44caliber | b2117810ce796c98090c62b23a4141f13861f6b1e401cfd23214416e1d34a7d4

Resubmissions

24-01-2023 13:22

230124-ql79fsdd5v 10

Analysis

max time kernel
27s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2023 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

joined2023.exe
Size

3.9MB
MD5

e32d1c9ffd23662ed5ca10a55935b0d6
SHA1

d8e9bc81ff71cecbb5c4a761ab078c00afb25e2c
SHA256

b2117810ce796c98090c62b23a4141f13861f6b1e401cfd23214416e1d34a7d4
SHA512

21985146e9919222a2afec3fa4fdda4725c7137eee26f078372f4fcea2370e0b7e437cbdb392d9648872bb987e18fbbe5af8c1b81b93de2bf30210681a284e40
SSDEEP

98304:kKBFq4/pXUb0JKQv9EbSr8kVSr+MgsXJFQ91J:BJ+LSrJ9MpiD

Score

10^/10

44caliber asyncrat mercurialgrabber njrat orcus stealerium stormkitty default hacked evasion persistence rat spyware stealer trojan

Malware Config

Extracted

Family

orcus

applications-tri.at.ply.gg:28896

Mutex

d13fa6fd01354c1cb13a471f4d115873

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Extracted

Family

stealerium

https://discord.com/api/webhooks/1055148664328306759/bxAEZTZ-kRLn3WPZNdGtreQXlAKfCVmcqjAkhu0eKmIIUgcgVFvENadDczyX96Jco6EC

Extracted

Family

44caliber

https://discord.com/api/webhooks/1059949869067944116/125-PuomaUyQ_Agw7Jz405pbRMMFoA7YzL1fuXr9W9SnxqrIA0uro1tBguC8qGaNiNyj

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/1059951133780619324/DkJrb9sMyvvnTtNeg9xAQnaPAnQx81HiLYIxO9HjmOmu8BiipsU0tuvk_9Wo22Nk0A0W

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/AGYCqrDm

aes.plain

Extracted

Family

njrat

Version

im523

Botnet

HacKed

applications-tri.at.ply.gg:28896

Mutex

0796887e761bffbbe87ade248de931cd

Attributes

reg_key
0796887e761bffbbe87ade248de931cd
splitter
|'|'|

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

applications-tri.at.ply.gg:28896

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\aio.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\aio.exe	disable_win_def
behavioral1/memory/3196-147-0x0000000000390000-0x00000000003AA000-memory.dmp	disable_win_def

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2023.exe	family_orcus
C:\Users\Admin\AppData\Local\Temp\2023.exe	family_orcus
C:\Program Files (x86)\Orcus\Orcus.exe	family_orcus
C:\Program Files (x86)\Orcus\Orcus.exe	family_orcus
C:\Program Files (x86)\Orcus\Orcus.exe	family_orcus

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\blitzed12_Protect.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\blitzed12_Protect.exe	family_stormkitty
behavioral1/memory/644-139-0x0000000000D70000-0x0000000000E96000-memory.dmp	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\aio.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\aio.exe	family_stormkitty
behavioral1/memory/3196-147-0x0000000000390000-0x00000000003AA000-memory.dmp	family_stormkitty

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AsyncMod.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\AsyncMod.exe	asyncrat
behavioral1/memory/2928-144-0x0000000000690000-0x0000000000716000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Local\Temp\RAT.exe	asyncrat
behavioral1/memory/1844-163-0x0000000000F10000-0x0000000000F22000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Local\Temp\RAT.exe	asyncrat
C:\Users\Admin\AppData\Roaming\svchost.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe	asyncrat

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Mercial.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Mercial.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Mercial.exe

Orcurs Rat Executable 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2023.exe	orcus
C:\Users\Admin\AppData\Local\Temp\2023.exe	orcus
behavioral1/memory/1128-143-0x0000000000D80000-0x0000000000E6A000-memory.dmp	orcus
C:\Program Files (x86)\Orcus\Orcus.exe	orcus
C:\Program Files (x86)\Orcus\Orcus.exe	orcus
C:\Program Files (x86)\Orcus\Orcus.exe	orcus

Executes dropped EXE 13 IoCs

Processes:

blitzed12_Protect.exe2023.exeAsyncMod.exeaio.exebuild.exeInsidious.exeMercial.exeRAT.exeServer2022nada.exesvchost2.exesvchost.exeOrcus.exesvchost.exe

pid	process
644	blitzed12_Protect.exe
1128	2023.exe
2928	AsyncMod.exe
3196	aio.exe
2136	build.exe
3624	Insidious.exe
228	Mercial.exe
1844	RAT.exe
3008	Server2022nada.exe
4564	svchost2.exe
2340	svchost.exe
3744	Orcus.exe
4128	svchost.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Mercial.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools Mercial.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4040 netsh.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Mercial.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Mercial.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	Mercial.exe

pid	process
4040	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Mercial.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost2.exe2023.exeServer2022nada.exejoined2023.exeRAT.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	svchost2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	2023.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Server2022nada.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	joined2023.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RAT.exe

Drops startup file 2 IoCs

Processes:

svchost2.exesvchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	svchost2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\ProgramData\\svchost.exe"	svchost2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

56 icanhazip.com
9 ip4.seeip.org
10 ip4.seeip.org
11 freegeoip.app
12 checkip.dyndns.org
14 freegeoip.app
17 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
56	icanhazip.com
9	ip4.seeip.org
10	ip4.seeip.org
11	freegeoip.app
12	checkip.dyndns.org
14	freegeoip.app
17	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Mercial.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Mercial.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Mercial.exe

Drops file in Program Files directory 3 IoCs

Processes:

2023.exe

description	ioc	process
File created	C:\Program Files (x86)\Orcus\Orcus.exe	2023.exe
File opened for modification	C:\Program Files (x86)\Orcus\Orcus.exe	2023.exe
File created	C:\Program Files (x86)\Orcus\Orcus.exe.config	2023.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1720 3196 WerFault.exe aio.exe
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Mercial.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S Mercial.exe

pid	pid_target	process	target process
1720	3196	WerFault.exe	aio.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	Mercial.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Mercial.exeInsidious.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Mercial.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Mercial.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4920 schtasks.exe
1224 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

