orcus | 471b1264bcc332dcfa69187ff322df257d039bc2503765fec497b3b5fdbda0e9

Analysis

max time kernel
1123s
max time network
1801s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlitzedGrabberX96/BlitzedGrabberX96 Installer.exe
Size

922.0MB
MD5

579579c7f692ec28c4b198f6dd30f372
SHA1

5eeeaf129ba78eec60d3a5cdb16d3d31eeb4a015
SHA256

245806b93b9d8c782086ddd542a45e3f8920031ef450335c18fe2402b963b365
SHA512

18ff96211d56d076c3b1ee29d18591cdc483761ddf0284dba26a6751d91db595d65500c0d3a5a92cc3c1512c53dad42fc8ee6d9d0a4b51a1789453c7eaecb31c
SSDEEP

49152:p9sij7wmgm0JRjaXUVPJUdDrAZY6DQAJE8lIZCmT3KxX9xtARkN2AWUoWHF08xGw:Mij7wgEVPJU+ZHDPtqn3QjtAFIFKIz

Score

10^/10

orcus agilenet execution persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

209.25.141.181:40489

Mutex

690c4574d03b45e4b89aa16b415b7baf

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programdata%\Chrome\Plugins\chromedriver.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
svchost
watchdog_path
AppData\svchost.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

Processes:

resource	yara_rule
behavioral19/memory/1492-71-0x0000000001200000-0x00000000012EC000-memory.dmp	orcus

Executes dropped EXE 13 IoCs

Processes:

BlitzedGrabberX96 Install.exeUnityCrashHandler.EXEchromedriver.exeWindowsInput.exeWindowsInput.exechromedriver.exechromedriver.exesvchost.exesvchost.exechromedriver.exechromedriver.exeKyanite.exechromedriver.exe

pid	process
1184	BlitzedGrabberX96 Install.exe
2568	UnityCrashHandler.EXE
2356	chromedriver.exe
2720	WindowsInput.exe
2912	WindowsInput.exe
1492	chromedriver.exe
1316	chromedriver.exe
1304	svchost.exe
2088	svchost.exe
2356	chromedriver.exe
2424	chromedriver.exe
572	Kyanite.exe
2052	chromedriver.exe

Loads dropped DLL 33 IoCs

Processes:

BlitzedGrabberX96 Installer.exeBlitzedGrabberX96 Install.exeKyanite.exe

pid	process
2380	BlitzedGrabberX96 Installer.exe
1184	BlitzedGrabberX96 Install.exe
1184	BlitzedGrabberX96 Install.exe
1184	BlitzedGrabberX96 Install.exe
1184	BlitzedGrabberX96 Install.exe
1184	BlitzedGrabberX96 Install.exe
1184	BlitzedGrabberX96 Install.exe
1184	BlitzedGrabberX96 Install.exe
1184	BlitzedGrabberX96 Install.exe
1184	BlitzedGrabberX96 Install.exe
1184	BlitzedGrabberX96 Install.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe
572	Kyanite.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
\Program Files\BlitzedGrabberX96\Guna.UI2.dll	agile_net
behavioral19/memory/572-139-0x0000000004DB0000-0x0000000004FA2000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

UnityCrashHandler.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	UnityCrashHandler.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

58 raw.githubusercontent.com
59 raw.githubusercontent.com
142 discord.com
143 discord.com

flow	ioc
58	raw.githubusercontent.com
59	raw.githubusercontent.com
142	discord.com
143	discord.com

Drops file in System32 directory 3 IoCs

Processes:

chromedriver.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	chromedriver.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	chromedriver.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 8 IoCs

Processes:

