orcus | 471b1264bcc332dcfa69187ff322df257d039bc2503765fec497b3b5fdbda0e9

Analysis

max time kernel
1779s
max time network
1797s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlitzedGrabberX96.rar
Size

5.7MB
MD5

ee64a0b68d67da34ac76c56b2c66d4ba
SHA1

ecff5c05e9b6ba69bcc79994fe6aaf2a4721a103
SHA256

471b1264bcc332dcfa69187ff322df257d039bc2503765fec497b3b5fdbda0e9
SHA512

98be317b5535464d377ac522428472381f45fb9c2329059c565c18e52fb82a52a2dad91ab85a88dd6669bce340f8b87312d7e41d66b7d0f71429702c922d2fb1
SSDEEP

98304:+du79TVRun1hrRp4RAGzh8e5k1hH+QE20CMlSoe0mMfg+MWYJmvj5luj:AW9pIbRch/NQE20drg9WYJ+uj

Score

10^/10

orcus agilenet execution persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

209.25.141.181:40489

Mutex

690c4574d03b45e4b89aa16b415b7baf

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programdata%\Chrome\Plugins\chromedriver.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
svchost
watchdog_path
AppData\svchost.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1364-102-0x00000000010E0000-0x00000000011CC000-memory.dmp	orcus

Executes dropped EXE 16 IoCs

Processes:

BlitzedGrabberX96 Installer.exeBlitzedGrabberX96 Install.exeUnityCrashHandler.EXEchromedriver.exeWindowsInput.exeWindowsInput.exechromedriver.exechromedriver.exesvchost.exesvchost.exeKyanite.exechromedriver.exechromedriver.exechromedriver.exechromedriver.exechromedriver.exe

pid	process
2564	BlitzedGrabberX96 Installer.exe
2552	BlitzedGrabberX96 Install.exe
2432	UnityCrashHandler.EXE
2976	chromedriver.exe
2684	WindowsInput.exe
2856	WindowsInput.exe
1364	chromedriver.exe
2420	chromedriver.exe
540	svchost.exe
1100	svchost.exe
2188	Kyanite.exe
1680	chromedriver.exe
2824	chromedriver.exe
2708	chromedriver.exe
344	chromedriver.exe
2572	chromedriver.exe

Loads dropped DLL 34 IoCs

Processes:

BlitzedGrabberX96 Installer.exeBlitzedGrabberX96 Install.exeKyanite.exe

pid	process
2564	BlitzedGrabberX96 Installer.exe
2552	BlitzedGrabberX96 Install.exe
2552	BlitzedGrabberX96 Install.exe
2552	BlitzedGrabberX96 Install.exe
2552	BlitzedGrabberX96 Install.exe
2552	BlitzedGrabberX96 Install.exe
2552	BlitzedGrabberX96 Install.exe
2552	BlitzedGrabberX96 Install.exe
2552	BlitzedGrabberX96 Install.exe
2552	BlitzedGrabberX96 Install.exe
2552	BlitzedGrabberX96 Install.exe
2552	BlitzedGrabberX96 Install.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe
2188	Kyanite.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
\Program Files\BlitzedGrabberX96\Guna.UI2.dll	agile_net
behavioral1/memory/2188-172-0x0000000004E30000-0x0000000005022000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

UnityCrashHandler.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	UnityCrashHandler.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

Processes:

flow	ioc
6	raw.githubusercontent.com
55	discord.com
117	discord.com
138	discord.com
20	discord.com
118	discord.com
132	discord.com
133	discord.com
5	raw.githubusercontent.com
54	discord.com
128	discord.com
21	discord.com
22	discord.com
56	discord.com
137	discord.com
145	discord.com

Drops file in System32 directory 3 IoCs

Processes:

chromedriver.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	chromedriver.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	chromedriver.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 8 IoCs

Processes:

BlitzedGrabberX96 Install.exe

description	ioc	process
File created	C:\Program Files\BlitzedGrabberX96\APIFOR.DLL	BlitzedGrabberX96 Install.exe
File created	C:\Program Files\BlitzedGrabberX96\Bunifu_UI_v1.5.3.dll	BlitzedGrabberX96 Install.exe
File created	C:\Program Files\BlitzedGrabberX96\Guna.UI.dll	BlitzedGrabberX96 Install.exe
File created	C:\Program Files\BlitzedGrabberX96\Guna.UI2.dll	BlitzedGrabberX96 Install.exe
File created	C:\Program Files\BlitzedGrabberX96\Kyanite.exe	BlitzedGrabberX96 Install.exe
File created	C:\Program Files\BlitzedGrabberX96\Kyanite.exe.config	BlitzedGrabberX96 Install.exe
File created	C:\Program Files\BlitzedGrabberX96\Login Theme.dll	BlitzedGrabberX96 Install.exe
File created	C:\Program Files\BlitzedGrabberX96\Siticone.UI.dll	BlitzedGrabberX96 Install.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2512 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe7zFM.exechromedriver.exesvchost.exe

