orcus | 481449cf6fc783f0ec2057882640f1952ceaf8c34ddcd26ed76d20654cb30374

Analysis

max time kernel
502s
max time network
503s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21-09-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123123123qw3qew.exe
Size

903KB
MD5

ac40df4b922b8476be86ce4f3b4576d1
SHA1

b7b4ba3424288ae52178b0190574b252a7f9cdbe
SHA256

481449cf6fc783f0ec2057882640f1952ceaf8c34ddcd26ed76d20654cb30374
SHA512

579e71de8c28d0eebcb7324e298d110837f9d41423a77576fef21ee4044fe584c280b4c82a9c3da083885404b0148cc81b15d0b2f0b16bcc23407c91ee9966ab
SSDEEP

12288:hTUZ/Y95eo6L4ce7dG1lFlWcYT70pxnnaaoawZRVcTqSA+9rZNrI0AilFEvxHvBu:xqI4MROxnFMLqrZlI0AilFEvxHi9B

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

act-predictions.gl.at.ply.gg:53002

Mutex

ccda6c301bcc4bffbcfcf707e51e3319

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000200000002a9d7-37.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x000200000002a9d7-37.dat	orcus
behavioral1/memory/1540-47-0x0000000000A80000-0x0000000000B68000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

pid	Process
1540	Orcus.exe

Loads dropped DLL 2 IoCs

pid	Process
1540	Orcus.exe
1540	Orcus.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	123123123qw3qew.exe
File created	C:\Windows\assembly\Desktop.ini	123123123qw3qew.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	123123123qw3qew.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	123123123qw3qew.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	123123123qw3qew.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	123123123qw3qew.exe
File created	C:\Windows\assembly\Desktop.ini	123123123qw3qew.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	123123123qw3qew.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Orcus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Orcus.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133713561438010297"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1540	Orcus.exe
Token: 33	4700	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4700	AUDIODG.EXE
Token: SeBackupPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe
Token: SeSecurityPrivilege	1540	Orcus.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
1540	Orcus.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3464	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 1084	4148	123123123qw3qew.exe	78
PID 4148 wrote to memory of 1084	4148	123123123qw3qew.exe	78
PID 1084 wrote to memory of 2780	1084	csc.exe	80
PID 1084 wrote to memory of 2780	1084	csc.exe	80
PID 4148 wrote to memory of 1540	4148	123123123qw3qew.exe	81
PID 4148 wrote to memory of 1540	4148	123123123qw3qew.exe	81
PID 1540 wrote to memory of 3124	1540	Orcus.exe	83
PID 1540 wrote to memory of 3124	1540	Orcus.exe	83
PID 3124 wrote to memory of 2460	3124	csc.exe	85
PID 3124 wrote to memory of 2460	3124	csc.exe	85
PID 2384 wrote to memory of 2788	2384	chrome.exe	92
PID 2384 wrote to memory of 2788	2384	chrome.exe	92
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1684	2384	chrome.exe	93
PID 2384 wrote to memory of 1952	2384	chrome.exe	94
PID 2384 wrote to memory of 1952	2384	chrome.exe	94
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95
PID 2384 wrote to memory of 3140	2384	chrome.exe	95

C:\Users\Admin\AppData\Local\Temp\123123123qw3qew.exe
"C:\Users\Admin\AppData\Local\Temp\123123123qw3qew.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\li4jdo0q.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0EF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC0EE.tmp"
    3⤵
    PID:2780
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a3ku31be\a3ku31be.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B32.tmp" "c:\Users\Admin\AppData\Local\Temp\a3ku31be\CSC9B31.tmp"
      4⤵
      PID:2460

