44caliber | f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126

Analysis

max time kernel
14s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe
Size

2.9MB
MD5

795cad191a335ac30addd0c963bd6517
SHA1

c1c36d77734f105b62bcb662c4ee5bfe68377e33
SHA256

f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126
SHA512

a3ae9f8035c366cd5c8dc3d765447517d88245e189844d5eb25e1a2e75af5638ada69f2e313594224bdc8f970b9288e9912c22c1067bd044154509a9b8ca6bb8
SSDEEP

49152:Dyu3MbyTrWLL98QIhidAWs1885v01ashxTFUkXZZifVYDkEmCq+XOue/suKiFGjr:DNMGTtgdA/8hXzZQfVYQE8+J0KiAS8

Score

10^/10

44caliber orcus xmrig miner rat spyware stealer

Malware Config

Extracted

Family

orcus

192.168.0.200:10134

Mutex

afa5401f54984aaa863b79961927d3dd

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
GitHub
watchdog_path
Temp\nurik.exe

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Image-O.gpj.scr	family_orcus
C:\Program Files\Orcus\Orcus.exe	family_orcus
C:\Program Files\Orcus\Orcus.exe	family_orcus
C:\Program Files\Orcus\Orcus.exe	family_orcus

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Orcurs Rat Executable 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Image-O.gpj.scr	orcus
C:\Program Files\Orcus\Orcus.exe	orcus
C:\Program Files\Orcus\Orcus.exe	orcus
behavioral1/memory/2296-141-0x0000000000A00000-0x0000000000AEE000-memory.dmp	orcus
C:\Program Files\Orcus\Orcus.exe	orcus

XMRig Miner payload 21 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2776-207-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-208-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-209-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-210-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-211-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-212-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-213-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-216-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-214-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-218-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-221-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-223-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-225-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-226-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-227-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-228-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-229-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-231-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-232-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-233-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2776-234-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig

Executes dropped EXE 9 IoCs

Processes:

Image-O.gpj.scrnursultan_client.exenurik.exeoboxd.exeWindowsInput.exeWindowsInput.exeOrcus.exesihost64.exeServices.exe

pid	process
3048	Image-O.gpj.scr
2856	nursultan_client.exe
2864	nurik.exe
2976	oboxd.exe
268	WindowsInput.exe
804	WindowsInput.exe
2296	Orcus.exe
1792	sihost64.exe
1728	Services.exe

Loads dropped DLL 7 IoCs

Processes:

f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exenursultan_client.exeoboxd.exe

pid	process
1976	f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe
1976	f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe
1976	f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe
2856	nursultan_client.exe
2856	nursultan_client.exe
2976	oboxd.exe
2976	oboxd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

13 raw.githubusercontent.com
10 pastebin.com
11 pastebin.com
12 raw.githubusercontent.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
5 freegeoip.app

flow	ioc
13	raw.githubusercontent.com
10	pastebin.com
11	pastebin.com
12	raw.githubusercontent.com

flow	ioc
4	freegeoip.app
5	freegeoip.app

Drops file in System32 directory 3 IoCs

Processes:

Image-O.gpj.scrWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	Image-O.gpj.scr
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	Image-O.gpj.scr
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

Processes:

Image-O.gpj.scr

description	ioc	process
File created	C:\Program Files\Orcus\Orcus.exe	Image-O.gpj.scr
File opened for modification	C:\Program Files\Orcus\Orcus.exe	Image-O.gpj.scr
File created	C:\Program Files\Orcus\Orcus.exe.config	Image-O.gpj.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nurik.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	nurik.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	nurik.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1044 schtasks.exe
1636 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

nurik.exeoboxd.exe

pid process

2864 nurik.exe
2864 nurik.exe
2864 nurik.exe
2976 oboxd.exe
2864 nurik.exe
2976 oboxd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