pid	process
2512	powershell.exe
1720	7zFM.exe
1720	7zFM.exe
1364	chromedriver.exe
1364	chromedriver.exe
1364	chromedriver.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1720	7zFM.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe
1364	chromedriver.exe
1100	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exechromedriver.exe

pid process

1720 7zFM.exe
1364 chromedriver.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exepowershell.exechromedriver.exesvchost.exesvchost.exeKyanite.exechrome.exe

description	pid	process
Token: SeRestorePrivilege	1720	7zFM.exe
Token: 35	1720	7zFM.exe
Token: SeSecurityPrivilege	1720	7zFM.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	1364	chromedriver.exe
Token: SeDebugPrivilege	540	svchost.exe
Token: SeDebugPrivilege	1100	svchost.exe
Token: SeDebugPrivilege	2188	Kyanite.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

7zFM.exechrome.exe

pid	process
1720	7zFM.exe
1720	7zFM.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

BlitzedGrabberX96 Install.exechromedriver.exeKyanite.exe

pid process

2552 BlitzedGrabberX96 Install.exe
2552 BlitzedGrabberX96 Install.exe
1364 chromedriver.exe
2188 Kyanite.exe
2188 Kyanite.exe

pid	process
2552	BlitzedGrabberX96 Install.exe
2552	BlitzedGrabberX96 Install.exe
1364	chromedriver.exe
2188	Kyanite.exe
2188	Kyanite.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe7zFM.exeBlitzedGrabberX96 Installer.exeUnityCrashHandler.EXEchromedriver.execsc.exetaskeng.exechromedriver.exesvchost.exechrome.exe

description	pid	process	target process
PID 2940 wrote to memory of 1720	2940	cmd.exe	7zFM.exe
PID 2940 wrote to memory of 1720	2940	cmd.exe	7zFM.exe
PID 2940 wrote to memory of 1720	2940	cmd.exe	7zFM.exe
PID 1720 wrote to memory of 2564	1720	7zFM.exe	BlitzedGrabberX96 Installer.exe
PID 1720 wrote to memory of 2564	1720	7zFM.exe	BlitzedGrabberX96 Installer.exe
PID 1720 wrote to memory of 2564	1720	7zFM.exe	BlitzedGrabberX96 Installer.exe
PID 2564 wrote to memory of 2552	2564	BlitzedGrabberX96 Installer.exe	BlitzedGrabberX96 Install.exe
PID 2564 wrote to memory of 2552	2564	BlitzedGrabberX96 Installer.exe	BlitzedGrabberX96 Install.exe
PID 2564 wrote to memory of 2552	2564	BlitzedGrabberX96 Installer.exe	BlitzedGrabberX96 Install.exe
PID 2564 wrote to memory of 2552	2564	BlitzedGrabberX96 Installer.exe	BlitzedGrabberX96 Install.exe
PID 2564 wrote to memory of 2552	2564	BlitzedGrabberX96 Installer.exe	BlitzedGrabberX96 Install.exe
PID 2564 wrote to memory of 2552	2564	BlitzedGrabberX96 Installer.exe	BlitzedGrabberX96 Install.exe
PID 2564 wrote to memory of 2552	2564	BlitzedGrabberX96 Installer.exe	BlitzedGrabberX96 Install.exe
PID 2564 wrote to memory of 2432	2564	BlitzedGrabberX96 Installer.exe	UnityCrashHandler.EXE
PID 2564 wrote to memory of 2432	2564	BlitzedGrabberX96 Installer.exe	UnityCrashHandler.EXE
PID 2564 wrote to memory of 2432	2564	BlitzedGrabberX96 Installer.exe	UnityCrashHandler.EXE
PID 2432 wrote to memory of 2512	2432	UnityCrashHandler.EXE	powershell.exe
PID 2432 wrote to memory of 2512	2432	UnityCrashHandler.EXE	powershell.exe
PID 2432 wrote to memory of 2512	2432	UnityCrashHandler.EXE	powershell.exe
PID 2564 wrote to memory of 2976	2564	BlitzedGrabberX96 Installer.exe	chromedriver.exe
PID 2564 wrote to memory of 2976	2564	BlitzedGrabberX96 Installer.exe	chromedriver.exe
PID 2564 wrote to memory of 2976	2564	BlitzedGrabberX96 Installer.exe	chromedriver.exe
PID 2976 wrote to memory of 2784	2976	chromedriver.exe	csc.exe
PID 2976 wrote to memory of 2784	2976	chromedriver.exe	csc.exe
PID 2976 wrote to memory of 2784	2976	chromedriver.exe	csc.exe
PID 2784 wrote to memory of 1640	2784	csc.exe	cvtres.exe
PID 2784 wrote to memory of 1640	2784	csc.exe	cvtres.exe
PID 2784 wrote to memory of 1640	2784	csc.exe	cvtres.exe
PID 2976 wrote to memory of 2684	2976	chromedriver.exe	WindowsInput.exe
PID 2976 wrote to memory of 2684	2976	chromedriver.exe	WindowsInput.exe
PID 2976 wrote to memory of 2684	2976	chromedriver.exe	WindowsInput.exe
PID 2976 wrote to memory of 1364	2976	chromedriver.exe	chromedriver.exe
PID 2976 wrote to memory of 1364	2976	chromedriver.exe	chromedriver.exe
PID 2976 wrote to memory of 1364	2976	chromedriver.exe	chromedriver.exe
PID 2180 wrote to memory of 2420	2180	taskeng.exe	chromedriver.exe
PID 2180 wrote to memory of 2420	2180	taskeng.exe	chromedriver.exe
PID 2180 wrote to memory of 2420	2180	taskeng.exe	chromedriver.exe
PID 1364 wrote to memory of 540	1364	chromedriver.exe	svchost.exe
PID 1364 wrote to memory of 540	1364	chromedriver.exe	svchost.exe
PID 1364 wrote to memory of 540	1364	chromedriver.exe	svchost.exe
PID 1364 wrote to memory of 540	1364	chromedriver.exe	svchost.exe
PID 540 wrote to memory of 1100	540	svchost.exe	svchost.exe
PID 540 wrote to memory of 1100	540	svchost.exe	svchost.exe
PID 540 wrote to memory of 1100	540	svchost.exe	svchost.exe
PID 540 wrote to memory of 1100	540	svchost.exe	svchost.exe
PID 2712 wrote to memory of 2692	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 2692	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 2692	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1196	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1196	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1196	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1196	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1196	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1196	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1196	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1196	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1196	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1196	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1196	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1196	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1196	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1196	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1196	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1196	2712	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2940

