orcus | ece849a1ae5c71db8aaac5ad98d2022e05448083120ff3f1f758c2c020d1d03e

Analysis

max time kernel
168s
max time network
210s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

newResultprot.exe
Size

3.3MB
MD5

3ee4cc4a7fe52761e3cb486a6c2d8e3e
SHA1

c96c9bcdcc57cfc497f4b831398145b307c42b73
SHA256

ece849a1ae5c71db8aaac5ad98d2022e05448083120ff3f1f758c2c020d1d03e
SHA512

848e1a6dde72c3e3bdecdfb9bbe8e8e9d126fed1996a95b0294f18aee19f23c61a0d8a8947294a3a01f587edf37a59df11ce249611effd54832cbad940398515
SSDEEP

98304:F49p/IqTL48s8QLbr4jYgc3TZyd2H+L05kJj9878I:Fm5xzgLQjYg6NsvrGQ

Score

10^/10

orcus isehaaa collection persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Isehaaa

graphics-absorption.at.ply.gg:34218

Mutex

0dae1eed35bd43dc93a1d73544aa5ccf

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
C:\Program Files\Java\jdk-19\lib\javaw.exe
reconnect_delay
10000
registry_keyname
javaww
taskscheduler_taskname
javawww
watchdog_path
Temp\Runtime Broker.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 6 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\javaw.exe	family_orcus
C:\Users\Admin\AppData\Local\Temp\javaw.exe	family_orcus
C:\Users\Admin\AppData\Local\Temp\javaw.exe	family_orcus
C:\Program Files\Java\jdk-19\lib\javaw.exe	family_orcus
C:\Program Files\Java\jdk-19\lib\javaw.exe	family_orcus
C:\Program Files\Java\jdk-19\lib\javaw.exe	family_orcus

Orcurs Rat Executable 10 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\javaw.exe	orcus
C:\Users\Admin\AppData\Local\Temp\javaw.exe	orcus
C:\Users\Admin\AppData\Local\Temp\javaw.exe	orcus
behavioral1/memory/1628-63-0x0000000000400000-0x0000000000A04000-memory.dmp	orcus
behavioral1/memory/1232-67-0x0000000140000000-0x00000001405E8000-memory.dmp	orcus
behavioral1/memory/1628-69-0x0000000000400000-0x0000000000A04000-memory.dmp	orcus
C:\Program Files\Java\jdk-19\lib\javaw.exe	orcus
behavioral1/memory/1284-100-0x0000000001350000-0x0000000001440000-memory.dmp	orcus
C:\Program Files\Java\jdk-19\lib\javaw.exe	orcus
C:\Program Files\Java\jdk-19\lib\javaw.exe	orcus

Executes dropped EXE 8 IoCs

Processes:

javaw.exebuild.exeWindowsInput.exeWindowsInput.exejavaw.exejavaw.exeRuntime Broker.exeRuntime Broker.exe

pid process

1732 javaw.exe
1720 build.exe
1712 WindowsInput.exe
1172 WindowsInput.exe
1284 javaw.exe
316 javaw.exe
2044 Runtime Broker.exe
1016 Runtime Broker.exe
Loads dropped DLL 3 IoCs

Processes:

newResultprot.exeRuntime Broker.exe

pid process

1628 newResultprot.exe
1628 newResultprot.exe
2044 Runtime Broker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1732	javaw.exe
1720	build.exe
1712	WindowsInput.exe
1172	WindowsInput.exe
1284	javaw.exe
316	javaw.exe
2044	Runtime Broker.exe
1016	Runtime Broker.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

javaw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaww = "\"C:\\Program Files\\Java\\jdk-19\\lib\\javaw.exe\""	javaw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 ip-api.com
34 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
20	ip-api.com
34	icanhazip.com