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3464

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004BC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffd657bcc40,0x7ffd657bcc4c,0x7ffd657bcc58
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1796,i,13659781681152649336,3719346506012679599,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1792 /prefetch:2
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2064,i,13659781681152649336,3719346506012679599,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,13659781681152649336,3719346506012679599,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,13659781681152649336,3719346506012679599,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3300,i,13659781681152649336,3719346506012679599,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4456,i,13659781681152649336,3719346506012679599,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4464 /prefetch:8
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4452,i,13659781681152649336,3719346506012679599,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4512,i,13659781681152649336,3719346506012679599,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3748 /prefetch:8
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5008,i,13659781681152649336,3719346506012679599,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5076,i,13659781681152649336,3719346506012679599,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4412 /prefetch:8
  2⤵
  PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffd657bcc40,0x7ffd657bcc4c,0x7ffd657bcc58
  2⤵
  PID:3848

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
903KB

MD5
ac40df4b922b8476be86ce4f3b4576d1

SHA1
b7b4ba3424288ae52178b0190574b252a7f9cdbe

SHA256
481449cf6fc783f0ec2057882640f1952ceaf8c34ddcd26ed76d20654cb30374

SHA512
579e71de8c28d0eebcb7324e298d110837f9d41423a77576fef21ee4044fe584c280b4c82a9c3da083885404b0148cc81b15d0b2f0b16bcc23407c91ee9966ab

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
355a34426afd246dae98ee75b90b79c2

SHA1
3011156636ac09b2665b8521d662f391c906e912

SHA256
f073bb41e3fb1650fdaa5ab3a2fe7f3db91f53b9457d65d58eb29bcc853d58e0

SHA512
e848fd8ff071e49f584c9cf27c4c6b3bddc522e18ce636fce5802fcc1da8c36c90d331ae5097b60e795f0f967141b2c4293d39632e10334cba3fdc0f9cd1bc34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4f75f7fc554d6cc5dc7ebc65c18240e5

SHA1
6897989c68182110d61b7791caabca41e8d5b381

SHA256
b568646cdbccdfb23834392ac1b2c056bf2f2fc483a7d8677dc32bbe241a87ff

SHA512
80dcfefc93ead3a8383cf5c08cda131f462f6d036203d8b9ac4939babf33c5d788c3da1002b8367caf21b306226bd17b1b5397c58d5b7ba3e9611893dc5644a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
b2794caae1509b6e094bd0f4993273ce

SHA1
df9e6262e01770b34885fa3912dff4f095af847e

SHA256
af93ca69b5be424897c5d193144a2609373f6a9ee2362fdc949e9236de398729

SHA512
34e7cb18b556d92ead81f9a317f991a6c1143f11914736c462e598fb0b0c43225a4e8d06d3f4ca7dbcf7eae1912ecbc43c1a1d3df72d28a65bd438509c91f207

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
36e32ef2404b89d7e34c5aeaa58141ac

SHA1
8fe859657f5ec21cd27efadbda4cf9a1d75c44e3

SHA256
7f809fda24d3f76c4ddd99bd6b83a5acebc812e4184b5301e12183e4d88eb4b5

SHA512
7d79cce10033792ddacd8d7fec7f911c969948f2528376a7d70fa47b4f7992e16471dbefd6de7a15f229b3dd9c44b0161dcb9367564a532e220bcbad3f664332

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6e225cda142a716d18d0ec8a787bf9eb

SHA1
0e71cd4590fa1551bd80a63d6c29f16dd39e4727

SHA256
bcce815c6bd5c9b74e4c93d8919ff391f24cc9c5490c5d298942e588f1ae2455

SHA512
c31d377d80865dc87f94863cdbbcae738907f6f4e3a2a390fea564b781c3b8bc7c962e82c3be1f399e26da5ebe1d1a2e0e6ae1aa926f9dd7767b96018a0d4e19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
123776a28743abdf2d0e3796cb2d4c4d

SHA1
f7a3d6dd89d0bf5e4bab86342f49f0acefac9769

SHA256
bbc1580705b1af8c4261a352ab2233d90aa0b01e51c89d653c37598b2f3f914e

SHA512
55549c176deaaf6f0d8d21eeb9d636e0f38c3bd98aacf1d247fd106a0c2008b4fddac879673bf2096cecd3073e5111c6a029e2321eb313abe5f522bfbf9600e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4b789560745b0720358870b30d4a9c32