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96.rar"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\7zO8B674A76\BlitzedGrabberX96 Installer.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8B674A76\BlitzedGrabberX96 Installer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File poo.ps1
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Users\Admin\AppData\Local\Temp\chromedriver.exe
"C:\Users\Admin\AppData\Local\Temp\chromedriver.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hb5tn6vd.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DC0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8DBF.tmp"
6⤵
PID:1640

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
5⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2684

C:\ProgramData\Chrome\Plugins\chromedriver.exe
"C:\ProgramData\Chrome\Plugins\chromedriver.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\ProgramData\Chrome\Plugins\chromedriver.exe" 1364 /protectFile
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\ProgramData\Chrome\Plugins\chromedriver.exe" 1364 "/protectFile"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2856

C:\Windows\system32\taskeng.exe
taskeng.exe {2DBE0A76-0775-4DC2-8D68-94BB841EE7DB} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
2⤵
- Executes dropped EXE
PID:2420

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
2⤵
- Executes dropped EXE
PID:1680

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
2⤵
- Executes dropped EXE
PID:2824

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
2⤵
- Executes dropped EXE
PID:2708

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
2⤵
- Executes dropped EXE
PID:344

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
2⤵
- Executes dropped EXE
PID:2572

C:\Program Files\BlitzedGrabberX96\Kyanite.exe
"C:\Program Files\BlitzedGrabberX96\Kyanite.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef69b9758,0x7fef69b9768,0x7fef69b9778
2⤵
PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1296,i,9695471915986490193,7365199033529951468,131072 /prefetch:2
2⤵
PID:1196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1296,i,9695471915986490193,7365199033529951468,131072 /prefetch:8
2⤵
PID:1488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1296,i,9695471915986490193,7365199033529951468,131072 /prefetch:8
2⤵
PID:684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2308 --field-trial-handle=1296,i,9695471915986490193,7365199033529951468,131072 /prefetch:1
2⤵
PID:344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2356 --field-trial-handle=1296,i,9695471915986490193,7365199033529951468,131072 /prefetch:1
2⤵
PID:1136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1212 --field-trial-handle=1296,i,9695471915986490193,7365199033529951468,131072 /prefetch:2
2⤵
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3228 --field-trial-handle=1296,i,9695471915986490193,7365199033529951468,131072 /prefetch:1
2⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3292 --field-trial-handle=1296,i,9695471915986490193,7365199033529951468,131072 /prefetch:8
2⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3600 --field-trial-handle=1296,i,9695471915986490193,7365199033529951468,131072 /prefetch:8
2⤵
PID:2644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3708 --field-trial-handle=1296,i,9695471915986490193,7365199033529951468,131072 /prefetch:8
2⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3868 --field-trial-handle=1296,i,9695471915986490193,7365199033529951468,131072 /prefetch:1
2⤵
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3856 --field-trial-handle=1296,i,9695471915986490193,7365199033529951468,131072 /prefetch:1
2⤵
PID:2824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2464 --field-trial-handle=1296,i,9695471915986490193,7365199033529951468,131072 /prefetch:8
2⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3984 --field-trial-handle=1296,i,9695471915986490193,7365199033529951468,131072 /prefetch:1
2⤵
PID:1944