BlitzedGrabberX96 Install.exe

description	ioc	process
File created	C:\Program Files\BlitzedGrabberX96\Kyanite.exe.config	BlitzedGrabberX96 Install.exe
File created	C:\Program Files\BlitzedGrabberX96\Login Theme.dll	BlitzedGrabberX96 Install.exe
File created	C:\Program Files\BlitzedGrabberX96\Siticone.UI.dll	BlitzedGrabberX96 Install.exe
File created	C:\Program Files\BlitzedGrabberX96\APIFOR.DLL	BlitzedGrabberX96 Install.exe
File created	C:\Program Files\BlitzedGrabberX96\Bunifu_UI_v1.5.3.dll	BlitzedGrabberX96 Install.exe
File created	C:\Program Files\BlitzedGrabberX96\Guna.UI.dll	BlitzedGrabberX96 Install.exe
File created	C:\Program Files\BlitzedGrabberX96\Guna.UI2.dll	BlitzedGrabberX96 Install.exe
File created	C:\Program Files\BlitzedGrabberX96\Kyanite.exe	BlitzedGrabberX96 Install.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2636 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exesvchost.exechromedriver.exe

pid	process
2636	powershell.exe
2088	svchost.exe
2088	svchost.exe
2088	svchost.exe
1492	chromedriver.exe
1492	chromedriver.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe
1492	chromedriver.exe
2088	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

BlitzedGrabberX96 Install.exechromedriver.exe

pid process

1184 BlitzedGrabberX96 Install.exe
1492 chromedriver.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exechromedriver.exesvchost.exesvchost.exeAUDIODG.EXEKyanite.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1492	chromedriver.exe
Token: SeDebugPrivilege	1304	svchost.exe
Token: SeDebugPrivilege	2088	svchost.exe
Token: 33	2396	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2396	AUDIODG.EXE
Token: 33	2396	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2396	AUDIODG.EXE
Token: SeDebugPrivilege	572	Kyanite.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

BlitzedGrabberX96 Install.exechromedriver.exeKyanite.exe

pid process

1184 BlitzedGrabberX96 Install.exe
1184 BlitzedGrabberX96 Install.exe
1492 chromedriver.exe
572 Kyanite.exe
572 Kyanite.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BlitzedGrabberX96 Installer.exeUnityCrashHandler.EXEchromedriver.execsc.exetaskeng.exechromedriver.exesvchost.exeKyanite.exechrome.exe