Drops file in System32 directory 3 IoCs

Processes:

javaw.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	javaw.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	javaw.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

newResultprot.exe

pid process

1628 newResultprot.exe

Drops file in Program Files directory 3 IoCs

Processes:

javaw.exe

description	ioc	process
File created	C:\Program Files\Java\jdk-19\lib\javaw.exe	javaw.exe
File opened for modification	C:\Program Files\Java\jdk-19\lib\javaw.exe	javaw.exe
File created	C:\Program Files\Java\jdk-19\lib\javaw.exe.config	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

perfmon.exebuild.exeperfmon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	perfmon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	perfmon.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	build.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	build.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	perfmon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	perfmon.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

build.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	build.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	build.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	build.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	build.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	build.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	build.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	build.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	build.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

newResultprot.exetaskmgr.exeperfmon.exeperfmon.exe

pid	process
1628	newResultprot.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1624	perfmon.exe
1748	perfmon.exe
1624	perfmon.exe
1624	perfmon.exe
1748	perfmon.exe
1748	perfmon.exe
1232	taskmgr.exe
1624	perfmon.exe
1232	taskmgr.exe
1748	perfmon.exe
1748	perfmon.exe
1232	taskmgr.exe
1624	perfmon.exe
1748	perfmon.exe
1232	taskmgr.exe
1624	perfmon.exe
1748	perfmon.exe
1624	perfmon.exe
1232	taskmgr.exe
1748	perfmon.exe
1624	perfmon.exe
1232	taskmgr.exe
1748	perfmon.exe
1748	perfmon.exe
1624	perfmon.exe
1624	perfmon.exe
1232	taskmgr.exe
1748	perfmon.exe
1624	perfmon.exe
1232	taskmgr.exe
1232	taskmgr.exe
1748	perfmon.exe
1624	perfmon.exe
1232	taskmgr.exe
1748	perfmon.exe
1624	perfmon.exe
1232	taskmgr.exe
1748	perfmon.exe
1624	perfmon.exe
1232	taskmgr.exe
1748	perfmon.exe
1624	perfmon.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

taskmgr.exeperfmon.exejavaw.exe

pid process

1232 taskmgr.exe
1748 perfmon.exe
1284 javaw.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

taskmgr.exeperfmon.exeperfmon.exebuild.exejavaw.exeRuntime Broker.exeRuntime Broker.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1232	taskmgr.exe
Token: SeDebugPrivilege	1624	perfmon.exe
Token: SeSystemProfilePrivilege	1624	perfmon.exe
Token: SeCreateGlobalPrivilege	1624	perfmon.exe
Token: SeDebugPrivilege	1748	perfmon.exe
Token: SeSystemProfilePrivilege	1748	perfmon.exe
Token: SeCreateGlobalPrivilege	1748	perfmon.exe
Token: SeDebugPrivilege	1720	build.exe
Token: SeDebugPrivilege	1284	javaw.exe
Token: SeDebugPrivilege	2044	Runtime Broker.exe
Token: SeDebugPrivilege	1016	Runtime Broker.exe
Token: SeRestorePrivilege	2736	msiexec.exe
Token: SeTakeOwnershipPrivilege	2736	msiexec.exe
Token: SeSecurityPrivilege	2736	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

newResultprot.exejavaw.exe

pid process

1628 newResultprot.exe
1284 javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

newResultprot.exetaskmgr.exejavaw.execsc.exetaskeng.exejavaw.exeRuntime Broker.exebuild.execmd.execmd.exe