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2312

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x580
1⤵
PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\BlitzedGrabberX96\Kyanite.exe.config
Filesize
189B

MD5
9dbad5517b46f41dbb0d8780b20ab87e

SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
570121d53ecab80e693bc1081c5a818f

SHA1
ed22c4991ceaba24836a683016be6c0a24a8f28e

SHA256
4ed810f8a6c776a984cc5c7cb87f238544739916b6631978d486cdb323de7bf0

SHA512
fde848a69359838e6151ec673d86773b07bdc0a304b398494044598108571afad83263d29bf232842a98905e822a3321f1570211a9194d36e47c2bc86e729651

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003a
Filesize
17KB

MD5
dd920c06a01e5bb8b09678581e29d56f

SHA1
aaa4a71151f55534d815bebc937ff64915ad9974

SHA256
31ad0482eee7770597b8aa723a80fd041ade0b076679b12293664f1f1777211b

SHA512
859fd3497e508c69d8298c8d365b97ab5d5da21cd2f471e69d4deb306ecf1f0c86347b2c2cfb4fd9fcd6db5b63f3da12d32043150c08ef7197a997379193dcbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
438db939a60a122c9a3616437fb6d588

SHA1
609bee189015f9df7fffce0cf57b5d71d9f5210e

SHA256
820ab9bec698b9f90ee2adb53308c7d37adda24a8e95c8cd2f7b627690c1da49

SHA512
caf66a6329a001d58936c67c9a6ed0f137c2132c26cd37ec00d85b520546dbf8a34ee214c2f30fccdfbbed42ee48c591115de039e62bc92668f024356b02ac6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
b64ebd2d3abf63c1876fa0d4e8c2f38f

SHA1
d5483b1c859426eb83d413dc1ac1c870f7a1e09a

SHA256
f2adbe926a0df08e63095b4001be1f277d86d5b26987b31095d75dae2a7a86fb

SHA512
e70ec7267d269bb073ec6affaeec0c4ecce51fee4de1d972b2f25cb79f7bff2ca7fd2a2ca07e72d315a83ccfbf478e53cd7f77040efa762156898ffd9a7f7501

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
a4ccbd4d283bc6f41e71528c12c18b48

SHA1
9aae5e011cef89e92a3b0f06359ede3cf385ed1d

SHA256
657dee106087a175d2b40378a2488af13499cde92278c6dabce35e57068a4589

SHA512
576c771b27c81ab3054159d9c32fea7c634feff8d3335881bc8a64e395eaa0dc59b88f2fff89717da179d454a5a57b749d2400b79de9491f4ee7c499407bfdec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
853B

MD5
bd9ea165dc6040952b526b2dbd792eed

SHA1
38c2f6b799ce0e85ae28ce1fc6f4ff56c1375081

SHA256
eb2c9b0a136c163c9afb0f3c125f9de652d4214b331ca78a1eb8ec35732a475c

SHA512
4d296ed2c0db38ec953c35e1e5d9dda234a6fb158fb8abb56b6518aac208a8035d9464bd6a69528103daa7704bc329656e0800374d2924da37fa310a7628c066

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
023f53ef02dfc3ad50fef725afd46700

SHA1
a89a87ab144b4ee5bcac8c62674d07d47466f26d

SHA256
71747d3c08c459e3b4aa61260b2f963055ff298fb2d0cce7fe58de159b057ffc

SHA512
9cc2a65b288a63b810a27e2ae8ce4a8913b1d69ecda729b8882bbd9fb80319312ee7be7de18451fc4cc6f58cc31750daa792a6082759b4802d9e46da6ce7349a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
b8c15bdd2e44b0f5e7182112cbd3af35