nurik.exeoboxd.exe

description pid process

Token: SeDebugPrivilege 2864 nurik.exe
Token: SeDebugPrivilege 2976 oboxd.exe

pid	process
1044	schtasks.exe
1636	schtasks.exe

pid	process
2864	nurik.exe
2864	nurik.exe
2864	nurik.exe
2976	oboxd.exe
2864	nurik.exe
2976	oboxd.exe

description	pid	process
Token: SeDebugPrivilege	2864	nurik.exe
Token: SeDebugPrivilege	2976	oboxd.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exenursultan_client.exeImage-O.gpj.scrcsc.exeoboxd.execmd.exe

description	pid	process	target process
PID 1976 wrote to memory of 3048	1976	f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe	Image-O.gpj.scr
PID 1976 wrote to memory of 3048	1976	f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe	Image-O.gpj.scr
PID 1976 wrote to memory of 3048	1976	f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe	Image-O.gpj.scr
PID 1976 wrote to memory of 3048	1976	f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe	Image-O.gpj.scr
PID 1976 wrote to memory of 2856	1976	f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe	nursultan_client.exe
PID 1976 wrote to memory of 2856	1976	f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe	nursultan_client.exe
PID 1976 wrote to memory of 2856	1976	f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe	nursultan_client.exe
PID 1976 wrote to memory of 2856	1976	f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe	nursultan_client.exe
PID 2856 wrote to memory of 2864	2856	nursultan_client.exe	nurik.exe
PID 2856 wrote to memory of 2864	2856	nursultan_client.exe	nurik.exe
PID 2856 wrote to memory of 2864	2856	nursultan_client.exe	nurik.exe
PID 2856 wrote to memory of 2864	2856	nursultan_client.exe	nurik.exe
PID 2856 wrote to memory of 2976	2856	nursultan_client.exe	oboxd.exe
PID 2856 wrote to memory of 2976	2856	nursultan_client.exe	oboxd.exe
PID 2856 wrote to memory of 2976	2856	nursultan_client.exe	oboxd.exe
PID 2856 wrote to memory of 2976	2856	nursultan_client.exe	oboxd.exe
PID 3048 wrote to memory of 2748	3048	Image-O.gpj.scr	csc.exe
PID 3048 wrote to memory of 2748	3048	Image-O.gpj.scr	csc.exe
PID 3048 wrote to memory of 2748	3048	Image-O.gpj.scr	csc.exe
PID 2748 wrote to memory of 2988	2748	csc.exe	cvtres.exe
PID 2748 wrote to memory of 2988	2748	csc.exe	cvtres.exe
PID 2748 wrote to memory of 2988	2748	csc.exe	cvtres.exe
PID 2976 wrote to memory of 1700	2976	oboxd.exe	cmd.exe
PID 2976 wrote to memory of 1700	2976	oboxd.exe	cmd.exe
PID 2976 wrote to memory of 1700	2976	oboxd.exe	cmd.exe
PID 1700 wrote to memory of 1044	1700	cmd.exe	schtasks.exe
PID 1700 wrote to memory of 1044	1700	cmd.exe	schtasks.exe
PID 1700 wrote to memory of 1044	1700	cmd.exe	schtasks.exe
PID 3048 wrote to memory of 268	3048	Image-O.gpj.scr	WindowsInput.exe
PID 3048 wrote to memory of 268	3048	Image-O.gpj.scr	WindowsInput.exe
PID 3048 wrote to memory of 268	3048	Image-O.gpj.scr	WindowsInput.exe
PID 3048 wrote to memory of 2296	3048	Image-O.gpj.scr	Orcus.exe
PID 3048 wrote to memory of 2296	3048	Image-O.gpj.scr	Orcus.exe
PID 3048 wrote to memory of 2296	3048	Image-O.gpj.scr	Orcus.exe
PID 2976 wrote to memory of 1792	2976	oboxd.exe	sihost64.exe
PID 2976 wrote to memory of 1792	2976	oboxd.exe	sihost64.exe
PID 2976 wrote to memory of 1792	2976	oboxd.exe	sihost64.exe
PID 2976 wrote to memory of 1728	2976	oboxd.exe	Services.exe
PID 2976 wrote to memory of 1728	2976	oboxd.exe	Services.exe
PID 2976 wrote to memory of 1728	2976	oboxd.exe	Services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe
"C:\Users\Admin\AppData\Local\Temp\f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\Image-O.gpj.scr
"C:\Users\Admin\AppData\Local\Temp\Image-O.gpj.scr" /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rxcrzlcs.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55CF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC55CE.tmp"
4⤵
PID:2988