description	pid	process	target process
PID 1628 wrote to memory of 1732	1628	newResultprot.exe	javaw.exe
PID 1628 wrote to memory of 1732	1628	newResultprot.exe	javaw.exe
PID 1628 wrote to memory of 1732	1628	newResultprot.exe	javaw.exe
PID 1628 wrote to memory of 1732	1628	newResultprot.exe	javaw.exe
PID 1628 wrote to memory of 1720	1628	newResultprot.exe	build.exe
PID 1628 wrote to memory of 1720	1628	newResultprot.exe	build.exe
PID 1628 wrote to memory of 1720	1628	newResultprot.exe	build.exe
PID 1628 wrote to memory of 1720	1628	newResultprot.exe	build.exe
PID 1232 wrote to memory of 1624	1232	taskmgr.exe	perfmon.exe
PID 1232 wrote to memory of 1624	1232	taskmgr.exe	perfmon.exe
PID 1232 wrote to memory of 1624	1232	taskmgr.exe	perfmon.exe
PID 1232 wrote to memory of 1748	1232	taskmgr.exe	perfmon.exe
PID 1232 wrote to memory of 1748	1232	taskmgr.exe	perfmon.exe
PID 1232 wrote to memory of 1748	1232	taskmgr.exe	perfmon.exe
PID 1732 wrote to memory of 1452	1732	javaw.exe	csc.exe
PID 1732 wrote to memory of 1452	1732	javaw.exe	csc.exe
PID 1732 wrote to memory of 1452	1732	javaw.exe	csc.exe
PID 1452 wrote to memory of 1980	1452	csc.exe	cvtres.exe
PID 1452 wrote to memory of 1980	1452	csc.exe	cvtres.exe
PID 1452 wrote to memory of 1980	1452	csc.exe	cvtres.exe
PID 1732 wrote to memory of 1712	1732	javaw.exe	WindowsInput.exe
PID 1732 wrote to memory of 1712	1732	javaw.exe	WindowsInput.exe
PID 1732 wrote to memory of 1712	1732	javaw.exe	WindowsInput.exe
PID 1732 wrote to memory of 1284	1732	javaw.exe	javaw.exe
PID 1732 wrote to memory of 1284	1732	javaw.exe	javaw.exe
PID 1732 wrote to memory of 1284	1732	javaw.exe	javaw.exe
PID 1100 wrote to memory of 316	1100	taskeng.exe	javaw.exe
PID 1100 wrote to memory of 316	1100	taskeng.exe	javaw.exe
PID 1100 wrote to memory of 316	1100	taskeng.exe	javaw.exe
PID 1284 wrote to memory of 2044	1284	javaw.exe	Runtime Broker.exe
PID 1284 wrote to memory of 2044	1284	javaw.exe	Runtime Broker.exe
PID 1284 wrote to memory of 2044	1284	javaw.exe	Runtime Broker.exe
PID 1284 wrote to memory of 2044	1284	javaw.exe	Runtime Broker.exe
PID 2044 wrote to memory of 1016	2044	Runtime Broker.exe	Runtime Broker.exe
PID 2044 wrote to memory of 1016	2044	Runtime Broker.exe	Runtime Broker.exe
PID 2044 wrote to memory of 1016	2044	Runtime Broker.exe	Runtime Broker.exe
PID 2044 wrote to memory of 1016	2044	Runtime Broker.exe	Runtime Broker.exe
PID 1720 wrote to memory of 2208	1720	build.exe	cmd.exe
PID 1720 wrote to memory of 2208	1720	build.exe	cmd.exe
PID 1720 wrote to memory of 2208	1720	build.exe	cmd.exe
PID 1720 wrote to memory of 2208	1720	build.exe	cmd.exe
PID 2208 wrote to memory of 2236	2208	cmd.exe	chcp.com
PID 2208 wrote to memory of 2236	2208	cmd.exe	chcp.com
PID 2208 wrote to memory of 2236	2208	cmd.exe	chcp.com
PID 2208 wrote to memory of 2236	2208	cmd.exe	chcp.com
PID 2208 wrote to memory of 2256	2208	cmd.exe	netsh.exe
PID 2208 wrote to memory of 2256	2208	cmd.exe	netsh.exe
PID 2208 wrote to memory of 2256	2208	cmd.exe	netsh.exe
PID 2208 wrote to memory of 2256	2208	cmd.exe	netsh.exe
PID 2208 wrote to memory of 2276	2208	cmd.exe	findstr.exe
PID 2208 wrote to memory of 2276	2208	cmd.exe	findstr.exe
PID 2208 wrote to memory of 2276	2208	cmd.exe	findstr.exe
PID 2208 wrote to memory of 2276	2208	cmd.exe	findstr.exe
PID 1720 wrote to memory of 2488	1720	build.exe	cmd.exe
PID 1720 wrote to memory of 2488	1720	build.exe	cmd.exe
PID 1720 wrote to memory of 2488	1720	build.exe	cmd.exe
PID 1720 wrote to memory of 2488	1720	build.exe	cmd.exe
PID 2488 wrote to memory of 2520	2488	cmd.exe	chcp.com
PID 2488 wrote to memory of 2520	2488	cmd.exe	chcp.com
PID 2488 wrote to memory of 2520	2488	cmd.exe	chcp.com
PID 2488 wrote to memory of 2520	2488	cmd.exe	chcp.com
PID 2488 wrote to memory of 2536	2488	cmd.exe	netsh.exe
PID 2488 wrote to memory of 2536	2488	cmd.exe	netsh.exe
PID 2488 wrote to memory of 2536	2488	cmd.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe

outlook_win_path 1 IoCs

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe

C:\Users\Admin\AppData\Local\Temp\newResultprot.exe
"C:\Users\Admin\AppData\Local\Temp\newResultprot.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\javaw.exe
"C:\Users\Admin\AppData\Local\Temp\javaw.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zyoymbwy.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50E0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC50DF.tmp"
4⤵
PID:1980