SHA1
73d1634f08314e74a0044bf47db3e256e04d9886

SHA256
7656a236be2dd11ac23a2551ee3097fc791d293a8cbdc316be5cfcb51e93e88f

SHA512
8a0adf6327a38bb3c44ebc6b20810ad294c8005202e9a2041d6899b4163236ee536f020dca81a5670719bcd787252de6195229338f3cb73a0e2f2f964389b018

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d940e42675e62595d6a5be9d43fc8bf1

SHA1
2a7e0d4618e3238374452f09ae522c14042a4f6d

SHA256
191b4e9ea6858682d22cd6c8b75979a2d7fb2a0849a55a1f2e250b0b6ee958e9

SHA512
2812c2702bb29193a5d91a18ac7a73715b67e4fa4559372004654ef9987b8efc390294cfc4346f4bf7eaf0a2e871345dcc18b6f84d3c8f2f3e3054e83fcb00a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
527B

MD5
a8ed1797a8b2b83eb7589c22d7e0e2cd

SHA1
4c772e8be99e916d286d190263858ac50d1f6edd

SHA256
2d5bc4de1fe1d29491eac7b89e3eccdfe4457e7bcdca2e544a1ecc320b98859a

SHA512
b2c5d96b54f57b925714f4d7655edbac300ac3b5be08c75dfdd05ec5c1f00ed27499437fd54f31b67dc871ec698db1c0c47d3fc078b1f07a5602c61b9969a69a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
fec4cc8c9d706bd76370ab51d0cd5876

SHA1
1f92e4792b6d1b49e49115b267cb86315452f11d

SHA256
4fbf3eb0cd71a33c771b20823142160d757516cb8449b46eaf184a7f065a9a14

SHA512
62d0988818dc749a13b2547d52f99104f87f276a6bf29dd88e9ae2dac6be21c1a12da5e27779f669b2249fd3d77828cde8eb3eb190101b8e851c7c5569218f83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a91ef98e709bd7f1505830607a7c16ba

SHA1
08124d50b65aa3398e60945cc49dfbc16ea399e6

SHA256
c666c312bb741003e689a8e9ba532b4bbfd1bd54bc523ef46830b8d4f6b32fb5

SHA512
69758c17a3f1b704a839b430d19b5543003ada49c8e25efb4ef3cce10195a7ef9a83dd7158fbf5353668c042a92dbceb5ac644d3684e23300519cd2558f45203

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
aae906276dd3b14e177c6e4184610fec

SHA1
4778ce7ba41bc66aad7b7d7fbe545ec4f3f5e503

SHA256
318631cebb7ece089335298ecb002386c4e03bcc871025ef60e418cdd4aa67f2

SHA512
cd49b142e18e70cf92db1f9b023b0062f2895d496747ff4ca5c15ee3f5d3aa8870ff2097d6671237e6a1669dc97286d18f8c880c3780abdebc9e55dc99854ee1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
52840281c6954d8d220ea265c1873b6c

SHA1
fc9f6ef4b84e76dc1ecdc1bb214fdefa69300469

SHA256
cd86ecb0bb7709d0dd6d4a4a795aba4f6bfff527cf7069493256766f57a200d8

SHA512
a6402ecf7a57a47d2e271219b11829079a3f87663a2b05ad43a4d67e28c938c3ad2a1ca2147fc0bd021e4cc2f57422240e6b2e58e8017668a19a32e302cc87a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
bec7b03f18570838b68696ac07ce3dae

SHA1
7e7add1412580cd4aee778aec46748bcc8405d40

SHA256
0bf2bb1b1819351f295e866a228492ca6a687cfbc20146ac900e79a60a255983

SHA512
3363249628dcde45405c57a724acaf1de227b03323b855519ee3cb47c84d1644ca54defec297045cc152b1d0854aecb341d0a4d59dceef192f7c111996dfc19d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d0cb198f755c4ac3463fe8cd5e467609

SHA1
cf5b26d985f0253d0fd35cecc8ab1935b2dc82c0

SHA256
9a25c6e5e471ae6ab82860fbec64c3258c9981ceaa2a595927b964e9ba8ca1bf

SHA512
0d7a294f83a356ade20fb048ecd30f3ca62d385a009e854dee5879d0b1319dfb0b5a31b0c3f8eafbe6b84466555f1a95563ca199ce20c77e2275e5fca8e4f75b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\dcbbef07-5487-42d6-ab45-f3541f811fc4.tmp
Filesize
4KB

MD5
3c30ba04c21707bc7ecf79ea51766770

SHA1
0d771ab962978070e35f62227c555d688348e60a

SHA256
cb37360c5b8787800f17a96dcc3e0f522ff55532debf4dfc9c04dcb9143a3a03

SHA512
80bfb6c752469e75b2c5137f98aeab9b09787e14430d315509eb120d9ee324537e9a7f534be1e0ce5e41cda8aa65b19c8ce2ef08efe9167175ce50bc7f5b3515