5792 timeout.exe
3736 timeout.exe
5228 timeout.exe

pid	process
4920	schtasks.exe
1224	schtasks.exe

pid	process
5792	timeout.exe
3736	timeout.exe
5228	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Mercial.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	Mercial.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	Mercial.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	Mercial.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	Mercial.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4028 taskkill.exe

pid	process
4028	taskkill.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

Insidious.exeAsyncMod.exeaio.exeRAT.exe

pid	process
3624	Insidious.exe
3624	Insidious.exe
3624	Insidious.exe
2928	AsyncMod.exe
2928	AsyncMod.exe
2928	AsyncMod.exe
2928	AsyncMod.exe
3624	Insidious.exe
2928	AsyncMod.exe
3196	aio.exe
3196	aio.exe
2928	AsyncMod.exe
2928	AsyncMod.exe
2928	AsyncMod.exe
2928	AsyncMod.exe
2928	AsyncMod.exe
2928	AsyncMod.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
1844	RAT.exe
2928	AsyncMod.exe
2928	AsyncMod.exe
2928	AsyncMod.exe
2928	AsyncMod.exe
2928	AsyncMod.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Insidious.exeaio.exeMercial.exeAsyncMod.exeblitzed12_Protect.exeRAT.exebuild.exe

description	pid	process
Token: SeDebugPrivilege	3624	Insidious.exe
Token: SeDebugPrivilege	3196	aio.exe
Token: SeDebugPrivilege	228	Mercial.exe
Token: SeDebugPrivilege	2928	AsyncMod.exe
Token: SeDebugPrivilege	644	blitzed12_Protect.exe
Token: SeDebugPrivilege	1844	RAT.exe
Token: SeDebugPrivilege	2136	build.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

chrome.exejoined2023.exeblitzed12_Protect.exeOrcusWatchdog.exeRAT.exesvchost2.exe2023.execmd.execmd.exeServer2022nada.exe

description	pid	process	target process
PID 3372 wrote to memory of 5028	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 5028	3372	chrome.exe	chrome.exe
PID 2892 wrote to memory of 644	2892	joined2023.exe	blitzed12_Protect.exe
PID 2892 wrote to memory of 644	2892	joined2023.exe	blitzed12_Protect.exe
PID 2892 wrote to memory of 1128	2892	joined2023.exe	2023.exe
PID 2892 wrote to memory of 1128	2892	joined2023.exe	2023.exe
PID 2892 wrote to memory of 1128	2892	joined2023.exe	2023.exe
PID 2892 wrote to memory of 2928	2892	joined2023.exe	AsyncMod.exe
PID 2892 wrote to memory of 2928	2892	joined2023.exe	AsyncMod.exe
PID 2892 wrote to memory of 2928	2892	joined2023.exe	AsyncMod.exe
PID 2892 wrote to memory of 3196	2892	joined2023.exe	aio.exe
PID 2892 wrote to memory of 3196	2892	joined2023.exe	aio.exe
PID 2892 wrote to memory of 2136	2892	joined2023.exe	build.exe
PID 2892 wrote to memory of 2136	2892	joined2023.exe	build.exe
PID 2892 wrote to memory of 2136	2892	joined2023.exe	build.exe
PID 2892 wrote to memory of 3624	2892	joined2023.exe	Insidious.exe
PID 2892 wrote to memory of 3624	2892	joined2023.exe	Insidious.exe
PID 2892 wrote to memory of 228	2892	joined2023.exe	Mercial.exe
PID 2892 wrote to memory of 228	2892	joined2023.exe	Mercial.exe
PID 2892 wrote to memory of 1844	2892	joined2023.exe	RAT.exe
PID 2892 wrote to memory of 1844	2892	joined2023.exe	RAT.exe
PID 2892 wrote to memory of 1844	2892	joined2023.exe	RAT.exe
PID 2892 wrote to memory of 3008	2892	joined2023.exe	Server2022nada.exe
PID 2892 wrote to memory of 3008	2892	joined2023.exe	Server2022nada.exe
PID 2892 wrote to memory of 3008	2892	joined2023.exe	Server2022nada.exe
PID 2892 wrote to memory of 4564	2892	joined2023.exe	svchost2.exe
PID 2892 wrote to memory of 4564	2892	joined2023.exe	svchost2.exe
PID 2892 wrote to memory of 4564	2892	joined2023.exe	svchost2.exe
PID 2892 wrote to memory of 1968	2892	joined2023.exe	cmd.exe
PID 2892 wrote to memory of 1968	2892	joined2023.exe	cmd.exe
PID 2892 wrote to memory of 1968	2892	joined2023.exe	cmd.exe
PID 644 wrote to memory of 4160	644	blitzed12_Protect.exe	OrcusWatchdog.exe
PID 644 wrote to memory of 4160	644	blitzed12_Protect.exe	OrcusWatchdog.exe
PID 4160 wrote to memory of 4004	4160	OrcusWatchdog.exe	chcp.com
PID 4160 wrote to memory of 4004	4160	OrcusWatchdog.exe	chcp.com
PID 1844 wrote to memory of 2868	1844	RAT.exe	cmd.exe
PID 1844 wrote to memory of 2868	1844	RAT.exe	cmd.exe
PID 1844 wrote to memory of 2868	1844	RAT.exe	cmd.exe
PID 1844 wrote to memory of 4400	1844	RAT.exe	cmd.exe
PID 1844 wrote to memory of 4400	1844	RAT.exe	cmd.exe
PID 1844 wrote to memory of 4400	1844	RAT.exe	cmd.exe
PID 4160 wrote to memory of 3920	4160	OrcusWatchdog.exe	netsh.exe
PID 4160 wrote to memory of 3920	4160	OrcusWatchdog.exe	netsh.exe
PID 4564 wrote to memory of 2340	4564	svchost2.exe	svchost.exe
PID 4564 wrote to memory of 2340	4564	svchost2.exe	svchost.exe
PID 4564 wrote to memory of 2340	4564	svchost2.exe	svchost.exe
PID 4160 wrote to memory of 4932	4160	OrcusWatchdog.exe	findstr.exe
PID 4160 wrote to memory of 4932	4160	OrcusWatchdog.exe	findstr.exe
PID 4564 wrote to memory of 748	4564	svchost2.exe	attrib.exe
PID 4564 wrote to memory of 748	4564	svchost2.exe	attrib.exe
PID 4564 wrote to memory of 748	4564	svchost2.exe	attrib.exe
PID 1128 wrote to memory of 3744	1128	2023.exe	Orcus.exe
PID 1128 wrote to memory of 3744	1128	2023.exe	Orcus.exe
PID 1128 wrote to memory of 3744	1128	2023.exe	Orcus.exe
PID 2868 wrote to memory of 4920	2868	cmd.exe	schtasks.exe
PID 2868 wrote to memory of 4920	2868	cmd.exe	schtasks.exe
PID 2868 wrote to memory of 4920	2868	cmd.exe	schtasks.exe
PID 4400 wrote to memory of 3736	4400	cmd.exe	timeout.exe
PID 4400 wrote to memory of 3736	4400	cmd.exe	timeout.exe
PID 4400 wrote to memory of 3736	4400	cmd.exe	timeout.exe
PID 3008 wrote to memory of 4128	3008	Server2022nada.exe	svchost.exe
PID 3008 wrote to memory of 4128	3008	Server2022nada.exe	svchost.exe
PID 3008 wrote to memory of 4128	3008	Server2022nada.exe	svchost.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