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:268

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
3⤵
- Executes dropped EXE
PID:2296

C:\Users\Admin\AppData\Local\Temp\nurik.exe
"C:\Users\Admin\AppData\Local\Temp\nurik.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2296
4⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\nurik.exe
"C:\Users\Admin\AppData\Local\Temp\nurik.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2296
5⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\nursultan_client.exe
"C:\Users\Admin\AppData\Local\Temp\nursultan_client.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Local\Temp\nurik.exe
"C:\Users\Admin\AppData\Local\Temp\nurik.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Users\Admin\AppData\Local\Temp\oboxd.exe
"C:\Users\Admin\AppData\Local\Temp\oboxd.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
5⤵
- Creates scheduled task(s)
PID:1044

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:1792

C:\Users\Admin\AppData\Local\Temp\Services.exe
"C:\Users\Admin\AppData\Local\Temp\Services.exe"
4⤵
- Executes dropped EXE
PID:1728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
5⤵
PID:1760

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
6⤵
- Creates scheduled task(s)
PID:1636

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
5⤵
PID:2788

C:\Windows\explorer.exe
C:\Windows\explorer.exe -B --coin=monero --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=7144275 --pass= --cpu-max-threads-hint=60 --donate-level=5 --unam-idle-wait=1 --unam-idle-cpu=80
5⤵
PID:2776

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe
Filesize
2.4MB

MD5
42c7cea8b636682d6b10a936cc50493d

SHA1
ea30cdce63dd3fae4ed2c8e695394711f43252ee

SHA256
176a0c62689e5274051694bc73a1ebce5625561c5309e5c41c920a3682fbbd3f

SHA512
682ae949147523736708b5a2d190c549553aa1594913e848f165ced31a59f1e9626d3d1f7dbcfe2ee7e492b3aee71daad518dbded75bff7a37728413aa6d4937

Download Submit
C:\Program Files\Orcus\Orcus.exe
Filesize
2.0MB

MD5
dc52ceca65c6282d067b99d231afa94e

SHA1
3dd91c037c8e257867ef3b721595a6967bb57b9b

SHA256
364b4c0b1e5ef8206fc8ed82068f9e61078f6c185971b259cd322a6b80132e30

SHA512
d7a7593dec5206a16e7abcb7cf430fd5cf720e4ff6e63ae139fe6e046cdafafc52c76080c5b0286bc26235274bfedf9423d4572f442a3e05f0d9f40cda20ef61

Download Submit
C:\Program Files\Orcus\Orcus.exe
Filesize
1.6MB

MD5
609ce7378c40c0103790fc06aac05d84

SHA1
21b1d9ba39ce530f8e63133205d2eee3f164e0f2

SHA256
aca95997171c85014fad0a0e7017ecc7bf91790571e59167f1274ed0265f42b5

SHA512
fbd3fade510786e13066c987f0abd4802d68e27fe338bee4c12f2117dfb801294203340888600d89de24e6ec5987d295b833ccc0544cfb8c4eab0d4d845cf954

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES55CF.tmp
Filesize
1KB

MD5
90f9a7acf2f2f7bb30e331a53f66bf7d

SHA1
dcc11126a7f4803509937eb1673b62c7f0d4e9c2

SHA256
75d67ddd4d15efb85a2e83d044f07fab2527340f511dc06fa21204e404975fa8

SHA512
469f8a00ccdd3772db76ef2050890d2445059f8a21219b4c792aaa0706383036fa0c7435848e911d210c18f28481c1724744f693e3a6d373f55846e1c48521c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services.exe
Filesize
1.4MB