description	pid	process	target process
PID 2380 wrote to memory of 1184	2380	BlitzedGrabberX96 Installer.exe	BlitzedGrabberX96 Install.exe
PID 2380 wrote to memory of 1184	2380	BlitzedGrabberX96 Installer.exe	BlitzedGrabberX96 Install.exe
PID 2380 wrote to memory of 1184	2380	BlitzedGrabberX96 Installer.exe	BlitzedGrabberX96 Install.exe
PID 2380 wrote to memory of 1184	2380	BlitzedGrabberX96 Installer.exe	BlitzedGrabberX96 Install.exe
PID 2380 wrote to memory of 1184	2380	BlitzedGrabberX96 Installer.exe	BlitzedGrabberX96 Install.exe
PID 2380 wrote to memory of 1184	2380	BlitzedGrabberX96 Installer.exe	BlitzedGrabberX96 Install.exe
PID 2380 wrote to memory of 1184	2380	BlitzedGrabberX96 Installer.exe	BlitzedGrabberX96 Install.exe
PID 2380 wrote to memory of 2568	2380	BlitzedGrabberX96 Installer.exe	UnityCrashHandler.EXE
PID 2380 wrote to memory of 2568	2380	BlitzedGrabberX96 Installer.exe	UnityCrashHandler.EXE
PID 2380 wrote to memory of 2568	2380	BlitzedGrabberX96 Installer.exe	UnityCrashHandler.EXE
PID 2568 wrote to memory of 2636	2568	UnityCrashHandler.EXE	powershell.exe
PID 2568 wrote to memory of 2636	2568	UnityCrashHandler.EXE	powershell.exe
PID 2568 wrote to memory of 2636	2568	UnityCrashHandler.EXE	powershell.exe
PID 2380 wrote to memory of 2356	2380	BlitzedGrabberX96 Installer.exe	chromedriver.exe
PID 2380 wrote to memory of 2356	2380	BlitzedGrabberX96 Installer.exe	chromedriver.exe
PID 2380 wrote to memory of 2356	2380	BlitzedGrabberX96 Installer.exe	chromedriver.exe
PID 2356 wrote to memory of 2420	2356	chromedriver.exe	csc.exe
PID 2356 wrote to memory of 2420	2356	chromedriver.exe	csc.exe
PID 2356 wrote to memory of 2420	2356	chromedriver.exe	csc.exe
PID 2420 wrote to memory of 2596	2420	csc.exe	cvtres.exe
PID 2420 wrote to memory of 2596	2420	csc.exe	cvtres.exe
PID 2420 wrote to memory of 2596	2420	csc.exe	cvtres.exe
PID 2356 wrote to memory of 2720	2356	chromedriver.exe	WindowsInput.exe
PID 2356 wrote to memory of 2720	2356	chromedriver.exe	WindowsInput.exe
PID 2356 wrote to memory of 2720	2356	chromedriver.exe	WindowsInput.exe
PID 2356 wrote to memory of 1492	2356	chromedriver.exe	chromedriver.exe
PID 2356 wrote to memory of 1492	2356	chromedriver.exe	chromedriver.exe
PID 2356 wrote to memory of 1492	2356	chromedriver.exe	chromedriver.exe
PID 2384 wrote to memory of 1316	2384	taskeng.exe	chromedriver.exe
PID 2384 wrote to memory of 1316	2384	taskeng.exe	chromedriver.exe
PID 2384 wrote to memory of 1316	2384	taskeng.exe	chromedriver.exe
PID 1492 wrote to memory of 1304	1492	chromedriver.exe	svchost.exe
PID 1492 wrote to memory of 1304	1492	chromedriver.exe	svchost.exe
PID 1492 wrote to memory of 1304	1492	chromedriver.exe	svchost.exe
PID 1492 wrote to memory of 1304	1492	chromedriver.exe	svchost.exe
PID 1304 wrote to memory of 2088	1304	svchost.exe	svchost.exe
PID 1304 wrote to memory of 2088	1304	svchost.exe	svchost.exe
PID 1304 wrote to memory of 2088	1304	svchost.exe	svchost.exe
PID 1304 wrote to memory of 2088	1304	svchost.exe	svchost.exe
PID 2384 wrote to memory of 2356	2384	taskeng.exe	chromedriver.exe
PID 2384 wrote to memory of 2356	2384	taskeng.exe	chromedriver.exe
PID 2384 wrote to memory of 2356	2384	taskeng.exe	chromedriver.exe
PID 2384 wrote to memory of 2424	2384	taskeng.exe	chromedriver.exe
PID 2384 wrote to memory of 2424	2384	taskeng.exe	chromedriver.exe
PID 2384 wrote to memory of 2424	2384	taskeng.exe	chromedriver.exe
PID 572 wrote to memory of 2220	572	Kyanite.exe	csc.exe
PID 572 wrote to memory of 2220	572	Kyanite.exe	csc.exe
PID 572 wrote to memory of 2220	572	Kyanite.exe	csc.exe
PID 572 wrote to memory of 2220	572	Kyanite.exe	csc.exe
PID 2332 wrote to memory of 2680	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2680	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2680	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2380	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2380	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2380	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2380	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2380	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2380	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2380	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2380	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2380	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2380	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2380	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2380	2332	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1184

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File poo.ps1
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Users\Admin\AppData\Local\Temp\chromedriver.exe
"C:\Users\Admin\AppData\Local\Temp\chromedriver.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gld7wssg.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B9B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3B9A.tmp"
4⤵
PID:2596

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2720

C:\ProgramData\Chrome\Plugins\chromedriver.exe
"C:\ProgramData\Chrome\Plugins\chromedriver.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\ProgramData\Chrome\Plugins\chromedriver.exe" 1492 /protectFile
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\ProgramData\Chrome\Plugins\chromedriver.exe" 1492 "/protectFile"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\system32\taskeng.exe
taskeng.exe {D54F50DB-6476-4FC3-8B3D-6BE94CF1A994} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
2⤵
- Executes dropped EXE
PID:1316

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
2⤵
- Executes dropped EXE
PID:2356

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
2⤵
- Executes dropped EXE
PID:2424

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
2⤵
- Executes dropped EXE
PID:2052