SHA1
b998dc769e2c7d2b36891b35ff37a19aa2437f85

SHA256
9153c78f4d9f7daf875587353f24dc43b020551a983eccf5def8990fb8086812

SHA512
85f5b13706671f9a68ac670d36614515cd73ee70bc07b5c52c4440b316ec9985c19c4da0b23079d141910a2bc7f353e01d56d8ac1cf6c245cefcbf17adae8d33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f906921b08b42b91a448cfb1119ed361

SHA1
ce24a32c5c40f6c341047acf871993da1342878c

SHA256
4835afa126d47ac1aa5903ba6a4f88d62b629ecbd2c239e234b13000aaefbe51

SHA512
8240644b01fb3f4b43d45f851ed86c319ed94fbe88d3780dad0bf71719a3eb8a0905a6fc48e70463cdbe1b2ef388145989d88328f83bae5795629890df2d58ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7c192275354541bfc8ce82a5cde79292

SHA1
8f4089a857d60163499f494f4a7aa4a911c75234

SHA256
94a8b13f505e443e883443f4a10b02e82aafe33f262dfea5a99d19a35c04567e

SHA512
064ffb84f755fb854cfd0f2820e6f806efccfcd0b04c83ed2a334ede98b0d0824ba1846778423c00951e60dc0f1f459f9b41078a8986afe6e4114e7d929844e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4cf23c11a794c3d92550e0cd49016ad3

SHA1
023640a6f955acf105639bd88c4125e0d0cbbce2

SHA256
912e875531288be47f4506137d8f4dbb494f82d3cc9301e2be675bf294911e12

SHA512
8af0e08fc7fc245cd60a2859cc82fcf7e8b95891e5e159df42508cf4cacd2594bd94c9b2a652c55345a1fab2a623a287b8e4b2d227c9338286e56202a21f54c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
409bf4b64d3fa5187fb2c9828ec14b68

SHA1
d3a683ebb14cfea2f66e03d0adb827469a05b3c8

SHA256
52d7f0841ad33d66693e5da51549b5d9747a0c1b185303fe7daeb58f113d41a8

SHA512
3a59f05543a4d273c62e2d5f9f326a4f6b412ffc405221be85e4a8d7ad3ace41845f77cf5a7b57c8de02ca8f87493a6e27c38dfba7588e5811715a70b2f20a85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
036d014f678d39ff86610853da523228

SHA1
06d1d8e5c3a1db6c7aea12a6c8065bf8f0504b6a

SHA256
0194add75e823189a8204f35710055cdb1a5d745a1b272c16c2e2a2dacd80e4d

SHA512
484ca4029588cc15d283dbddeebed459609c93b62669afa2be74ca7832e35603c4202ad48e7ac51f88aaf5fd8b0b573fcc767c465c408cdd5f858d2a2ff9036b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0d3ff9af1055b769fd7767bdb61ba12b

SHA1
ecd04c88f0a8c5346a54d47117ff5c66b7b0f13a

SHA256
a73e87392dfbddb7625e553edc2d7c87c1064c3a4b14cbddd226bbc2cbfe418f

SHA512
c9cbc9e517d3e0c75dda4a6564045adcd65efd9106ed1005f11185875ca802659dfceb2ce5a192155fb41d03c2518e0577a7798af3dc4e096b89fa71a0a48000

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3d52f9f603c7cb22879bbd1f0f1b6dd5

SHA1
93e01a09e9e888819e8b5c961df6e9f063437eab

SHA256
64cd9d200a99a25991b3d81ec1c47fbe325e4a7276fc5facad9c32cd68e13308

SHA512
c3060926adb573d9e537a19605ed4f30e61aa48d35358b55458777ce0f2ace797373d4e9a647bf57a486e762419b7fb301a7a990433a6ef483c19bbe25759dbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
42cd30f42592ee923ed6ad5ff3ae73a7