748 attrib.exe
1044 attrib.exe
2828 attrib.exe

pid	process
748	attrib.exe
1044	attrib.exe
2828	attrib.exe

C:\Users\Admin\AppData\Local\Temp\joined2023.exe
"C:\Users\Admin\AppData\Local\Temp\joined2023.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\Temp\blitzed12_Protect.exe
"C:\Users\Admin\AppData\Local\Temp\blitzed12_Protect.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
3⤵
PID:4160

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:4004

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:3920

C:\Windows\system32\findstr.exe
findstr All
4⤵
PID:4932

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
3⤵
PID:4704

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2828

C:\Windows\system32\findstr.exe
findstr Key
4⤵
PID:3100

C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
4⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\2023.exe
"C:\Users\Admin\AppData\Local\Temp\2023.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1128

C:\Program Files (x86)\Orcus\Orcus.exe
"C:\Program Files (x86)\Orcus\Orcus.exe"
3⤵
- Executes dropped EXE
PID:3744

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 3744 /protectFile
4⤵
PID:4036

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 3744 "/protectFile"
5⤵
- Suspicious use of WriteProcessMemory
PID:4160

C:\Users\Admin\AppData\Local\Temp\AsyncMod.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncMod.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /tn OneDriveStandaloneAPIMethod /tr "C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe" /st 14:28 /du 23:59 /sc daily /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB323.tmp.bat""
3⤵
PID:4248

C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe"
4⤵
PID:5212

C:\Windows\SysWOW64\timeout.exe
timeout 4
4⤵
- Delays execution with timeout.exe
PID:5228

C:\Users\Admin\AppData\Local\Temp\aio.exe
"C:\Users\Admin\AppData\Local\Temp\aio.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3196 -s 1340
3⤵
- Program crash
PID:1720

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
3⤵
PID:3212

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4164

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
4⤵
PID:3124

C:\Windows\SysWOW64\findstr.exe
findstr All
4⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
3⤵
PID:1204

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1600

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
4⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp620A.tmp.bat
3⤵
PID:3308

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4168

C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 2136
4⤵
- Kills process with taskkill
PID:4028

C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
4⤵
- Delays execution with timeout.exe
PID:5792

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Users\Admin\AppData\Local\Temp\Mercial.exe
"C:\Users\Admin\AppData\Local\Temp\Mercial.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Users\Admin\AppData\Local\Temp\Server2022nada.exe
"C:\Users\Admin\AppData\Local\Temp\Server2022nada.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
PID:4128

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:4040

C:\Users\Admin\AppData\Local\Temp\svchost2.exe
"C:\Users\Admin\AppData\Local\Temp\svchost2.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4564

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
3⤵
- Executes dropped EXE
- Drops startup file
PID:2340

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
4⤵
- Views/modifies file attributes
PID:1044

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
4⤵
- Views/modifies file attributes
PID:2828

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\ProgramData\svchost.exe"
3⤵
- Views/modifies file attributes
PID:748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\joined2023.exe" >> NUL
2⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\RAT.exe
"C:\Users\Admin\AppData\Local\Temp\RAT.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
4⤵
- Creates scheduled task(s)
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4362.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:3736

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
4⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ff9f4ed4f50,0x7ff9f4ed4f60,0x7ff9f4ed4f70
2⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1668 /prefetch:2
2⤵
PID:4720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1984 /prefetch:8
2⤵
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2344 /prefetch:8
2⤵
PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
2⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
2⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3712 /prefetch:8
2⤵
PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
2⤵
PID:5344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8
2⤵
PID:5520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
2⤵
PID:5556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
2⤵
PID:5764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5296 /prefetch:8
2⤵
PID:1148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5560 /prefetch:8
2⤵
PID:5316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=212 /prefetch:8
2⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5036 /prefetch:8
2⤵
PID:3212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5592 /prefetch:8
2⤵
PID:5380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4952 /prefetch:8
2⤵
PID:5372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1548 /prefetch:8
2⤵
PID:904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
2⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
2⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 /prefetch:8
2⤵
PID:5488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4504 /prefetch:8
2⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4512 /prefetch:8
2⤵
PID:5660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5036 /prefetch:8
2⤵
PID:5648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5116 /prefetch:8
2⤵
PID:5644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4660 /prefetch:8
2⤵
PID:5276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5100 /prefetch:8
2⤵
PID:1428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4532 /prefetch:8
2⤵
PID:5892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1496 /prefetch:1
2⤵
PID:6116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4528 /prefetch:8
2⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
2⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1472 /prefetch:8
2⤵
PID:3604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1660,5073992227167281117,10542435971654373630,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3556 /prefetch:2
2⤵
PID:2072