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
2⤵
PID:1252

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
2⤵
PID:1340

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:868

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x58c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Program Files\BlitzedGrabberX96\Kyanite.exe
"C:\Program Files\BlitzedGrabberX96\Kyanite.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4wr4rqgu\4wr4rqgu.cmdline"
2⤵
PID:2220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\foaha4td\foaha4td.cmdline"
2⤵
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lpfwe3pw\lpfwe3pw.cmdline"
2⤵
PID:668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4259758,0x7fef4259768,0x7fef4259778
2⤵
PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1200 --field-trial-handle=1228,i,2263879075740319480,5835046317293487254,131072 /prefetch:2
2⤵
PID:2380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1464 --field-trial-handle=1228,i,2263879075740319480,5835046317293487254,131072 /prefetch:8
2⤵
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1228,i,2263879075740319480,5835046317293487254,131072 /prefetch:8
2⤵
PID:2504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2340 --field-trial-handle=1228,i,2263879075740319480,5835046317293487254,131072 /prefetch:1
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2372 --field-trial-handle=1228,i,2263879075740319480,5835046317293487254,131072 /prefetch:1
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1492 --field-trial-handle=1228,i,2263879075740319480,5835046317293487254,131072 /prefetch:2
2⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3200 --field-trial-handle=1228,i,2263879075740319480,5835046317293487254,131072 /prefetch:1
2⤵
PID:2004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3332 --field-trial-handle=1228,i,2263879075740319480,5835046317293487254,131072 /prefetch:8
2⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3580 --field-trial-handle=1228,i,2263879075740319480,5835046317293487254,131072 /prefetch:8
2⤵
PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3740 --field-trial-handle=1228,i,2263879075740319480,5835046317293487254,131072 /prefetch:8
2⤵
PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2052 --field-trial-handle=1228,i,2263879075740319480,5835046317293487254,131072 /prefetch:1
2⤵
PID:2668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 --field-trial-handle=1228,i,2263879075740319480,5835046317293487254,131072 /prefetch:8
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\BlitzedGrabberX96\Kyanite.exe.config
Filesize
189B

MD5
9dbad5517b46f41dbb0d8780b20ab87e

SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
26615d4411b7037cb6ecfc257eafb74d

SHA1
6953bd0b58954f44f8779e1f8ef6a9d8fb186dd0

SHA256
d9e4de4de741a171188a5f91da300dff126a5f56e17d45afeb7e4bcf23f522d0

SHA512
b6b90044bd4d191ee72e4516f39dad17d5019ae4bc13cd15959c8b89fcd6f9e648f7ea9cf6143d3fc7380c84fcee5755dfb36c3dfecdee26192571fd2b6f335a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4141ab7403e964c5c3b7215f01471e7e

SHA1
85867e3b2f951fb4b72822d81e45f7a7d50b19f8

SHA256
1b22b1a2cd729b493e40076356e72894a484a0f3f1621ff4eb5859f81be99dab

SHA512
7e4af512332cd2600480c8cb64dedaa3855bcf969d37d57b14dc1d0559f0191606e0cd03e057e4d925530dc300956fa43c1b3eff9bf8057b0b28a14fb1fd2974

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
862819edfc8e37c8a33956c259900afe

SHA1
313b477cf6bccc8a5ea8cfa94bb16934204c7ee0

SHA256
6dcf542155bd3e1e63a0ab77d293e76a2b7642fc467f5de207fc743524ef94eb

SHA512
c24d77fed3aca2d01cf10052790e58d6eae0a56b3704bee89940a18510a62c529dc5b5832912f1d01da9692050f4689ec931ece168fb83938c401b70f800a6e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
11fd3a91caebd00e7a1453932efc6603

SHA1
0b1d52545f890d9b7c739216e23a6ac15deb7244

SHA256
e1b83123c2b49c2c3b6989f25561c612dfcb1ffae0930a519a863ec3a31f8a06

SHA512
e144e6d9b1affba95d0be7bbd85eaff6973beec996cd734c803b03976effb72faee13ee78c54ebe8a2aa89031759ad66a4fc82d35e2a3e0a163aac15e8de632b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ab3009fdcc1e00bfbd51ff965613c284