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1712

C:\Program Files\Java\jdk-19\lib\javaw.exe
"C:\Program Files\Java\jdk-19\lib\javaw.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /launchSelfAndExit "C:\Program Files\Java\jdk-19\lib\javaw.exe" 1284 /protectFile
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /watchProcess "C:\Program Files\Java\jdk-19\lib\javaw.exe" 1284 "/protectFile"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1720

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
3⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2236

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
4⤵
PID:2256

C:\Windows\SysWOW64\findstr.exe
findstr All
4⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
3⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2520

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
4⤵
PID:2536

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\System32\perfmon.exe
"C:\Windows\System32\perfmon.exe" /res
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\System32\perfmon.exe
"C:\Windows\System32\perfmon.exe" /res
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\system32\taskeng.exe
taskeng.exe {BCEEE2ED-EC5E-44E0-B1D5-CCA0D7850387} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Program Files\Java\jdk-19\lib\javaw.exe
"C:\Program Files\Java\jdk-19\lib\javaw.exe"
2⤵
- Executes dropped EXE
PID:316

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-19\lib\javaw.exe

Filesize
938KB

MD5
63e784f82ebd4a7daa66c3478970f36b

SHA1
f319bcf48e9f647fc79aa084de027228444966e6

SHA256
282679b3e43b8c5be4671268eb8808c72f987e1977ef685a21ff7b230dab9b51

SHA512
d3ab5b2699c2fb955bda21de2e7715478ea5498c650c3219585ab623bec957da7e5398cb0d9a52a8fe021053e157a615e1d5e575ce514a140e10b565bb72a9df

Download Submit
C:\Program Files\Java\jdk-19\lib\javaw.exe

Filesize
938KB

MD5
63e784f82ebd4a7daa66c3478970f36b

SHA1
f319bcf48e9f647fc79aa084de027228444966e6

SHA256
282679b3e43b8c5be4671268eb8808c72f987e1977ef685a21ff7b230dab9b51

SHA512
d3ab5b2699c2fb955bda21de2e7715478ea5498c650c3219585ab623bec957da7e5398cb0d9a52a8fe021053e157a615e1d5e575ce514a140e10b565bb72a9df

Download Submit
C:\Program Files\Java\jdk-19\lib\javaw.exe

Filesize
938KB

MD5
63e784f82ebd4a7daa66c3478970f36b

SHA1
f319bcf48e9f647fc79aa084de027228444966e6

SHA256
282679b3e43b8c5be4671268eb8808c72f987e1977ef685a21ff7b230dab9b51

SHA512
d3ab5b2699c2fb955bda21de2e7715478ea5498c650c3219585ab623bec957da7e5398cb0d9a52a8fe021053e157a615e1d5e575ce514a140e10b565bb72a9df

Download Submit
C:\Program Files\Java\jdk-19\lib\javaw.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES50E0.tmp

Filesize
1KB

MD5
c2eb2efc8a5b26b84d03544eb39bc0c5

SHA1
3ccabd86bdcdb421952ab747871e8abbb1fb139d

SHA256
f32ced46f890a9859d93c187d76471b3443ef870ebb357fb6f28fb803a749e7e

SHA512
d3593d16ac7c6feaef4050c1c5b47d791184656d819cf0ac288c5adce50b6fa5452d61f1fe453e4790fc7f482e30099d1188d44864e7d7faf9e7da333de4b2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
1.5MB

MD5
e9124859247c5c5cae6190c03fa36cb7

SHA1
c2d39eee48cb315cae5e3d038b1db2a6ec909bd6

SHA256
0106f2d291f51aabb8f97cb63bf1be337616018c7788faefc64b609dff3a5a33

SHA512
53fee718152c51c276ea468943eeea9b61c1f14c420b054af914b3500375998cfc556b29eec518a14556e0cc77bfd4221ef7448bbbcedacce4f8cce5949a8683

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
1.5MB

MD5
e9124859247c5c5cae6190c03fa36cb7

SHA1
c2d39eee48cb315cae5e3d038b1db2a6ec909bd6

SHA256
0106f2d291f51aabb8f97cb63bf1be337616018c7788faefc64b609dff3a5a33

SHA512
53fee718152c51c276ea468943eeea9b61c1f14c420b054af914b3500375998cfc556b29eec518a14556e0cc77bfd4221ef7448bbbcedacce4f8cce5949a8683