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3196 -ip 3196
1⤵
PID:4516

C:\Program Files (x86)\Orcus\Orcus.exe
"C:\Program Files (x86)\Orcus\Orcus.exe"
1⤵
PID:1364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:4448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f4ed4f50,0x7ff9f4ed4f60,0x7ff9f4ed4f70
2⤵
PID:4280

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Orcus\Orcus.exe
Filesize
917KB

MD5
146b3618b2e56aee03e212355730316b

SHA1
8f0b0e2f0a2cf0afb81d69247d449a9ad77da7b1

SHA256
82cc38f97def6e5bf1516cef6f5e030313e1049a3ff7ef1ce354a4a6b1fe73c9

SHA512
a2c66b518c40a93543a149045021e18741a8b8bef2c46883a6e6b9324ef848432ab4cd059645ccf33094a3ffb0452ea40fbcb7bfeb8d53934a2783ad6da01af9

Download Submit
C:\Program Files (x86)\Orcus\Orcus.exe
Filesize
917KB

MD5
146b3618b2e56aee03e212355730316b

SHA1
8f0b0e2f0a2cf0afb81d69247d449a9ad77da7b1

SHA256
82cc38f97def6e5bf1516cef6f5e030313e1049a3ff7ef1ce354a4a6b1fe73c9

SHA512
a2c66b518c40a93543a149045021e18741a8b8bef2c46883a6e6b9324ef848432ab4cd059645ccf33094a3ffb0452ea40fbcb7bfeb8d53934a2783ad6da01af9

Download Submit
C:\Program Files (x86)\Orcus\Orcus.exe
Filesize
917KB

MD5
146b3618b2e56aee03e212355730316b

SHA1
8f0b0e2f0a2cf0afb81d69247d449a9ad77da7b1

SHA256
82cc38f97def6e5bf1516cef6f5e030313e1049a3ff7ef1ce354a4a6b1fe73c9

SHA512
a2c66b518c40a93543a149045021e18741a8b8bef2c46883a6e6b9324ef848432ab4cd059645ccf33094a3ffb0452ea40fbcb7bfeb8d53934a2783ad6da01af9

Download Submit
C:\Program Files (x86)\Orcus\Orcus.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\ProgramData\svchost.exe
Filesize
27KB

MD5
83a49e5309d8b2f07ed0815b5eb847d6

SHA1
65b0eb7129e99bece9977a7b4e9c0df7a83fbaa0

SHA256
d3b44f1ddedb449fa0e7d56a96f42a9060f3feba03d93dbf900db66498bd47fd

SHA512
5565bb6a4507ba41409d33bebb3216455e5791f486687a3248fbdf83b642d27e2e8ec8eb034843bed05aaa49468f62c1a0d3f6c24707423685e94e5d4af974b7

Download Submit
C:\ProgramData\svchost.exe
Filesize
27KB

MD5
83a49e5309d8b2f07ed0815b5eb847d6

SHA1
65b0eb7129e99bece9977a7b4e9c0df7a83fbaa0

SHA256
d3b44f1ddedb449fa0e7d56a96f42a9060f3feba03d93dbf900db66498bd47fd

SHA512
5565bb6a4507ba41409d33bebb3216455e5791f486687a3248fbdf83b642d27e2e8ec8eb034843bed05aaa49468f62c1a0d3f6c24707423685e94e5d4af974b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
60cd6e50a74c45f9514c2ec70fe16a0d

SHA1
4d09cb4351688681c28912f89869703fc3a98c0a

SHA256
32fc80412bdafb44620e9694a7a9e1328c6067977021068d93061ee7753522d1

SHA512
cbab6f727cfedfeddd32fb9763479530530b79df262d09f319fecac9f89d9e08a5f38331f85f26930a35bf6e5bac01821b8edea4bd2b3abec5db55ff4468857e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
60cd6e50a74c45f9514c2ec70fe16a0d

SHA1
4d09cb4351688681c28912f89869703fc3a98c0a

SHA256
32fc80412bdafb44620e9694a7a9e1328c6067977021068d93061ee7753522d1

SHA512
cbab6f727cfedfeddd32fb9763479530530b79df262d09f319fecac9f89d9e08a5f38331f85f26930a35bf6e5bac01821b8edea4bd2b3abec5db55ff4468857e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2023.exe
Filesize
917KB

MD5
146b3618b2e56aee03e212355730316b

SHA1
8f0b0e2f0a2cf0afb81d69247d449a9ad77da7b1

SHA256
82cc38f97def6e5bf1516cef6f5e030313e1049a3ff7ef1ce354a4a6b1fe73c9

SHA512
a2c66b518c40a93543a149045021e18741a8b8bef2c46883a6e6b9324ef848432ab4cd059645ccf33094a3ffb0452ea40fbcb7bfeb8d53934a2783ad6da01af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2023.exe
Filesize
917KB

MD5
146b3618b2e56aee03e212355730316b

SHA1
8f0b0e2f0a2cf0afb81d69247d449a9ad77da7b1

SHA256
82cc38f97def6e5bf1516cef6f5e030313e1049a3ff7ef1ce354a4a6b1fe73c9

SHA512
a2c66b518c40a93543a149045021e18741a8b8bef2c46883a6e6b9324ef848432ab4cd059645ccf33094a3ffb0452ea40fbcb7bfeb8d53934a2783ad6da01af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsyncMod.exe
Filesize
512KB

MD5
db88ebe0f68bb36db663a9484682e34e

SHA1
2ef9a91349be9cd2b2e6b44f2c493e42562076c7

SHA256
276993c5ae23f4dbbbb6f8112bb73aa0507fe4145044fd38741fd6fa7e326c20

SHA512
9da51a283067869131bb49092413c54b0941d14f4a5b2f65f38ac8517159d48d78c778a2bfa38a35b533c47cc8eb933ffb8af419b882a3dbbb3de5db7daddae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsyncMod.exe
Filesize
512KB