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
522f03e0cf75980a46c7cbea55895f9b

SHA1
85702246e90d4e69237556ce5e7f52fbbdaf4f30

SHA256
5dc8296d6425c7f776966a372100fd6c83c7bfbc95d249b825953052f4ef5146

SHA512
22186f46187f99f3f6c1d51d5a63d56fc167a7d0b87bad29e07df9d212b2dde219aa078b89789bb202fa0d68c7c0edc16cc7ca0ea46f4429865abd3d909e1b8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
636a936c67d959b8c652b27ecf2d9385

SHA1
10664ba10a0a13d8aca8b46c3d748a0a31d41d5b

SHA256
4304d281fbef336d8e50f1cae63bf88bcad69d600c3eff42a6989696f95da27b

SHA512
bbb52fb0a203feb7402d505c085e446456c55bfc1b11f8cdbbfbdb3578c70dec8b93fb5b35cc30c16fba21aa44c06e2ccfcbd84d8ef526f6ee6c5471c82b46db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
45e646982818ec91584fdaf8cb649041

SHA1
db8b4e9427e3d78f2f62527b7caba1b6a78cd2e2

SHA256
e21e1ccbe2a25a5cac3113bff4de1d6e9b3383b3e165abb9ae49c10d5adb6dd9

SHA512
96521d0cfcb7de70fbc16e44701fd62c357810e48efa7898c28e399b792ebf6eab44c25464c13c23b13fbc813308db40d5b200ab866a93a6f94966c96bcc48e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
e891b33b192887ea302c858676155be2

SHA1
84bd1dd9f99b0d94f3a07a552f7e0abbe74d7bef

SHA256
4c4b13b5e54d81cdc371326bdf52d8b760e2c7a9a941e6e6ae950e874b21560c

SHA512
ee05c812408132cfa557fb2d4247f1c37fd06dd4230bd980095dba83316084a6dabf4b6ca283042654c7a93304dd8e294eb537d7164cb6e78705878105a2ccec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
795346498990e41f0b1d91b9e3ce75b6

SHA1
c4692b68bbeb852cbf2757fb3eedf7f7e4a92146

SHA256
e75f5a0def515ed6999f9b6e79d20fb35e7a851885f9e1714cad7ec7315d8e1a

SHA512
646176afc1a91a0bddb334bbdcff23aec8f6a743e76fafb386e8a88e519ee4ccdd91e24651836c78f698b7e36a65861df5f5374c42c31008d9dac00f37745177

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
98f2d200134efb34e007d10899f93c8f

SHA1
b8b8cb47f73d8998b90a36486a2ad6b46d2fc167

SHA256
573752f6a4818ecee6d3645a8c4217163e1a4cc5419fc00de30b018ccb4bf066

SHA512
8204a285269350a7ddaa20ab619a6f6d51dc3bfa6eb5fe793e5c4d475b6efb429310c583fbdc019055c89ef6f79f3d06a17278b73cead0279d96c2bdb41f24af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
9d4b6addffcf40312a98f84537c27cfc

SHA1
41781fcec30b0571f434025f9a95bb275e919c2f

SHA256
3b60e3cfaedf9df9d11cf9cf283fce550292f92e85961f2333b952b913df4c2f

SHA512
5db1c4f430d5093d6d885df91282219155b53b84199eaec2d5f1def82c0c2597aaca901c5df99f325a638b14ddf213f06e95a5b70abb7cffe8b977cb92a1637d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
Filesize
2.8MB

MD5
46d8dfadf7f9d90385ab7df71b5adce3

SHA1
99482121b86c790a6f2d732b0a47a1e41922518f

SHA256
7fc18666d83d233def6dd05b7c46851e65753a7e8ab3bc6c76141ed5c0ab7d7c

SHA512
2e133aac3c749a285f5bad25ee34776065607053cff04b84bafa0f01da9409f082de624e6bd422834ce55fbb87c4effa7f84a26766ad961bb73f9b967e1a4dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\poo.ps1
Filesize
35B

MD5
5d792fc7c4e2fd3eb595fce4883dcb2d

SHA1
ee2a88f769ad746f119e144bd06832cb55ef1e0f

SHA256
41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb

SHA512
4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8DC0.tmp
Filesize
1KB

MD5
0abccbdce7a3724004582fc0333f30af

SHA1
814ee203b15d2747e65901dc59df6cf78fca9d4f

SHA256
3d152a11b49aba4b111d984406b34025b911481e31eebed787cfff1c85af7756

SHA512
09e1804509b15e12d3f1adc60c483184acb633da7b84a63e1c064bb79d7990089c00ef5ae018492a9c4a99b068a0ac1c2345d4a35d7b1f3dbc2a1add60120de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar719.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hb5tn6vd.dll
Filesize
76KB