SHA1
ba5f21ce8f3951de137c1357e3dd9280bea9bf1a

SHA256
0ab024cf1f6d55ca266c6335b4fa00c87d3b93c5209c1704e7036896940a20c8

SHA512
dd79bcc5aef68c888a15aa15df54fbafd36e5699d0b36d69ea80b7402c6100607d6c4baa6852ca5e5e26f3d8237701a749da3b72832c03630445b39d73d97088

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
36ebffe78a26cf8f08fb57542da6fdbd

SHA1
8ab2cb0d900c0bc5e791deed49dd2fad52dc1554

SHA256
be9f7dcdc6793cae3d7797a20569f31551c87d60101c9041adaf4c37c389de51

SHA512
f9bc138b1d33b7d8c5ac8f9a6982352988384c40ed6896e96d7d9ac3a01bca79908d52efa091b542e9f82d6028df1e067bc90926c47c0272b2e7b042248a3ca5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fc6f31bee5f4c2885a61e1e09b7db016

SHA1
bf5a6d72870b06f84e219ccbe2ff703d1def0f5e

SHA256
976108ed24927d859ac3289b6067cc4d506f9501833f7d9e1d082d369c350033

SHA512
f4428be83b1dc83940f770436f1681c210a2838516e4d387bbf1b141718cad30c82524a5e544c19a86711be163d54d30224bfd87b2967452da8e08672ce053f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
35a530ec781f2c470a84907e3daa16bb

SHA1
d923be5fea21f66528d022b4bbb451bf3b4ac022

SHA256
7cb773f05f9cb5a90a31f7563af95427b548ecdd2ed77c25a70426ba6bd63e5e

SHA512
54b784e22ce430e3cd5b7aa437bb7fadca3fa4ebfbf505671c525b5715ca78a0736f0ac73db487a86912e482a2a0c6a84d378b1d3c8571540c8fc972c60c6edd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
312B

MD5
36abc199bfa3590b72770818d2490b85

SHA1
d6a5962221597be6cb43f1b9b2abeeaf4b8276ed

SHA256
85c5866f45397f16c75bb9c0ac1790244baf7ab88309ce739bb929d4ec9e8eaa

SHA512
7834afdf325b2ca2481f626fa1824365b5ca7b426fd3b6075710c14e5c0b306ced2572e8deab7e1ab17f73bb0a452db1ddedc04935ab68ebd2b5c7f03eb590ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
650a49c8ce266ccfe04bd73e5bf46d40

SHA1
5fa72a8a3dd1c3acce64f5d9b92239adad23ff9f

SHA256
12f27dca5c4dbe5cd2a8a0a623292f8c797d341486c98da5ba8e24d8e1ffcb6d

SHA512
65a0e204b93df9935da5345b4fe61302807e5d335dfc81cd19172de86065c930172b035ff3a8f6e0dbf47c9cf3e34521d5d7f782b19f106f6c03060c867034b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
361B

MD5
26025ba3177111a939b221efccecfd47

SHA1
6d5bee74a668260829ef953a40cac8f5eaaf4205

SHA256
377de2ddc2dc5568e2301b12dfea1fea3144278e18b75fe1288ff04011437d0a

SHA512
766cbb56c76dacd37c4cad681a583388f2d1f66062fe30122416ae0aa6c4c48a117a217e4dd9390864462dcb232699bd592d0fdb20ba693c571514cb29a6fdce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
4edfcf2f015487292aa0a7bd9cb670da

SHA1
316a5e20dc46bb3d2ee8ef4b15ef262be59598b3

SHA256
c06d85022e3e07b4184b1155c90d79f5719a490ac97e2709a4d6ef0e9e02499c

SHA512
6405b72290f31cfc4836c8666480f018009ce0fbf18a6711ff72e005454ee32b3397a9cc618962353c112219dc8b52b3a67dcfd492d3bc25d4982a1ba4453440

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
bd6f30ae1bf8e7e3ae0131d753f4286d

SHA1
b4ebe7f397eb3e5b0e2d30e77d3e20d89b0ad54f

SHA256
b282e9161733aa0ac7bb8f6adc37886aa3ad5798183a6cc56565615baa390dae

SHA512
557067e064147fa23b50513a4d9bec32eabfbd4fb94b5eb22cfd30bb346c4aab4402fc850377aac5f212cb366d3871f73393bb74c8d6e39a8caa06fa067a2609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
2abf889435c7a68b4546b194602196ae