MD5
2cf55503b46f3421355564a277b1065d

SHA1
3b827541d61e82c6f3360ceab14d3aec0c1d8a09

SHA256
02b066e211b9a783153fce67c7b8c8038cbe5258dddd47caaa798cc28bbc860c

SHA512
68ee03f5e5e1377af0aa58eae588c73456d73d0915dbb49c74051de8986519b47d2b657a61c6dd89a3d669ca4a35c4bf0d4cf4e3f602b281ade07d435651d5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services.exe
Filesize
1.5MB

MD5
28bc9f3d1420ae39c441311eb246eb38

SHA1
0e5c4527d4b97f779df8e21dbf40761f3bb0b4fc

SHA256
98c78dc970f3e459d0c7898f04b1e26cc58558cdc64e00d931c22f35f6a7a2de

SHA512
cfc592d56e4277c79478e5e16218ed848522937ebf1633b91fb7de3f389e0d5258553a960c954ba7d28b24fca78643fc997315e7280754aa80307b64c69fdee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nurik.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxcrzlcs.dll
Filesize
76KB

MD5
431f1c813640b48860d0ad19ff51ae37

SHA1
34aff90dfc27cc16f4df57609cf52c26b017c4c1

SHA256
272741fb2e4c285bf971b73a32f4b1bf83c915b4c1fc2bc0bf6b9031d053038f

SHA512
ca6ee8fb35f8e0797544c0488d56eca23af1634deebfef61e092bba345f576d815ff006dc839a753f1853bc12941cdd4a66435d4969ad8022f77f6e15c9017ac

Download Submit
C:\Users\Admin\AppData\Roaming\88\Process.txt
Filesize
442B

MD5
ae33f1413715f2af9e8c45855acf5889

SHA1
c2716edd267a064cf6017a0f001f07edc1541696

SHA256
a260b23aed16e7382be3e5a24443f87d4b81d8a0a020b4655f6caa1453001ba0

SHA512
8223de780e6c27572dfad0e577bf1dfac4448bfec4d66b7e15a601292bb8d32681cd938b3ba4e0a2e9f049697760d8dd60541e9f26b07415277d6f340b30d160

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
Filesize
7KB

MD5
911b19c708c9cec64ae903c37bbc130a

SHA1
4819de5bfd0f38fe7aeea41b20ed3c2dcb46e98b

SHA256
be55e2c26a1d438d3ca1b11619f1ce6f1e1bf0a97b754096de2d2e2dd51cbb6c

SHA512
d754c217d00cdc7b179a4901cd856ce3a863fd281bae4b1cc42f0a66167ecc2ac7a6b808fa5e40f7cbc6058023bb75fbcbd5baff5d9e2d8227cd5066864a4451

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_afa5401f54984aaa863b79961927d3dd.dat
Filesize
1KB

MD5
5d8340d3f748e14246ead5f699b7c47b

SHA1
8885161d325adf8f6e4522c00d9b9066f4f0b6ed

SHA256
67658e64c3542deb72a5967d0be53c506f3b567acde151f310562b67d6e30510

SHA512
cad66d8b247f127ce3207a4fe85c169f2eabe15d11a4e7b3eb212ee851cb8a1087a00e8dd89d4d2173ad1b5ff8de554b54a83264dbdacbdf36786eac39ee5faf

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC55CE.tmp
Filesize
676B

MD5
cc359d1ec4b61a2ee54f9a4feb22bb4c

SHA1
2cf72fb841204bb97163287556d0520d0eaa67a8

SHA256
45d32c839bc91ece448340895a8219cfdc14295f481258e15074a00f786b1bd2

SHA512
b660bebd758b5c1a396e4a032a6e4baffdabae822457c3a7b8e2163e50cc759ffe552741115f5df8067ea1e7774184293e3d47017f591bb0413b7f530bbd51fa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rxcrzlcs.0.cs
Filesize
208KB