MD5
e54d35b6ebc2e40f30a233cdb4a57446

SHA1
83bd7e69427bf424189336c6ee7b9db6541fe743

SHA256
5e3cf78c38232e841a4057b51080d51cb7e02d790135d4a70fdc230e8c02bf83

SHA512
41a0bbde80708841ec79ef35dfdb9ba88b77baed07ef08b96dca3c6dfbce0e46d14577d72d0cd254a88c78cc6c45def01017a1586d1e9bb05688174a131a83e3

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8DBF.tmp
Filesize
676B

MD5
e19864b7e1f43b346e9c61b1f7515e70

SHA1
80e8c1a74618c210ece6f4b6c237203ab37d1fbb

SHA256
92fd2526c0fefd5e622cc3b7c737588af2af2b56fb5069d852d8a7a617264e4a

SHA512
14167edaec16dff795ad22e443f648af126416aa899ffdfb572acb5294e251824507092d10ef830b4a0316cece6582c5c6a9c16d512e7de25007d39c80132b53

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hb5tn6vd.0.cs
Filesize
208KB

MD5
2b14ae8b54d216abf4d228493ceca44a

SHA1
d134351498e4273e9d6391153e35416bc743adef

SHA256
4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c

SHA512
5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hb5tn6vd.cmdline
Filesize
349B

MD5
00eddeb4b0b39f9b799da5e0d4543be3

SHA1
c755b0ececc8a19b6e748b394dab0386c8d13328

SHA256
ba012a19a586888d6bd55b89c929d283c5674ebc194cd3992a1cc7eaecc2ac27

SHA512
39ce94cb3f28097402c606e9f99226ed9ddcf50d8be6592b3933faacef4f68f89e328d92da0c85f734cb09a823f1aba1a67f19f22e4213d52ece01d234eeb226

Download Submit
\Program Files\BlitzedGrabberX96\APIFOR.DLL
Filesize
13KB

MD5
91b4d211faddb0ebc64fb000d75d96c1

SHA1
ba496c122f8e562ff0a4fb272a68f0b9e7bf0a3c

SHA256
e47ab6fb21bd8943f63d79387533abac0c2bd98245546df44c4f333d8013c4de

SHA512
3f16b0b4618d446d0e42ed2063c611b4ffa72a5b0ff438df5286a216167881737e65d494aa12186e511690eaca2f51c00889c9eae5ab6392c1edf885e5592919

Download Submit
\Program Files\BlitzedGrabberX96\Bunifu_UI_v1.5.3.dll
Filesize
323KB

MD5
e0ef2817ee5a7c8cd1eb837195768bd2

SHA1
426ea1e201c7d3dc3fadce976536edce4cd51bce

SHA256
76e1d3ec95fdef74abaf90392dd6f4aa5e344922abf11e572707287d467f2930

SHA512
5ad95dd7f0e712d543acfe7fd4539695f7e894988c0a2c44231c43e5ee29e743cb1ffe6bdf1fbdbdcfd3aa374f036113bcc6a1befd0114954093520bac47234c

Download Submit
\Program Files\BlitzedGrabberX96\Guna.UI.dll
Filesize
876KB

MD5
6d6a1f28978d42ad2f0a8f278eaac966

SHA1
b09168ec88109422ca29cf4f1b6462d51930873d

SHA256
fb23fa4fca8f28bebe7b7e39593a211cd3c3405de5f948ec520e859b1bcaf91e

SHA512
76ddf88255a9355fc3c781880e23d94206acca4decf5623712411f7a733e91ca9ea37944860401cf9667f10e8c33a087803a4726f91faff1f23e3e0592ddf41d

Download Submit
\Program Files\BlitzedGrabberX96\Guna.UI2.dll
Filesize
1.9MB

MD5
0f07705bd42d86d77dab085c42775244

SHA1
7e4b5c367183f4753a8d610e353c458c3def3888

SHA256
cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443

SHA512
851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0

Download Submit
\Program Files\BlitzedGrabberX96\Kyanite.exe
Filesize
822KB

MD5
7cebe29a86c8bad15bbf7f190ae9c012

SHA1
a035287675af874872753aa813c2e17f712e2ff5

SHA256
808226fbf400593c702b5efe774290f0d2787d2a3fb25d0359cb3ca72a9b2b44

SHA512
add343a62e77af49870386a3d5f8976ab53bdc2b2d7820ce735238db806b95e06e111a99114b8ea5c0dd74ee38a58466a79255705c3b3b0a7746eea4beabedbe