SHA1
85debb9493568f57b57f950e53c0f0789884ec2c

SHA256
a8e3c23e5b98e20ba0ef07fbe6b4b5ed4fd35bae2cf631717ead8356ab4a0aef

SHA512
867890e86e24a1791d0be4a55563f66fca72c389931091c5cdb541df7205c3cf210ae3de92e0f953d28f7efd7e2573b5c4feb39e8fcb6e8e68c8fc020246ae7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
Filesize
2.8MB

MD5
46d8dfadf7f9d90385ab7df71b5adce3

SHA1
99482121b86c790a6f2d732b0a47a1e41922518f

SHA256
7fc18666d83d233def6dd05b7c46851e65753a7e8ab3bc6c76141ed5c0ab7d7c

SHA512
2e133aac3c749a285f5bad25ee34776065607053cff04b84bafa0f01da9409f082de624e6bd422834ce55fbb87c4effa7f84a26766ad961bb73f9b967e1a4dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBC8E.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\poo.ps1
Filesize
35B

MD5
5d792fc7c4e2fd3eb595fce4883dcb2d

SHA1
ee2a88f769ad746f119e144bd06832cb55ef1e0f

SHA256
41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb

SHA512
4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3B9B.tmp
Filesize
1KB

MD5
eb7ce72813c2985571acf6063b20bf71

SHA1
9e2b981faceeb13b41a453becec8b795103ed51b

SHA256
ff675de1b5a18f1ad2bbd5308bbc0981853f2cce5f7ad8ed1a850a7b3bd60834

SHA512
a75ac158a9942fa5724b8e73af62a9a642ac2260fed391f0577492ed17e46e9d93deda653db9c503d937e750cc3bcf82a26fe70f6286b37c572c8b1740b00d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBD5B.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBDF2.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
Filesize
136KB

MD5
9af5eb006bb0bab7f226272d82c896c7

SHA1
c2a5bb42a5f08f4dc821be374b700652262308f0

SHA256
77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db

SHA512
7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gld7wssg.dll
Filesize
76KB

MD5
e58ccf237b600dbdcd1eb0b9d5b0e5ea

SHA1
6ea4dae01bdf676b1007cd16983e922e6e02e265

SHA256
a025f928f5cb5ce78c7055f087a3b3d1cdce20cfd64c0a9d121ce4a47f5ef162

SHA512
fc367600ddf65d9c6ecaef6c917049e40dcacd74491f0139a00800e23bd1e204e5a2c78ce4cad2ee4bfc5baa6adb31dc45d6d1030b8fd82dfaaa11e1e9869cbc

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4wr4rqgu\4wr4rqgu.cmdline
Filesize
482B

MD5
6cb336f02bdb2f31223bb1965039dfc3

SHA1
17b7bf5085b09cb673a95c1a1d420ca2d459ad6f

SHA256
4566c03a717cc12399acd66a3c69ed5d26acaeea9b54a402189c94e707a508fc

SHA512
b08240fe711d53a182ee75f258eeb957e6c1e8520db69f62a9af6e4e75c3547282e604a222f89a82fec730ab7eebf38575c0c6e4685fb334926eb5a7cb2f56ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3B9A.tmp
Filesize
676B

MD5
7c720d4d54de4ca7c68368cc30c49b93

SHA1
9ea7c07c76a5d9bf20de9fe0a7615ffdf982ccd4

SHA256
8755b86fa3c95772e4e1b994f8146a7334521c3627677fdc4f21784f81d0e0ed

SHA512
e8a0673d2139353f123cf6483e1623ce42bc0392807421a32ec965fb419ba1678f2e2cfda9d306e47611c8235c12651df45d530de851767c225259ab3e173e2b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gld7wssg.0.cs
Filesize
208KB

