eec5c25c3448d6577fcd3f448d

SHA256
dc43d1a62c6bcf895d0fdace297275a4a06aacd5fc92781dfd4d96e600e8b8af

SHA512
13253022bb38731ed28b3fe456bb5e19d6a34cf7915ee6ae8f813543c231679e555c631139eac47efb778c2290c0f2ffd29f9e908a733a4856b17389c778503c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mbfhjm-p.0.cs

Filesize
208KB

MD5
c555d9796194c1d9a1310a05a2264e08

SHA1
82641fc4938680519c3b2e925e05e1001cbd71d7

SHA256
ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a

SHA512
0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mbfhjm-p.cmdline

Filesize
349B

MD5
fd38b07de70dc6ee1cdf6a4101b2c3a6

SHA1
f98c60f1b0f0402969ccfe7043dce09d1c40911e

SHA256
d5aa030b7831f944b2f978975582b23e21e4d412e5c4232a67c73ae86096790f

SHA512
7d325d9fb25c1835009c5f8f89caf2f15f7ee00bb573646c2b33687152092a159baa81d5a8a3444262a64ef3de982924a9c7c30ba2a0e17637d3225c8ccfd9a1

Download Submit
\Users\Admin\AppData\Local\Temp\FileHistory.exe

Filesize
2.8MB

MD5
a73e083297e46d8e23f012d66a08f3a3

SHA1
83527df5a484494894ad2c71908a170a115751af

SHA256
0ef4667fb2bd5b2184048913181bd7b03bf63d0e7959214b879efa4d6b75ad5d

SHA512
78c2231eb48ed1f246b960b1afbd2b6b1c9b99495b2a1e8b45ea1aa90a21fbd23fd10223dbc7eba9aa057b5932290e20cdcfe2df583b1a93d2cea2bf350495f2

Download Submit
\Users\Admin\AppData\Local\Temp\blmkgrp.exe

Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
\Users\Admin\AppData\Local\Temp\blmkgrp.exe

Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
\Users\Admin\AppData\Local\Temp\blmkgrp.exe

Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
\Users\Admin\AppData\Local\Temp\blmkgrp.exe

Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
\Users\Admin\AppData\Local\Temp\github.com_Blank-c_19962\python310.dll

Filesize
1.5MB

MD5
e06ce8146da66871aa8aeedc950fd12b

SHA1
6ee749bdd0bc857a41ac8018c5553e895784b961

SHA256
aabd51782e4edb80561dd2ff065079a8381c7c86a6db1c6884bc09c73cde07a4

SHA512
0d8c16832d5242595eff4993a1563de09f1eba988ca6e9bcd9afdb0891a164ea2972ac9df40f575e8e1021d535c3b807ce025bc15788f08f84c71246d64f1198

Download Submit
\Users\Admin\AppData\Local\Temp\joined.exe

Filesize
56KB

MD5
cf96dc2c8aa103b404761701c0e9e38e

SHA1
84c300ec07b1182ee095e9550395e1d5669934ca

SHA256
6dc79af279e0324e3afb2621d812510d47fe29226cf3af1b37beee37fe2cada8

SHA512
2e66127e212f014da3cb2f2e0fd2b969639d3e7ffb18d343e107e0449d889ebc262d96ac7b47ca8b95909790d7175afd509b9e3a1d7f34d5cb0bcb49058a9ca5

Download Submit
\Users\Admin\AppData\Local\Temp\joined.exe

Filesize
56KB

MD5
cf96dc2c8aa103b404761701c0e9e38e

SHA1
84c300ec07b1182ee095e9550395e1d5669934ca

SHA256
6dc79af279e0324e3afb2621d812510d47fe29226cf3af1b37beee37fe2cada8

SHA512
2e66127e212f014da3cb2f2e0fd2b969639d3e7ffb18d343e107e0449d889ebc262d96ac7b47ca8b95909790d7175afd509b9e3a1d7f34d5cb0bcb49058a9ca5

Download Submit
\Users\Admin\AppData\Local\Temp\nitrsso64.exe

Filesize
54KB

MD5
ebd7887003feaad033856253c14de51c

SHA1
1ef092f6c79df2e57c8a49469e4b44815d384948

SHA256
faca607d5b505b97923a02c6a7b92517aaa6523d611126609663b0deaf23a315

SHA512
969b45cad215ce2632e044b0d5712a7dfdd1c43083477fc1277a981d3771d2738e0972dc81c82cc8fb198c345b5afa235c306ffb85b8c5f493482fc70d8d929a

Download Submit
\Users\Admin\AppData\Local\Temp\orc.exe

Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
\Users\Admin\AppData\Local\nitrsso64.exe

Filesize
54KB

MD5
ebd7887003feaad033856253c14de51c

SHA1
1ef092f6c79df2e57c8a49469e4b44815d384948

SHA256
faca607d5b505b97923a02c6a7b92517aaa6523d611126609663b0deaf23a315

SHA512
969b45cad215ce2632e044b0d5712a7dfdd1c43083477fc1277a981d3771d2738e0972dc81c82cc8fb198c345b5afa235c306ffb85b8c5f493482fc70d8d929a