MD5
db88ebe0f68bb36db663a9484682e34e

SHA1
2ef9a91349be9cd2b2e6b44f2c493e42562076c7

SHA256
276993c5ae23f4dbbbb6f8112bb73aa0507fe4145044fd38741fd6fa7e326c20

SHA512
9da51a283067869131bb49092413c54b0941d14f4a5b2f65f38ac8517159d48d78c778a2bfa38a35b533c47cc8eb933ffb8af419b882a3dbbb3de5db7daddae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
274KB

MD5
87a18b11c7765f6405b1829a52eaf15e

SHA1
9c097625928c71c896981095a2ddf40c0c409c68

SHA256
4c2ba9fb246b43db949ebd3b243c5023c4b05316c829e02e05cfb382610a11d0

SHA512
9c41c65680176676db6b31ee36b669dabec55240607cad7c27cdc8034399099eab843eb2c29dda8f1568eb4be82c145ad6f66025bc1596d967f14d7b9e5a8215

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
274KB

MD5
87a18b11c7765f6405b1829a52eaf15e

SHA1
9c097625928c71c896981095a2ddf40c0c409c68

SHA256
4c2ba9fb246b43db949ebd3b243c5023c4b05316c829e02e05cfb382610a11d0

SHA512
9c41c65680176676db6b31ee36b669dabec55240607cad7c27cdc8034399099eab843eb2c29dda8f1568eb4be82c145ad6f66025bc1596d967f14d7b9e5a8215

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mercial.exe
Filesize
41KB

MD5
add353d2f6309a5af6a6f8a51d93c8e9

SHA1
ce059a73bc606c63f2ab1cb18596d0c1908950d2

SHA256
bc072c475126f9e8cd972a8f81c751bf91d196a17e202f5a0d00e5328e4df951

SHA512
170a53021655a2e115872ff68c74f2a0765cb8793c056b0026d57511b0ca83dd9199b2860c20c321a2d9007272088a13b960f68e47d256f19dbe1a504e3b9a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mercial.exe
Filesize
41KB

MD5
add353d2f6309a5af6a6f8a51d93c8e9

SHA1
ce059a73bc606c63f2ab1cb18596d0c1908950d2

SHA256
bc072c475126f9e8cd972a8f81c751bf91d196a17e202f5a0d00e5328e4df951

SHA512
170a53021655a2e115872ff68c74f2a0765cb8793c056b0026d57511b0ca83dd9199b2860c20c321a2d9007272088a13b960f68e47d256f19dbe1a504e3b9a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAT.exe
Filesize
48KB

MD5
824b6d94e834e611f6aed8091a62e9d6

SHA1
5771fd73ca90d27fac3425358fcaa45c16ea62ff

SHA256
b912edf461afbc58b7684deb88addaeb0a2b50359261c1c310df17ddb2de0d38

SHA512
b23c681e6cb5ea3be688b98d6b5e532e7dd60240ec7e3b96249a5205670dc64007380b94c3f19efd8ec5fea8ec4ad034fa0cac091deadd64185e70f3e119e179

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAT.exe
Filesize
48KB

MD5
824b6d94e834e611f6aed8091a62e9d6

SHA1
5771fd73ca90d27fac3425358fcaa45c16ea62ff

SHA256
b912edf461afbc58b7684deb88addaeb0a2b50359261c1c310df17ddb2de0d38

SHA512
b23c681e6cb5ea3be688b98d6b5e532e7dd60240ec7e3b96249a5205670dc64007380b94c3f19efd8ec5fea8ec4ad034fa0cac091deadd64185e70f3e119e179

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server2022nada.exe
Filesize
37KB

MD5
0f649e94783dfbd5ab19501286be1ee6

SHA1
d2e14af3dc729d16e034ee22e051ffec7fb3e614

SHA256
a969f285276f1462796f9b89b6e8d23eb2d8682761a85070842a3215fda795d2

SHA512
fb95c44ea3a36e5f8c2d3393481f304c85b6ccc3bd92f8886007570598d20df746d39fc93659607ef0fee620303bb9a794aedfbd1954e5767bc9200f7300a9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server2022nada.exe
Filesize
37KB

MD5
0f649e94783dfbd5ab19501286be1ee6

SHA1
d2e14af3dc729d16e034ee22e051ffec7fb3e614

SHA256
a969f285276f1462796f9b89b6e8d23eb2d8682761a85070842a3215fda795d2

SHA512
fb95c44ea3a36e5f8c2d3393481f304c85b6ccc3bd92f8886007570598d20df746d39fc93659607ef0fee620303bb9a794aedfbd1954e5767bc9200f7300a9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aio.exe
Filesize
82KB

MD5
73fd97e41d3b7717079d52b75b8348d0

SHA1
916c3593c5e8bc52318c32ec7ef3c55753b462fa

SHA256
0d16d6b085182eef42d731d5f22fdb1cfd2bba596ca650f2354c31f871a5c845

SHA512
4bd6e0d6aeb30a0d88f1614d0847e5879031d6a801632addc78d251f6892dc3491fe14d039b7674209259ec1cd82ba1df86f3cb87ae7e9208d34fef28c4bd880

Download Submit
C:\Users\Admin\AppData\Local\Temp\aio.exe
Filesize
82KB

MD5
73fd97e41d3b7717079d52b75b8348d0

SHA1
916c3593c5e8bc52318c32ec7ef3c55753b462fa

SHA256
0d16d6b085182eef42d731d5f22fdb1cfd2bba596ca650f2354c31f871a5c845

SHA512
4bd6e0d6aeb30a0d88f1614d0847e5879031d6a801632addc78d251f6892dc3491fe14d039b7674209259ec1cd82ba1df86f3cb87ae7e9208d34fef28c4bd880

Download Submit
C:\Users\Admin\AppData\Local\Temp\blitzed12_Protect.exe
Filesize
1.1MB

MD5
59a5a53af34f3af1d450b58edf970958

SHA1
582e2326bf7323903f10ccb2a0abafeb58ca1a55

SHA256
a4cfe757256ea7a68b8e97a2b0de09fd2f00d2984e2dfa2d3963dfbd13d43b75

SHA512
dd76ab437b7c09c2d09d52ce4b6085e94f5d3d4515c85bb815add82c9962eee1d1388a3622ee69f43138ba0ab5b9f2baa371d8cd3d48185dc54363dcd9a27b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\blitzed12_Protect.exe
Filesize
1.1MB