Download Submit
C:\Users\Admin\AppData\Local\Temp\err_0dae1eed35bd43dc93a1d73544aa5ccf.dat

Filesize
1KB

MD5
20b2a207eabe9bdbe140f4cd71797eb8

SHA1
b7d2a3c736f7dddd5261ee02c4a96ea0948e8f55

SHA256
a10a37093360f1140ec9456ebe5222d8a78749f5760bfcc1a281a45ba7d57b05

SHA512
1d2b904b1149ca38225dd0be2eca5b81e2ecf92e7bd94d445b86dd3c3fa46ffd0e690c5fafaa73e35d3ebb46f0d757df3eafd1f1cc228924fc0e9cc9833176df

Download Submit
C:\Users\Admin\AppData\Local\Temp\javaw.exe

Filesize
938KB

MD5
63e784f82ebd4a7daa66c3478970f36b

SHA1
f319bcf48e9f647fc79aa084de027228444966e6

SHA256
282679b3e43b8c5be4671268eb8808c72f987e1977ef685a21ff7b230dab9b51

SHA512
d3ab5b2699c2fb955bda21de2e7715478ea5498c650c3219585ab623bec957da7e5398cb0d9a52a8fe021053e157a615e1d5e575ce514a140e10b565bb72a9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\javaw.exe

Filesize
938KB

MD5
63e784f82ebd4a7daa66c3478970f36b

SHA1
f319bcf48e9f647fc79aa084de027228444966e6

SHA256
282679b3e43b8c5be4671268eb8808c72f987e1977ef685a21ff7b230dab9b51

SHA512
d3ab5b2699c2fb955bda21de2e7715478ea5498c650c3219585ab623bec957da7e5398cb0d9a52a8fe021053e157a615e1d5e575ce514a140e10b565bb72a9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyoymbwy.dll

Filesize
76KB

MD5
56f9deb6fd18fd7a327f1da23838e59a

SHA1
78745d808ab74e650b754f7b0862191835b39ce0

SHA256
7a681238223350a393e1db15fe9b74f520c866118bf722c05eb97bd54be21305

SHA512
7ef999370f5fb1754b6440256934b940c4b7b19c85cecc91201c97d1dfff77d6c6219adcd4dbbd0e21821ffeaf86a7251c8510defd9b80f35a04a9b1103a9a06

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC50DF.tmp

Filesize
676B

MD5
3999c6db04f2973deccb4dc672825489

SHA1
42d3f9fd1697ab2a8635a432307c6b772e9ef31f

SHA256
307bf45d028288519cc8d7f270a1fa74fb76abf29cc727470da91f869e134448

SHA512
f105df9257c0031502e840c28dab4539c214c5c133fa8ddbb1fdb60972750b65ff6e6ae9c61e6cc376223eefd1a4e5958a21d195daf2575d66c5c32d07e453ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zyoymbwy.0.cs

Filesize
208KB

MD5
2b14ae8b54d216abf4d228493ceca44a

SHA1
d134351498e4273e9d6391153e35416bc743adef

SHA256
4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c

SHA512
5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zyoymbwy.cmdline

Filesize
349B

MD5
3766367e2db9aff43d024b36a15e5967

SHA1
1462181a95fec1b6b53aa1dbfccdecc9ec2d6184

SHA256
a235f3530a150c98003bbe4c1c131ed50c36ea18a2531c28e057d77917461175

SHA512
07e612500992153b56d86b2158a3171b58605ad572ae9ace23d44d999c5af8f6b16db4eaab6ed1161b80881486dfef778ed0032c8ad9ff2eb49e7a68406a6023

Download Submit
\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe

Filesize
1.5MB

MD5
e9124859247c5c5cae6190c03fa36cb7

SHA1
c2d39eee48cb315cae5e3d038b1db2a6ec909bd6

SHA256
0106f2d291f51aabb8f97cb63bf1be337616018c7788faefc64b609dff3a5a33

SHA512
53fee718152c51c276ea468943eeea9b61c1f14c420b054af914b3500375998cfc556b29eec518a14556e0cc77bfd4221ef7448bbbcedacce4f8cce5949a8683