SHA1
10b0a1e43d191d584b21c3847bbd301dfee9bb3c

SHA256
2626d131f07f07d34f57064e745b68fb91ec267d2365134fa5ffc952a0ff272b

SHA512
cd763e949a09af60983bde09140a844c559048e0cef30b4d13d4eed1a922a1479bb96f5fae38f27a8bdb1769da058624f95d2ad84a8e0780e2aa1592f6ef7dfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
45ec6ba747a0b519f2603852defa8c42

SHA1
3ef1145faa1cb169c8eed9a7777526ac4493a405

SHA256
9ac1ab3c84f68c5c81a6bda2cc5338dce6f2b08564049a8887b9d77a53d6a216

SHA512
5d3f5a9216797fcf9bb8190726c6bab7a2908f5e71443e698dcc2cac5f1df3e7253c14942d6cdda98c8d37874018fc19e7d23d7d85db1b1b666957d0949622a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fcc068e12de49ff30864d627cb9d2c6d

SHA1
eb886bd3996aa8054c1fc375db242e1a53486811

SHA256
78b111859c5a2f136dd522756faf22a49da36a08972d0e67f610fe1f74d2b09b

SHA512
587c1b95cc7c58d2508688d9e7b0ddab4e286e49e1cd4ffc77159a90ea08fac2e7c0fd1636f543bb64bada1ad4f62d6e4d1cd73accc248a74b9c14d71dcadd51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d5a0339b7f85aaa1542854320940ff1

SHA1
27ff8d9af6810d58cb9995d7724359d47f1e3f3b

SHA256
675856619026bcbe0e80a992bc8b8d92c40d4af569ded9f1bcf1c228977b322f

SHA512
ab5a3ad67a574504ac14404f4e05defe009cb801141800a974483b553af09cee76f56483d6ac5bc7259d9ea41af900e90d458b2d3656cf4b79103581d22668ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eff4c1197e9a6f04d5c6330c3947a6e2

SHA1
bfd7f73c3d44370aa296c348181aeedd6d053466

SHA256
552609fb6e17188459d878304c1ecdeaa3e6322296b0e334fe80a2e119e26c32

SHA512
d6304694728a428e8ed0f28c71bfd124b5d440cd318744f8d5be8758cf75e94509d6967fa26edacb1452a677c07a94fc8929b843b51d24cca0ca2380c1b07d9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
9e37f7eb9c73c9abd50ef11718b79f92

SHA1
2da7ea7e7a71993da26cc606bcc4fdfb8558311f

SHA256
e25406360a28147f492fb06c9725c6ca0341e8fdd2c37bc269fc9bc8c4e9dc2e

SHA512
de63c3cab451d661c3ba3c5aa787faa9c066737a210637a11afc23e09e3595d7975f4ddab4bce98a411ac5bd6cd0261710e984871bd2172be581960709d1db2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
da305e779d28c75c80f2bdcff4dea159

SHA1
06a621ef3712f9aa9fa5d1191b60a58aa7c95e7b

SHA256
0bf3867583fe9e5d9dde69c0c4490336025d2a431dfe4042b928200e77fb2212

SHA512
053b195c1e6fa3b03983910ee493006e5c43c477d9492323692b393572c45c373adf7d64f123ca47baa346a9673a3fe5cc55a4fb97015e4559d7b420bc92aa7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
b889da5cb7001278ace7367812d6fd98

SHA1
6f4f4c139446d587a472800bb8b383c123cc9a9d

SHA256
674e271fa2ece987dee80160ed48dbea5568c61f5c2fbd23629d9e9fdefed549

SHA512
b6acb50f75102642ea5b18860d023408e972bed822989bf928f9365acfde2e943e2306aa9d3902b555fa507dfa9b5e381cd594f5a8270b12357c5d8500045155

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
30f9f69bd4cb3ca8ed4af465e6bf3b72