MD5
59a5a53af34f3af1d450b58edf970958

SHA1
582e2326bf7323903f10ccb2a0abafeb58ca1a55

SHA256
a4cfe757256ea7a68b8e97a2b0de09fd2f00d2984e2dfa2d3963dfbd13d43b75

SHA512
dd76ab437b7c09c2d09d52ce4b6085e94f5d3d4515c85bb815add82c9962eee1d1388a3622ee69f43138ba0ab5b9f2baa371d8cd3d48185dc54363dcd9a27b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
1.5MB

MD5
88d889b346df525e43d62d4fa08804e2

SHA1
057bfd5754fb091513e626eb43baab69144a85a8

SHA256
228279263ea529f07e1e8e31e9185166502584d2a39e16e3084071283190698c

SHA512
d99018cf8c5fc4fd18521889ee3e68a893aca16e81de007be6bf2b004485ebea8a40bd029e6828d2978b5473af665431d5a957f9c1ee3d698acc4ebc49d4b7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
1.5MB

MD5
88d889b346df525e43d62d4fa08804e2

SHA1
057bfd5754fb091513e626eb43baab69144a85a8

SHA256
228279263ea529f07e1e8e31e9185166502584d2a39e16e3084071283190698c

SHA512
d99018cf8c5fc4fd18521889ee3e68a893aca16e81de007be6bf2b004485ebea8a40bd029e6828d2978b5473af665431d5a957f9c1ee3d698acc4ebc49d4b7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost2.exe
Filesize
27KB

MD5
83a49e5309d8b2f07ed0815b5eb847d6

SHA1
65b0eb7129e99bece9977a7b4e9c0df7a83fbaa0

SHA256
d3b44f1ddedb449fa0e7d56a96f42a9060f3feba03d93dbf900db66498bd47fd

SHA512
5565bb6a4507ba41409d33bebb3216455e5791f486687a3248fbdf83b642d27e2e8ec8eb034843bed05aaa49468f62c1a0d3f6c24707423685e94e5d4af974b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost2.exe
Filesize
27KB

MD5
83a49e5309d8b2f07ed0815b5eb847d6

SHA1
65b0eb7129e99bece9977a7b4e9c0df7a83fbaa0

SHA256
d3b44f1ddedb449fa0e7d56a96f42a9060f3feba03d93dbf900db66498bd47fd

SHA512
5565bb6a4507ba41409d33bebb3216455e5791f486687a3248fbdf83b642d27e2e8ec8eb034843bed05aaa49468f62c1a0d3f6c24707423685e94e5d4af974b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4362.tmp.bat
Filesize
151B

MD5
2af5f587990f0216c20ae1f032a746b7

SHA1
52b3be38e83160f8ff9854fa39b2f04333f22fc2

SHA256
fcb0d75e13e1b30c791067c133247aeac3bf700c977a253994ae435a6cb86231

SHA512
43e3316a5627f615567a9d59cdc7756cc73ffd43d8d2e774c14aa7489c7271daaf02e5c1e512281a18fca9344db8f1117cb3df51e027fcbd166c19f7978acc4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB323.tmp.bat
Filesize
255B

MD5
627a9408bb17595910cb2a0c3c1fae61

SHA1
1d5044f206e15decc2d781db3b67b92c1796c0d1

SHA256
25371b65ce45aa8706e8bd6fe899c7b3ed0d82ba4062309ee35afefc80bb1b99

SHA512
6842ca5f798aa0b1087dcc3744c140eb2da6266552033b64bbb8448ae098cbd7554065345161d907509db089fd655c52890f3fee2423d5eca3770de6cd70dc39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe
Filesize
428.1MB

MD5
86305dd470c4dfafffa4ab4a04f4d6c0

SHA1
784bbe54a3c8f2e05f299862d56d5d2bc41bea73

SHA256
a0e8f8f444163bb43f05734a461400087d4f814dacc4543fe84b4f5860fefde2

SHA512
a9d0d35126481361fac5d82cb7b298d531b00a95d0e738cf06302413c4e497679d6c9b247b5906fe7586ca2daae1f144a029e45005720a60bfcc32b2d6375b47

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe
Filesize
427.6MB

MD5
7c98456f83b115c3891e50e2309fb8fa

SHA1
bdfce054a7eb60779215896bed1282def0328dc6

SHA256
fc71a37f512bbaf71258b6bd0553e45e013346d938d4b3edb4505efedbd257c8

SHA512
b96c10009fbc4b4298e6b38e52aea97d6ce976d6fcd84c9717775a784a8edd8d1e79e42868ccb11ecf7ec9f5ba6f0778313f1ea00ac2047f543ba7643435e126

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe
Filesize
27KB

MD5
83a49e5309d8b2f07ed0815b5eb847d6

SHA1
65b0eb7129e99bece9977a7b4e9c0df7a83fbaa0

SHA256
d3b44f1ddedb449fa0e7d56a96f42a9060f3feba03d93dbf900db66498bd47fd

SHA512
5565bb6a4507ba41409d33bebb3216455e5791f486687a3248fbdf83b642d27e2e8ec8eb034843bed05aaa49468f62c1a0d3f6c24707423685e94e5d4af974b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
da0148c0c6c0d0bf83f34fd58b4b38d7

SHA1
4ddf427910944dcd3967997083573fab34cffb24

SHA256
9f39f48b886b5254214543b335f4245961d5449a87a45cc6abe52a179bbdbe66

SHA512
08589ba93eb48e2306e9d0cd9264e32b06855de80b026fe0bd7000577cce0f90668d7987c20d84fa7acafb77cccca5d9533c9928974dbd94556883acddfd93c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1KB

MD5
403e16ddaf9c3715bd0fd21158e22332

SHA1
11747376a7c652e095094d489ff2e329547e28f7

SHA256
f70e60ae483eeb52d55bad853da195671ae0c694834aa29987b3d1f7a535d279

SHA512
46ce6841c9cbda338454c93422443f20c72e6fc16c2e56d79e06274a23c1b5621cd83112e1447b25adde57ef6800af3303c0eee7e2c4a26cb7c0c1607fcc8a8c