MD5
a873d9a6ab5a74f14f1df2db83eac798

SHA1
28f6418c0def0eea4a4acf75682d99fd4f9dc6b1

SHA256
a5ac54289ab068741c99b6e2a286ffebf1221643315089316dda870e21151da3

SHA512
d21e556c95e520ba41910486ffeabd26b23fd49403bc798fd5863d16f24b8f045d4ba3fb78ddbbd8341e31eadd59f8cd2b4c4e6835f0ea8e797d8e447a235aae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gld7wssg.cmdline
Filesize
349B

MD5
73b1eda9855d119bc55ee45b93de54cf

SHA1
cbdb1a24b04f079d50ca6c3f3d26ad335fd2e448

SHA256
eb7f7566480e71fc89b1de5df00b8333bf67157c4e66708766a50749e5d4855b

SHA512
128d9b3567f943629bbfe75367433c69789b8c8e13a53a8475486d0b630d9e5d28579adb210fa9203df27925ac2ac22df0dd6ece0776309754ae253c5cb0ac6e

Download Submit
\Program Files\BlitzedGrabberX96\APIFOR.DLL
Filesize
13KB

MD5
91b4d211faddb0ebc64fb000d75d96c1

SHA1
ba496c122f8e562ff0a4fb272a68f0b9e7bf0a3c

SHA256
e47ab6fb21bd8943f63d79387533abac0c2bd98245546df44c4f333d8013c4de

SHA512
3f16b0b4618d446d0e42ed2063c611b4ffa72a5b0ff438df5286a216167881737e65d494aa12186e511690eaca2f51c00889c9eae5ab6392c1edf885e5592919

Download Submit
\Program Files\BlitzedGrabberX96\Bunifu_UI_v1.5.3.dll
Filesize
323KB

MD5
e0ef2817ee5a7c8cd1eb837195768bd2

SHA1
426ea1e201c7d3dc3fadce976536edce4cd51bce

SHA256
76e1d3ec95fdef74abaf90392dd6f4aa5e344922abf11e572707287d467f2930

SHA512
5ad95dd7f0e712d543acfe7fd4539695f7e894988c0a2c44231c43e5ee29e743cb1ffe6bdf1fbdbdcfd3aa374f036113bcc6a1befd0114954093520bac47234c

Download Submit
\Program Files\BlitzedGrabberX96\Guna.UI.dll
Filesize
876KB

MD5
6d6a1f28978d42ad2f0a8f278eaac966

SHA1
b09168ec88109422ca29cf4f1b6462d51930873d

SHA256
fb23fa4fca8f28bebe7b7e39593a211cd3c3405de5f948ec520e859b1bcaf91e

SHA512
76ddf88255a9355fc3c781880e23d94206acca4decf5623712411f7a733e91ca9ea37944860401cf9667f10e8c33a087803a4726f91faff1f23e3e0592ddf41d

Download Submit
\Program Files\BlitzedGrabberX96\Guna.UI2.dll
Filesize
1.9MB

MD5
0f07705bd42d86d77dab085c42775244

SHA1
7e4b5c367183f4753a8d610e353c458c3def3888

SHA256
cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443

SHA512
851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0

Download Submit
\Program Files\BlitzedGrabberX96\Kyanite.exe
Filesize
822KB

MD5
7cebe29a86c8bad15bbf7f190ae9c012

SHA1
a035287675af874872753aa813c2e17f712e2ff5

SHA256
808226fbf400593c702b5efe774290f0d2787d2a3fb25d0359cb3ca72a9b2b44

SHA512
add343a62e77af49870386a3d5f8976ab53bdc2b2d7820ce735238db806b95e06e111a99114b8ea5c0dd74ee38a58466a79255705c3b3b0a7746eea4beabedbe

Download Submit
\Program Files\BlitzedGrabberX96\Login Theme.dll
Filesize
102KB

MD5
34b9583b485e101ebbd9fd100699eab0

SHA1
63a8ed0e336f7ade8664c8ecff81eb473f9d4d05

SHA256
8879dcfb480f0b3c47414eef8ec50d57f13c6c0895644000b17a38e465896d7a

SHA512
467dea806fb1746a8eae12cf2d7cc7029a0a237790904c49fe22d809cfc582a81537bd6cb4c0fe1a34bce259bf20609924a0cc62b5335ed6d279ee26c1baa30e