MD5
2b14ae8b54d216abf4d228493ceca44a

SHA1
d134351498e4273e9d6391153e35416bc743adef

SHA256
4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c

SHA512
5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rxcrzlcs.cmdline
Filesize
349B

MD5
804f493764317a18f9be01c39ec7f97a

SHA1
6af73d6bceea6dcec1bf00425e7614ecb2f95f0a

SHA256
3355c1556aa08d606f680b5611c87961a001d8a40088149208289270413c03c3

SHA512
ac9e4900a205d22cdb14d109e74bf573a5de15cbc69d8bb6862527b5cc4e1c3fc4318c2b8df9a82a4d1bfecc3bfd907bd1cf76497360010079e07441f334de49

Download Submit
\Users\Admin\AppData\Local\Temp\Image-O.gpj.scr
Filesize
5.0MB

MD5
3e04fd7395a78346599158a287111839

SHA1
f54df6a85e09c59b55232918a096d64613caf050

SHA256
793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700

SHA512
f5c3fa6d88932778da994653ee1f2d1bc57f3dfb9dfd9ca8205cae1507015c02e0205ca200c7c4a30c5e2c1b2fb108e096022e028218290495f16508afafd35a

Download Submit
\Users\Admin\AppData\Local\Temp\Services.exe
Filesize
1.4MB

MD5
a3781635e194cab64bfdfaa8aa6ea259

SHA1
fb6bdf6c4e69cd2f218a56358e5417562d28e3ee

SHA256
f0e47db06775a3cf28af5bd4a8753ba7b4aa46462b8970a67effe4c98cf4a1ff

SHA512
6fcba58619a1c81beb83c93ebeaa6ccae79d8d02c1a8344a87f05810a621d1f29ad0f4a972307685acfc859c456d24f80d118d6330f2fb5423b49c17cb7102fc

Download Submit
\Users\Admin\AppData\Local\Temp\nurik.exe
Filesize
274KB

MD5
7e3bc7b8a8b9a60ef978ed4e947ce915

SHA1
993627e075a124810c4f75074c7b28f9931c20e4

SHA256
07db8c1b6e027058c9e1e569ab0b2df5047085a3c85c78ee1535c421009b2a9a

SHA512
0ddeaed7358de529e28457067157dc576d289c83bf02d64e0398ee6718ce3ece7eae96cfbaa2641a0aaf819952b8d6d5cd6aa88c1cc2c4374b2a8edc5aef6cb1

Download Submit
\Users\Admin\AppData\Local\Temp\nursultan_client.exe
Filesize
2.2MB

MD5
eb6fa00cbd1f7ac6494ad51aa7bfbb9a

SHA1
0b9ae215ca6a03386a62c63d849fee31c5c03392

SHA256
82b2f29746562b6840f1bc2050143de2157362d40a34e4886a9619d8f5846edf

SHA512
a46b4bc13fc585bbc3352d17eeb52bbbd534ef3aa7762ec5982b07caad994da2a07879edc3a176501dd445353aa7c49c3d0336275a0e0b5dfde7713563cac479

Download Submit
\Users\Admin\AppData\Local\Temp\oboxd.exe
Filesize
2.0MB

MD5
d6400969781f7d6c38525f60e5b4d410

SHA1
ec70f779fa55ab1fc0065a602e4d95079e417343

SHA256
295d40b979b51e0ffc828004004422d390512438d6d70f61e1c6bfe87aabd74d

SHA512
3bfaf42fedec60704f557aa01e2fcfcdc5513d30bcd449b0ff0504d6084578bfd7f6624341cd534fa10e517e3d641485a2c5453cdcab269c7784e5dd425b7818

Download Submit
memory/268-94-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/268-90-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/268-89-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/268-91-0x0000000001F90000-0x0000000002010000-memory.dmp

Filesize
512KB

Download
memory/296-181-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/296-182-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/296-186-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/804-96-0x0000000000960000-0x000000000096C000-memory.dmp