Download Submit
\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe

Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe

Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
\Users\Admin\Downloads\plage.exe

Filesize
967KB

MD5
b03ccade490854df220914c4430967e2

SHA1
1911a59e8c4b427d3fbc8fc9c794886bd2d81305

SHA256
81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

SHA512
0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36

Download Submit
\Users\Admin\Downloads\plage.exe

Filesize
967KB

MD5
b03ccade490854df220914c4430967e2

SHA1
1911a59e8c4b427d3fbc8fc9c794886bd2d81305

SHA256
81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

SHA512
0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36

Download Submit
memory/108-128-0x0000000000000000-mapping.dmp

Download
memory/432-115-0x0000000000000000-mapping.dmp

Download
memory/432-183-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/432-180-0x0000000000000000-mapping.dmp

Download
memory/680-157-0x000007FEE7C40000-0x000007FEE80AF000-memory.dmp

Filesize
4.4MB

Download
memory/680-144-0x0000000000000000-mapping.dmp

Download
memory/788-184-0x0000000000000000-mapping.dmp

Download
memory/788-186-0x0000000000EF0000-0x0000000000F02000-memory.dmp

Filesize
72KB

Download
memory/888-70-0x000007FEF33C0000-0x000007FEF3DE3000-memory.dmp

Filesize
10.1MB

Download
memory/888-58-0x0000000000000000-mapping.dmp

Download
memory/888-73-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/944-119-0x0000000000000000-mapping.dmp

Download
memory/944-122-0x0000000000F50000-0x000000000121A000-memory.dmp

Filesize
2.8MB

Download
memory/948-165-0x0000000000850000-0x0000000000858000-memory.dmp

Filesize
32KB

Download
memory/948-161-0x0000000000000000-mapping.dmp

Download
memory/968-80-0x0000000071130000-0x00000000716DB000-memory.dmp

Filesize
5.7MB

Download
memory/968-81-0x0000000071130000-0x00000000716DB000-memory.dmp

Filesize
5.7MB

Download
memory/968-78-0x0000000000000000-mapping.dmp

Download
memory/976-137-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/1068-82-0x0000000000000000-mapping.dmp

Download
memory/1100-174-0x0000000000000000-mapping.dmp

Download
memory/1128-154-0x0000000000460000-0x00000000004BC000-memory.dmp

Filesize
368KB

Download
memory/1128-153-0x0000000000FC0000-0x00000000010AA000-memory.dmp

Filesize
936KB

Download
memory/1128-158-0x0000000000C50000-0x0000000000C9E000-memory.dmp

Filesize
312KB

Download
memory/1128-156-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/1128-171-0x000000001B026000-0x000000001B045000-memory.dmp

Filesize
124KB

Download
memory/1128-155-0x00000000001E0000-0x00000000001EE000-memory.dmp

Filesize
56KB

Download
memory/1128-149-0x0000000000000000-mapping.dmp

Download
memory/1128-160-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

Filesize
64KB

Download
memory/1128-159-0x0000000000CA0000-0x0000000000CB8000-memory.dmp

Filesize
96KB

Download
memory/1164-177-0x0000000000000000-mapping.dmp

Download
memory/1200-106-0x0000000000000000-mapping.dmp

Download
memory/1324-74-0x0000000000000000-mapping.dmp

Download
memory/1324-77-0x0000000001260000-0x000000000126A000-memory.dmp

Filesize
40KB

Download
memory/1344-169-0x0000000000000000-mapping.dmp

Download
memory/1376-132-0x0000000000000000-mapping.dmp

Download
memory/1408-125-0x0000000000000000-mapping.dmp

Download
memory/1520-178-0x0000000000000000-mapping.dmp

Download
memory/1600-59-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1600-69-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1600-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1600-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1600-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1600-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1600-67-0x0000000000401000-mapping.dmp

Download
memory/1600-65-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1624-93-0x0000000000000000-mapping.dmp

Download
memory/1624-96-0x0000000001140000-0x000000000140A000-memory.dmp

Filesize
2.8MB

Download
memory/1704-110-0x0000000000000000-mapping.dmp

Download
memory/1740-91-0x0000000000000000-mapping.dmp

Download
memory/1828-112-0x0000000000000000-mapping.dmp

Download
memory/1836-99-0x0000000000000000-mapping.dmp

Download
memory/1836-102-0x000007FEEBAB0000-0x000007FEEC4D3000-memory.dmp

Filesize
10.1MB

Download
memory/1836-103-0x000007FEEAA10000-0x000007FEEBAA6000-memory.dmp

Filesize
16.6MB

Download
memory/1872-167-0x0000000000000000-mapping.dmp

Download
memory/1880-118-0x0000000000000000-mapping.dmp

Download
memory/1984-124-0x0000000000000000-mapping.dmp

Download
memory/1996-139-0x0000000000000000-mapping.dmp

Download
memory/1996-55-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1996-54-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2000-89-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/2000-84-0x0000000000000000-mapping.dmp

Download
memory/2000-88-0x0000000000160000-0x0000000000176000-memory.dmp

Filesize
88KB

Download
memory/2000-87-0x0000000000DE0000-0x0000000000DF2000-memory.dmp

Filesize
72KB

Download