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_d13fa6fd01354c1cb13a471f4d115873.dat
Filesize
1KB

MD5
fd39323f968ca7a3fdc1e24b6d4aad79

SHA1
1d23e916e25bf91bd688f590a72a2365e96ec446

SHA256
68e3ff03ea0b88506e638977260380359a821a28bccb88abab0c56898ad2d168

SHA512
8920ab21a0f7bd458d66c5c877413eef69d3776642b3f42a4825d62fc44cec0fb64a5157adc24c5662d47f5aa0bfdda0885f364990068e6487c7606288786456

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
48KB

MD5
824b6d94e834e611f6aed8091a62e9d6

SHA1
5771fd73ca90d27fac3425358fcaa45c16ea62ff

SHA256
b912edf461afbc58b7684deb88addaeb0a2b50359261c1c310df17ddb2de0d38

SHA512
b23c681e6cb5ea3be688b98d6b5e532e7dd60240ec7e3b96249a5205670dc64007380b94c3f19efd8ec5fea8ec4ad034fa0cac091deadd64185e70f3e119e179

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
37KB

MD5
0f649e94783dfbd5ab19501286be1ee6

SHA1
d2e14af3dc729d16e034ee22e051ffec7fb3e614

SHA256
a969f285276f1462796f9b89b6e8d23eb2d8682761a85070842a3215fda795d2

SHA512
fb95c44ea3a36e5f8c2d3393481f304c85b6ccc3bd92f8886007570598d20df746d39fc93659607ef0fee620303bb9a794aedfbd1954e5767bc9200f7300a9d4

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
37KB

MD5
0f649e94783dfbd5ab19501286be1ee6

SHA1
d2e14af3dc729d16e034ee22e051ffec7fb3e614

SHA256
a969f285276f1462796f9b89b6e8d23eb2d8682761a85070842a3215fda795d2

SHA512
fb95c44ea3a36e5f8c2d3393481f304c85b6ccc3bd92f8886007570598d20df746d39fc93659607ef0fee620303bb9a794aedfbd1954e5767bc9200f7300a9d4

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
37KB

MD5
0f649e94783dfbd5ab19501286be1ee6

SHA1
d2e14af3dc729d16e034ee22e051ffec7fb3e614

SHA256
a969f285276f1462796f9b89b6e8d23eb2d8682761a85070842a3215fda795d2

SHA512
fb95c44ea3a36e5f8c2d3393481f304c85b6ccc3bd92f8886007570598d20df746d39fc93659607ef0fee620303bb9a794aedfbd1954e5767bc9200f7300a9d4

Download Submit
\??\pipe\crashpad_3372_REMTLCQHQXILMAOC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/228-165-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/228-155-0x0000000000000000-mapping.dmp

Download
memory/228-210-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/228-180-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/644-243-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/644-230-0x000000001DB90000-0x000000001DBA2000-memory.dmp

Filesize
72KB

Download
memory/644-176-0x000000001CF90000-0x000000001CFAA000-memory.dmp

Filesize
104KB

Download
memory/644-132-0x0000000000000000-mapping.dmp

Download
memory/644-241-0x000000001DBF0000-0x000000001DC2C000-memory.dmp

Filesize
240KB

Download
memory/644-188-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/644-158-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/644-139-0x0000000000D70000-0x0000000000E96000-memory.dmp

Filesize
1.1MB

Download
memory/748-198-0x0000000000000000-mapping.dmp

Download
memory/1044-247-0x0000000000000000-mapping.dmp

Download
memory/1128-182-0x0000000006A40000-0x0000000007058000-memory.dmp

Filesize
6.1MB

Download
memory/1128-134-0x0000000000000000-mapping.dmp

Download
memory/1128-187-0x0000000006650000-0x000000000675A000-memory.dmp

Filesize
1.0MB

Download
memory/1128-143-0x0000000000D80000-0x0000000000E6A000-memory.dmp

Filesize
936KB

Download
memory/1128-184-0x00000000064A0000-0x00000000064DC000-memory.dmp

Filesize
240KB

Download
memory/1128-183-0x0000000006440000-0x0000000006452000-memory.dmp

Filesize
72KB

Download
memory/1204-256-0x0000000000000000-mapping.dmp

Download
memory/1224-260-0x0000000000000000-mapping.dmp

Download
memory/1352-259-0x0000000000000000-mapping.dmp

Download
memory/1600-258-0x0000000000000000-mapping.dmp

Download
memory/1844-159-0x0000000000000000-mapping.dmp

Download
memory/1844-163-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/1968-175-0x0000000000000000-mapping.dmp

Download
memory/2136-148-0x0000000000000000-mapping.dmp

Download
memory/2136-178-0x0000000005830000-0x0000000005896000-memory.dmp

Filesize
408KB

Download
memory/2136-274-0x0000000006CE0000-0x0000000006D02000-memory.dmp

Filesize
136KB

Download
memory/2136-151-0x0000000000E10000-0x0000000000F94000-memory.dmp

Filesize
1.5MB

Download
memory/2340-194-0x0000000000000000-mapping.dmp

Download
memory/2828-249-0x0000000000000000-mapping.dmp

Download
memory/2828-219-0x0000000000000000-mapping.dmp

Download
memory/2868-191-0x0000000000000000-mapping.dmp

Download
memory/2928-156-0x0000000005560000-0x0000000005B04000-memory.dmp

Filesize
5.6MB

Download
memory/2928-173-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/2928-245-0x0000000004FB0000-0x0000000005554000-memory.dmp