Filesize
48KB

Download
memory/804-100-0x0000000019900000-0x0000000019980000-memory.dmp

Filesize
512KB

Download
memory/804-185-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/804-188-0x0000000019900000-0x0000000019980000-memory.dmp

Filesize
512KB

Download
memory/804-98-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/1068-187-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1728-164-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/1728-189-0x000000001C4B0000-0x000000001C530000-memory.dmp

Filesize
512KB

Download
memory/1728-215-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/1728-203-0x0000000000740000-0x000000000074E000-memory.dmp

Filesize
56KB

Download
memory/1728-162-0x000000013F7A0000-0x000000013F9A8000-memory.dmp

Filesize
2.0MB

Download
memory/1728-220-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/1792-190-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/1792-163-0x000000001BC10000-0x000000001BC90000-memory.dmp

Filesize
512KB

Download
memory/1792-158-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/1792-156-0x000000013F130000-0x000000013F136000-memory.dmp

Filesize
24KB

Download
memory/2296-172-0x000000001AD80000-0x000000001AE00000-memory.dmp

Filesize
512KB

Download
memory/2296-202-0x000000001AD80000-0x000000001AE00000-memory.dmp

Filesize
512KB

Download
memory/2296-230-0x000000001AD80000-0x000000001AE00000-memory.dmp

Filesize
512KB

Download
memory/2296-224-0x000000001AD80000-0x000000001AE00000-memory.dmp

Filesize
512KB

Download
memory/2296-148-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/2296-144-0x000000001AD80000-0x000000001AE00000-memory.dmp

Filesize
512KB

Download
memory/2296-142-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/2296-141-0x0000000000A00000-0x0000000000AEE000-memory.dmp

Filesize
952KB

Download
memory/2296-200-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/2296-171-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2296-170-0x000000001AD80000-0x000000001AE00000-memory.dmp

Filesize
512KB

Download
memory/2296-169-0x0000000002350000-0x0000000002368000-memory.dmp

Filesize
96KB

Download
memory/2296-168-0x00000000009B0000-0x00000000009FE000-memory.dmp

Filesize
312KB

Download
memory/2748-44-0x0000000002110000-0x0000000002190000-memory.dmp

Filesize
512KB

Download
memory/2776-222-0x00000000000E0000-0x00000000000F4000-memory.dmp

Filesize
80KB

Download
memory/2776-223-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-234-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-208-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-207-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-233-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-206-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-231-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-229-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-228-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-227-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-226-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-225-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-210-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-221-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-218-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-217-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

Filesize
4KB

Download
memory/2776-209-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-214-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-211-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-216-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-213-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-204-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-205-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-232-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2776-212-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2788-201-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/2788-199-0x000000013FAD0000-0x000000013FAD6000-memory.dmp

Filesize
24KB

Download
memory/2864-39-0x0000000000AF0000-0x0000000000B3A000-memory.dmp

Filesize
296KB

Download
memory/2864-55-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/2864-102-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-147-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-43-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/2976-145-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/2976-165-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/2976-41-0x000000013F990000-0x000000013FB98000-memory.dmp

Filesize
2.0MB

Download
memory/2976-45-0x000007FEEE950000-0x000007FEEF33C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-23-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-97-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-77-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/3048-7-0x0000000000800000-0x000000000085C000-memory.dmp

Filesize
368KB

Download
memory/3048-143-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-75-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/3048-85-0x0000000002070000-0x00000000020F0000-memory.dmp

Filesize
512KB

Download
memory/3048-78-0x0000000002070000-0x00000000020F0000-memory.dmp

Filesize
512KB

Download
memory/3048-99-0x0000000002070000-0x00000000020F0000-memory.dmp

Filesize
512KB

Download
memory/3048-101-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-76-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/3048-10-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/3048-53-0x0000000001F90000-0x0000000001FA6000-memory.dmp

Filesize
88KB

Download
memory/3048-20-0x0000000002070000-0x00000000020F0000-memory.dmp

Filesize
512KB

Download
memory/3048-18-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

Filesize
9.6MB

Download