SHA1
1f7bf3625d683c1af38485d1eb39152949648749

SHA256
fbb114871abc3901711a5f204cb370f1cc1602ad89fa0c8155288ec72e4eaf36

SHA512
ae96746716d0b47912c191ca52db48ee40aca9591444c1f0ffbc913346be1fff1e9f71c6e66cb4c175fd308e04a504367dd56bf84920f94c65142cd8508258c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9B32.tmp

Filesize
1KB

MD5
f5929f0961f63c85211441abee5a8b0e

SHA1
280404740830c376291dbd214c72e9a52de4ed51

SHA256
4375352dccfb8ccb4064b1f9fc4df0ba86b29c3eaaf5b03324781036b9d9f5c5

SHA512
fac61b91f5fa8c64274f7799a3fbecf327d070a3c7380203d15920ae2a1b086a279e7ce5046e4bf34d83bb4d1d351ef4254ac97ec3f3c6c678386c22587062cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC0EF.tmp

Filesize
1KB

MD5
b462248eb9e18475cff3838d6541dab0

SHA1
910274085f41d5f93a0d679b691de14b32583466

SHA256
a171e5db6a459b68d5b71b59bf3eb0aab5391fe70513083679893383eca5f060

SHA512
5bffe34b5e0b451f6374ae742c8b9d38a9f5b64b45306a0d87da0f89d2158e940e865d286a3bbe90804179086f0a8ea31dc536990b9d4830267150d6167fda2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3ku31be\a3ku31be.dll

Filesize
3KB

MD5
a1b1aadda4d9b85211bbfadfcb41eb3a

SHA1
595c143d561ccaf3dc7cbb4084d8f4b6e4ee8b20

SHA256
8a305394d94cb189c9564e1b8476ab873ab1e36b734b412f67109f5c536ae6ff

SHA512
b4d3a9523e972cd48e48d84f0718f035afd8f0516c6b0234531d657ef8bf2bd11c3faa4b219d30f03fd35278191172d270d59419336ab1beeb241356f30eec11

Download Submit
C:\Users\Admin\AppData\Local\Temp\li4jdo0q.dll

Filesize
76KB

MD5
0071717eb7245d382fae6bcab4170b66

SHA1
27a0463f4224bb10e287dbda5eb044820a49e59e

SHA256
e857b720db3f19bb047b6384549e4c002d5369637933c3525892f0fa88703dc3

SHA512
fa8ee2a8f339d0b7f85e783fd84cdf17ffe70b44af68384698ca908188d3ef352a65d6990dae18d714ab95c393c6d8e6f47295c10239d1999a00523801fb61a4

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_ccda6c301bcc4bffbcfcf707e51e3319\CSCore.dll

Filesize
516KB

MD5
dde3ec6e17bc518b10c99efbd09ab72e

SHA1
a2306e60b74b8a01a0dbc1199a7fffca288f2033

SHA256
60a5077b443273238e6629ce5fc3ff7ee3592ea2e377b8fc28bfe6e76bda64b8

SHA512
09a528c18291980ca7c5ddca67625035bbb21b9d95ab0854670d28c59c4e7adc6d13a356fa1d2c9ad75d16b334ae9818e06ddb10408a3e776e4ef0d7b295f877

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_ccda6c301bcc4bffbcfcf707e51e3319\ICSharpCode.SharpZipLib.dll

Filesize
196KB

MD5
c8164876b6f66616d68387443621510c

SHA1
7a9df9c25d49690b6a3c451607d311a866b131f4

SHA256
40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d

SHA512
44a6accc70c312a16d0e533d3287e380997c5e5d610dbeaa14b2dbb5567f2c41253b895c9817ecd96c85d286795bbe6ab35fd2352fddd9d191669a2fb0774bc4

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_ccda6c301bcc4bffbcfcf707e51e3319\x64\opus.dll