Download Submit
\Program Files\BlitzedGrabberX96\Login Theme.dll
Filesize
102KB

MD5
34b9583b485e101ebbd9fd100699eab0

SHA1
63a8ed0e336f7ade8664c8ecff81eb473f9d4d05

SHA256
8879dcfb480f0b3c47414eef8ec50d57f13c6c0895644000b17a38e465896d7a

SHA512
467dea806fb1746a8eae12cf2d7cc7029a0a237790904c49fe22d809cfc582a81537bd6cb4c0fe1a34bce259bf20609924a0cc62b5335ed6d279ee26c1baa30e

Download Submit
\Program Files\BlitzedGrabberX96\Siticone.UI.dll
Filesize
1.6MB

MD5
ea797152ded4478107c08a9c9c28b454

SHA1
f28104d7099cca08ab84bf1ad1acb9233cbf116f

SHA256
c435f969a0150ec46e8f2414615e7cb1670322650fb632443ac9f0a146a98c14

SHA512
65d7a52243f46be4a5a4e82b0b5771be17efc7404411df9aaf95ecb4450699a5989fbed2f160b1ae917d04f6f3d71f172ad4bdaf238e37300780a781d13450ed

Download Submit
\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
Filesize
155KB

MD5
69bef95f8029651ff546b59544d3d6cd

SHA1
a8cf6d690064e6bdeeb4d68f4f5180eb7c4bb8b9

SHA256
0cb43f43e81730a4a92874911ac39420954174c7fd9b1faea8e891e9b814f8ac

SHA512
b3a4ac7268307a453eb903d0bc75939c9ba05f0c121fcbda0340e037ee8c7a9af1f11b212dfc6e41dea870e2005fc6896430fe84bbe360e96f75b91f459b710e

Download Submit
\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
Filesize
136KB

MD5
9af5eb006bb0bab7f226272d82c896c7

SHA1
c2a5bb42a5f08f4dc821be374b700652262308f0

SHA256
77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db

SHA512
7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

Download Submit
memory/540-115-0x0000000000290000-0x0000000000298000-memory.dmp

Filesize
32KB

Download
memory/1364-103-0x00000000006D0000-0x000000000071E000-memory.dmp

Filesize
312KB

Download
memory/1364-105-0x0000000000D80000-0x0000000000D90000-memory.dmp

Filesize
64KB

Download
memory/1364-102-0x00000000010E0000-0x00000000011CC000-memory.dmp

Filesize
944KB

Download
memory/1364-104-0x00000000009A0000-0x00000000009B8000-memory.dmp

Filesize
96KB

Download
memory/2188-168-0x00000000013A0000-0x0000000001474000-memory.dmp

Filesize
848KB

Download
memory/2188-216-0x0000000074800000-0x0000000074837000-memory.dmp

Filesize
220KB

Download
memory/2188-193-0x00000000058D0000-0x0000000005A78000-memory.dmp

Filesize
1.7MB

Download
memory/2188-189-0x0000000000C30000-0x0000000000C72000-memory.dmp

Filesize
264KB

Download
memory/2188-188-0x0000000005450000-0x0000000005530000-memory.dmp

Filesize
896KB

Download
memory/2188-184-0x00000000003F0000-0x0000000000412000-memory.dmp

Filesize
136KB

Download
memory/2188-180-0x0000000073D00000-0x0000000073D80000-memory.dmp

Filesize
512KB

Download
memory/2188-179-0x0000000074870000-0x00000000748A7000-memory.dmp

Filesize
220KB

Download
memory/2188-172-0x0000000004E30000-0x0000000005022000-memory.dmp

Filesize
1.9MB

Download
memory/2188-220-0x0000000000BC0000-0x0000000000BDA000-memory.dmp

Filesize
104KB

Download
memory/2188-215-0x0000000074870000-0x00000000748A7000-memory.dmp

Filesize
220KB

Download
memory/2188-200-0x0000000074800000-0x0000000074837000-memory.dmp

Filesize
220KB

Download
memory/2188-219-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/2512-57-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2512-56-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2564-35-0x00000000012A0000-0x000000000173A000-memory.dmp

Filesize
4.6MB

Download
memory/2684-89-0x0000000001050000-0x000000000105C000-memory.dmp

Filesize
48KB

Download
memory/2976-81-0x0000000000A40000-0x0000000000A48000-memory.dmp

Filesize
32KB

Download
memory/2976-80-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2976-78-0x000000001AEC0000-0x000000001AED6000-memory.dmp

Filesize
88KB

Download
memory/2976-65-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/2976-64-0x00000000022B0000-0x000000000230C000-memory.dmp

Filesize
368KB

Download