Download Submit
\Users\Admin\AppData\Local\Temp\javaw.exe

Filesize
938KB

MD5
63e784f82ebd4a7daa66c3478970f36b

SHA1
f319bcf48e9f647fc79aa084de027228444966e6

SHA256
282679b3e43b8c5be4671268eb8808c72f987e1977ef685a21ff7b230dab9b51

SHA512
d3ab5b2699c2fb955bda21de2e7715478ea5498c650c3219585ab623bec957da7e5398cb0d9a52a8fe021053e157a615e1d5e575ce514a140e10b565bb72a9df

Download Submit
memory/316-110-0x0000000000000000-mapping.dmp

Download
memory/1016-120-0x0000000000000000-mapping.dmp

Download
memory/1232-65-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1232-71-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1232-70-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1232-67-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1232-55-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp

Filesize
8KB

Download
memory/1284-96-0x0000000000000000-mapping.dmp

Download
memory/1284-101-0x0000000000490000-0x00000000004EC000-memory.dmp

Filesize
368KB

Download
memory/1284-109-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/1284-108-0x0000000000AE0000-0x0000000000AF8000-memory.dmp

Filesize
96KB

Download
memory/1284-107-0x00000000009D0000-0x0000000000A1E000-memory.dmp

Filesize
312KB

Download
memory/1284-132-0x000000001B0D6000-0x000000001B0F5000-memory.dmp

Filesize
124KB

Download
memory/1284-105-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/1284-104-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/1284-103-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/1284-102-0x0000000000140000-0x000000000014E000-memory.dmp

Filesize
56KB

Download
memory/1284-100-0x0000000001350000-0x0000000001440000-memory.dmp

Filesize
960KB

Download
memory/1284-112-0x000000001B0D6000-0x000000001B0F5000-memory.dmp

Filesize
124KB

Download
memory/1452-78-0x0000000000000000-mapping.dmp

Download
memory/1624-68-0x0000000000000000-mapping.dmp

Download
memory/1624-86-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1624-93-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1624-87-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1628-63-0x0000000000400000-0x0000000000A04000-memory.dmp

Filesize
6.0MB

Download
memory/1628-54-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/1628-69-0x0000000000400000-0x0000000000A04000-memory.dmp

Filesize
6.0MB

Download
memory/1712-92-0x0000000001130000-0x000000000113C000-memory.dmp

Filesize
48KB

Download
memory/1712-88-0x0000000000000000-mapping.dmp

Download
memory/1720-76-0x0000000000C30000-0x0000000000DB4000-memory.dmp

Filesize
1.5MB

Download
memory/1720-136-0x00000000057E0000-0x0000000005862000-memory.dmp

Filesize
520KB

Download
memory/1720-131-0x0000000004BC5000-0x0000000004BD6000-memory.dmp

Filesize
68KB

Download
memory/1720-134-0x0000000005E60000-0x0000000005EDA000-memory.dmp

Filesize
488KB

Download
memory/1720-62-0x0000000000000000-mapping.dmp

Download
memory/1720-135-0x0000000006290000-0x0000000006340000-memory.dmp

Filesize
704KB

Download
memory/1732-75-0x000007FEF2A40000-0x000007FEF3AD6000-memory.dmp

Filesize
16.6MB

Download
memory/1732-60-0x000007FEF3AE0000-0x000007FEF4503000-memory.dmp

Filesize
10.1MB

Download
memory/1732-85-0x000007FEED790000-0x000007FEEEE63000-memory.dmp

Filesize
22.8MB

Download
memory/1732-57-0x0000000000000000-mapping.dmp

Download
memory/1748-94-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1748-72-0x0000000000000000-mapping.dmp

Download
memory/1980-81-0x0000000000000000-mapping.dmp

Download
memory/2044-117-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/2044-113-0x0000000000000000-mapping.dmp

Download
memory/2208-122-0x0000000000000000-mapping.dmp

Download
memory/2236-123-0x0000000000000000-mapping.dmp

Download
memory/2256-124-0x0000000000000000-mapping.dmp

Download
memory/2276-125-0x0000000000000000-mapping.dmp

Download
memory/2488-127-0x0000000000000000-mapping.dmp

Download
memory/2520-128-0x0000000000000000-mapping.dmp

Download
memory/2536-129-0x0000000000000000-mapping.dmp

Download