Filesize
458KB

MD5
20956ba917ef3509b721461a884edcc1

SHA1
b45628c6f280aff8362bbb02c0960b20a44a5086

SHA256
b767008d63a9fce5db80f27467abb8e0a74e7edbcf0d392a6a0506d42d3bf76a

SHA512
68db640941698d6649809bfe8795e197a538f7c48d9faea04dfa0d5ef3c2dcc390d829827c6d5604f8e337243f0ad894ef3c37b4c682c775f3c1270b59331f00

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_ccda6c301bcc4bffbcfcf707e51e3319\x64\turbojpeg.dll

Filesize
662KB

MD5
b36cc7f7c7148a783fbed3493bc27954

SHA1
44b39651949a00cf2a5cbba74c3210b980ae81b4

SHA256
c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38

SHA512
c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC0EE.tmp

Filesize
676B

MD5
122678cea7e247efe22961ce9cb66e59

SHA1
2294aa34eeb37e24225ec20e585e3931ef2c9b39

SHA256
c9e5ae70a3897320b932c9df461a016141eadb1674e1bb0afa0de6d24242ad0c

SHA512
f5e8698949b8933a50b31c436b11f4ce039e56a0a122a11275a6004535181f2a6d243da19b7d51ccad876f821ee3c44f25c50985ef5666ecb6a37957a90d6227

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a3ku31be\CSC9B31.tmp

Filesize
652B

MD5
948b599398b9f94f9feba26da365a376

SHA1
19e1dd05214c3fe3fe0684db146f202584218393

SHA256
a6ac887c512c80f053ebb6f6f8a07b9876fee2e6470998dca1d23a9f23c690b2

SHA512
bdaf9ee7e4af0f606b02fa3ff44488c2465cf35369d9791609fb5caae7107a3449229eb52a99ce830dabc5cc0a63d069bbd1fb21302219219321c26cf275d88b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a3ku31be\a3ku31be.0.cs

Filesize
285B

MD5
4d95622f967f043b01d907b419b16f48

SHA1
4ee52dfc3011311a9db8f07341a58bac5a1f3c5a

SHA256
fa701a8903493269fa20d49fbf81d06120f978d18899a9b5b2e5a7e565ec73c8

SHA512
18c1c1ba1ea6fe8e62cf279d58229673c409843c679deaca73790855267b2f4ed1db60a61d7e6bcf82f670f155606f0d7c2883cfd4cc802863b35c0a06646ee7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a3ku31be\a3ku31be.cmdline

Filesize
279B

MD5
5a6102446e4fd81de1684117f70fef23

SHA1
3f1bcfde0349d6ff936e0e8ef5162b18bf187833

SHA256
23776abd9fa38c444da18f346cc022cfc9f1c12898342ad633f7ad5ab0ae2a82

SHA512
59bb338df4c26eacfa85c6df0db4a172da06e7086aa804cbea188ce1abae3d80f6e02cdff63f6ab813b3687f81225a3579ee77b2346f273dbf7d825d428987a0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\li4jdo0q.0.cs

Filesize
208KB

MD5
6b12f3ee085d59aa0b1a201e9c31ff52

SHA1
46a75285f784418d69ff4ee150709eb5bbe01636

SHA256
a91a7437b0623c0f6cb7ad4829c4806d67ffd116a2209c776c610aa0783e2281

SHA512
aa658f7de224cc7c0af2e82220447917885f3a1da897a246f01b370a568da0d7b22dc12fb7f3336656c1556ec5360e4b446c1ad9e8349ac6f96253eb53fc04f2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\li4jdo0q.cmdline

Filesize
349B

MD5
8d0e543fa67ba260944dbbe08126fbf5

SHA1
ca8fec447a137eea4f7119f75980f4aa0ed47e52

SHA256
b502680593bda37bf9d8edb9778481188a5f69987cd739fb8e159e1c31a72131

SHA512
86a3ba608d501b3b5cb6b84940d518ec4f7220108c40faea77bde9286a423e3a7c7310953a665182b239f9db08da538b7b0c29b73a120282b6e02848ea456a69