Download Submit
\Program Files\BlitzedGrabberX96\Siticone.UI.dll
Filesize
1.6MB

MD5
ea797152ded4478107c08a9c9c28b454

SHA1
f28104d7099cca08ab84bf1ad1acb9233cbf116f

SHA256
c435f969a0150ec46e8f2414615e7cb1670322650fb632443ac9f0a146a98c14

SHA512
65d7a52243f46be4a5a4e82b0b5771be17efc7404411df9aaf95ecb4450699a5989fbed2f160b1ae917d04f6f3d71f172ad4bdaf238e37300780a781d13450ed

Download Submit
\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
Filesize
155KB

MD5
69bef95f8029651ff546b59544d3d6cd

SHA1
a8cf6d690064e6bdeeb4d68f4f5180eb7c4bb8b9

SHA256
0cb43f43e81730a4a92874911ac39420954174c7fd9b1faea8e891e9b814f8ac

SHA512
b3a4ac7268307a453eb903d0bc75939c9ba05f0c121fcbda0340e037ee8c7a9af1f11b212dfc6e41dea870e2005fc6896430fe84bbe360e96f75b91f459b710e

Download Submit
memory/572-146-0x00000000743F0000-0x0000000074470000-memory.dmp

Filesize
512KB

Download
memory/572-139-0x0000000004DB0000-0x0000000004FA2000-memory.dmp

Filesize
1.9MB

Download
memory/572-156-0x0000000001170000-0x00000000011B2000-memory.dmp

Filesize
264KB

Download
memory/572-167-0x0000000073F90000-0x0000000073FC7000-memory.dmp

Filesize
220KB

Download
memory/572-147-0x00000000741F0000-0x0000000074227000-memory.dmp

Filesize
220KB

Download
memory/572-189-0x00000000741F0000-0x0000000074227000-memory.dmp

Filesize
220KB

Download
memory/572-160-0x0000000005810000-0x00000000059B8000-memory.dmp

Filesize
1.7MB

Download
memory/572-151-0x0000000000A60000-0x0000000000A82000-memory.dmp

Filesize
136KB

Download
memory/572-190-0x0000000073F90000-0x0000000073FC7000-memory.dmp

Filesize
220KB

Download
memory/572-135-0x00000000012F0000-0x00000000013C4000-memory.dmp

Filesize
848KB

Download
memory/572-857-0x00000000741F0000-0x0000000074227000-memory.dmp

Filesize
220KB

Download
memory/572-758-0x00000000011B0000-0x00000000011BA000-memory.dmp

Filesize
40KB

Download
memory/572-155-0x0000000005330000-0x0000000005410000-memory.dmp

Filesize
896KB

Download
memory/572-759-0x00000000011C0000-0x00000000011DA000-memory.dmp

Filesize
104KB

Download
memory/1304-84-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/1492-71-0x0000000001200000-0x00000000012EC000-memory.dmp

Filesize
944KB

Download
memory/1492-74-0x0000000000760000-0x0000000000770000-memory.dmp

Filesize
64KB

Download
memory/1492-73-0x0000000000730000-0x0000000000748000-memory.dmp

Filesize
96KB

Download
memory/1492-72-0x0000000000500000-0x000000000054E000-memory.dmp

Filesize
312KB

Download
memory/2356-46-0x0000000002060000-0x0000000002076000-memory.dmp

Filesize
88KB

Download
memory/2356-33-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/2356-32-0x00000000022E0000-0x000000000233C000-memory.dmp

Filesize
368KB

Download
memory/2356-49-0x00000000008B0000-0x00000000008B8000-memory.dmp

Filesize
32KB

Download
memory/2356-48-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/2380-0-0x000007FEF5D43000-0x000007FEF5D44000-memory.dmp

Filesize
4KB

Download
memory/2380-31-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-1-0x0000000000B70000-0x000000000100A000-memory.dmp

Filesize
4.6MB

Download
memory/2380-4-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download
memory/2636-24-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2636-23-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2720-57-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/2912-61-0x0000000000D50000-0x0000000000D5C000-memory.dmp

Filesize
48KB

Download