Filesize
5.6MB

Download
memory/2928-257-0x0000000004FB0000-0x0000000005554000-memory.dmp

Filesize
5.6MB

Download
memory/2928-240-0x0000000004FB0000-0x0000000005554000-memory.dmp

Filesize
5.6MB

Download
memory/2928-233-0x0000000004F99000-0x0000000004F9F000-memory.dmp

Filesize
24KB

Download
memory/2928-255-0x0000000004FB0000-0x0000000005554000-memory.dmp

Filesize
5.6MB

Download
memory/2928-262-0x0000000004F99000-0x0000000004F9F000-memory.dmp

Filesize
24KB

Download
memory/2928-190-0x0000000004F99000-0x0000000004F9F000-memory.dmp

Filesize
24KB

Download
memory/2928-138-0x0000000000000000-mapping.dmp

Download
memory/2928-144-0x0000000000690000-0x0000000000716000-memory.dmp

Filesize
536KB

Download
memory/3008-217-0x0000000070FD0000-0x0000000071581000-memory.dmp

Filesize
5.7MB

Download
memory/3008-167-0x0000000000000000-mapping.dmp

Download
memory/3008-181-0x0000000070FD0000-0x0000000071581000-memory.dmp

Filesize
5.7MB

Download
memory/3008-213-0x0000000070FD0000-0x0000000071581000-memory.dmp

Filesize
5.7MB

Download
memory/3100-223-0x0000000000000000-mapping.dmp

Download
memory/3124-252-0x0000000000000000-mapping.dmp

Download
memory/3196-220-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3196-209-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3196-142-0x0000000000000000-mapping.dmp

Download
memory/3196-147-0x0000000000390000-0x00000000003AA000-memory.dmp

Filesize
104KB

Download
memory/3196-179-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3212-246-0x0000000000000000-mapping.dmp

Download
memory/3308-277-0x0000000000000000-mapping.dmp

Download
memory/3436-222-0x0000000000000000-mapping.dmp

Download
memory/3624-166-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3624-189-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3624-152-0x0000000000000000-mapping.dmp

Download
memory/3624-201-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3624-162-0x0000020D54270000-0x0000020D542BA000-memory.dmp

Filesize
296KB

Download
memory/3736-211-0x0000000000000000-mapping.dmp

Download
memory/3744-229-0x00000000077B0000-0x00000000077BA000-memory.dmp

Filesize
40KB

Download
memory/3744-203-0x0000000000000000-mapping.dmp

Download
memory/3920-193-0x0000000000000000-mapping.dmp

Download
memory/4004-186-0x0000000000000000-mapping.dmp

Download
memory/4028-279-0x0000000000000000-mapping.dmp

Download
memory/4036-232-0x0000000000000000-mapping.dmp

Download
memory/4036-237-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/4040-231-0x0000000000000000-mapping.dmp

Download
memory/4128-212-0x0000000000000000-mapping.dmp

Download
memory/4128-218-0x0000000070FD0000-0x0000000071581000-memory.dmp

Filesize
5.7MB

Download
memory/4128-244-0x0000000070FD0000-0x0000000071581000-memory.dmp

Filesize
5.7MB

Download
memory/4160-185-0x0000000000000000-mapping.dmp

Download
memory/4160-238-0x0000000000000000-mapping.dmp

Download
memory/4164-225-0x0000000000000000-mapping.dmp

Download
memory/4164-228-0x0000000070FD0000-0x0000000071581000-memory.dmp

Filesize
5.7MB

Download
memory/4164-248-0x0000000000000000-mapping.dmp

Download
memory/4164-242-0x0000000070FD0000-0x0000000071581000-memory.dmp

Filesize
5.7MB

Download
memory/4168-278-0x0000000000000000-mapping.dmp

Download
memory/4192-253-0x0000000000000000-mapping.dmp

Download
memory/4248-261-0x0000000000000000-mapping.dmp

Download
memory/4400-192-0x0000000000000000-mapping.dmp

Download
memory/4564-177-0x0000000005540000-0x00000000055DC000-memory.dmp

Filesize
624KB

Download
memory/4564-174-0x0000000000CD0000-0x0000000000CDE000-memory.dmp

Filesize
56KB

Download
memory/4564-170-0x0000000000000000-mapping.dmp

Download
memory/4704-216-0x0000000000000000-mapping.dmp

Download
memory/4920-207-0x0000000000000000-mapping.dmp

Download
memory/4932-195-0x0000000000000000-mapping.dmp

Download
memory/5212-271-0x0000000007114000-0x0000000007117000-memory.dmp

Filesize
12KB

Download
memory/5212-283-0x000000000711C000-0x0000000007121000-memory.dmp

Filesize
20KB

Download
memory/5212-272-0x0000000007117000-0x000000000711C000-memory.dmp

Filesize
20KB

Download
memory/5212-273-0x0000000007110000-0x0000000007114000-memory.dmp

Filesize
16KB

Download
memory/5212-270-0x0000000004B30000-0x00000000050D4000-memory.dmp

Filesize
5.6MB

Download
memory/5212-275-0x0000000007114000-0x0000000007117000-memory.dmp

Filesize
12KB

Download
memory/5212-276-0x0000000007117000-0x000000000711C000-memory.dmp

Filesize
20KB

Download
memory/5212-269-0x0000000007110000-0x0000000007114000-memory.dmp

Filesize
16KB

Download
memory/5212-268-0x0000000004B30000-0x00000000050D4000-memory.dmp

Filesize
5.6MB

Download
memory/5212-288-0x0000000007117000-0x000000000711F000-memory.dmp

Filesize
32KB

Download
memory/5212-280-0x000000000711C000-0x0000000007121000-memory.dmp

Filesize
20KB

Download
memory/5212-287-0x0000000004B30000-0x00000000050D4000-memory.dmp

Filesize
5.6MB

Download
memory/5212-282-0x0000000007121000-0x0000000007126000-memory.dmp

Filesize
20KB

Download
memory/5212-264-0x0000000000000000-mapping.dmp

Download
memory/5212-284-0x0000000007121000-0x0000000007126000-memory.dmp

Filesize
20KB

Download
memory/5212-285-0x0000000004B30000-0x00000000050D4000-memory.dmp

Filesize
5.6MB

Download
memory/5212-286-0x0000000007117000-0x000000000711F000-memory.dmp

Filesize
32KB

Download
memory/5228-266-0x0000000000000000-mapping.dmp

Download
memory/5792-281-0x0000000000000000-mapping.dmp

Download