Download Submit
memory/1084-16-0x00007FFD6B7A0000-0x00007FFD6C141000-memory.dmp

Filesize
9.6MB

Download
memory/1084-21-0x00007FFD6B7A0000-0x00007FFD6C141000-memory.dmp

Filesize
9.6MB

Download
memory/1540-155-0x000000001BC70000-0x000000001BC96000-memory.dmp

Filesize
152KB

Download
memory/1540-61-0x000000001C0F0000-0x000000001C13A000-memory.dmp

Filesize
296KB

Download
memory/1540-109-0x000000001FB60000-0x000000001FC03000-memory.dmp

Filesize
652KB

Download
memory/1540-133-0x000000001FD70000-0x000000001FE1A000-memory.dmp

Filesize
680KB

Download
memory/1540-140-0x00000000012F0000-0x0000000001334000-memory.dmp

Filesize
272KB

Download
memory/1540-145-0x0000000001340000-0x000000000138A000-memory.dmp

Filesize
296KB

Download
memory/1540-150-0x000000001BEA0000-0x000000001BEFA000-memory.dmp

Filesize
360KB

Download
memory/1540-53-0x000000001C560000-0x000000001C572000-memory.dmp

Filesize
72KB

Download
memory/1540-160-0x000000001FF80000-0x00000000200D4000-memory.dmp

Filesize
1.3MB

Download
memory/1540-104-0x000000001CE20000-0x000000001CE54000-memory.dmp

Filesize
208KB

Download
memory/1540-172-0x00000000660C0000-0x000000006615C000-memory.dmp

Filesize
624KB

Download
memory/1540-99-0x000000001BD00000-0x000000001BD16000-memory.dmp

Filesize
88KB

Download
memory/1540-50-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/1540-49-0x0000000002D00000-0x0000000002D18000-memory.dmp

Filesize
96KB

Download
memory/1540-48-0x0000000002C70000-0x0000000002C82000-memory.dmp

Filesize
72KB

Download
memory/1540-94-0x000000001CB80000-0x000000001CBBE000-memory.dmp

Filesize
248KB

Download
memory/1540-47-0x0000000000A80000-0x0000000000B68000-memory.dmp

Filesize
928KB

Download
memory/1540-54-0x000000001C5C0000-0x000000001C5FC000-memory.dmp

Filesize
240KB

Download
memory/1540-55-0x000000001C8E0000-0x000000001C9EA000-memory.dmp

Filesize
1.0MB

Download
memory/1540-56-0x000000001CBC0000-0x000000001CD82000-memory.dmp

Filesize
1.8MB

Download
memory/1540-60-0x000000001C9F0000-0x000000001CB42000-memory.dmp

Filesize
1.3MB

Download
memory/1540-118-0x0000000002B40000-0x0000000002C1A000-memory.dmp

Filesize
872KB

Download
memory/1540-74-0x000000001C0C0000-0x000000001C0C8000-memory.dmp

Filesize
32KB

Download
memory/1540-86-0x000000001CD90000-0x000000001CE16000-memory.dmp

Filesize
536KB

Download
memory/1540-89-0x000000001F3F0000-0x000000001F918000-memory.dmp

Filesize
5.2MB

Download
memory/4148-46-0x00007FFD6B7A0000-0x00007FFD6C141000-memory.dmp

Filesize
9.6MB

Download
memory/4148-23-0x000000001C0E0000-0x000000001C0F6000-memory.dmp

Filesize
88KB

Download
memory/4148-26-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/4148-27-0x00007FFD6B7A0000-0x00007FFD6C141000-memory.dmp

Filesize
9.6MB

Download
memory/4148-28-0x00007FFD6BA55000-0x00007FFD6BA56000-memory.dmp

Filesize
4KB

Download
memory/4148-29-0x00007FFD6B7A0000-0x00007FFD6C141000-memory.dmp

Filesize
9.6MB

Download
memory/4148-25-0x0000000000DE0000-0x0000000000DF2000-memory.dmp

Filesize
72KB

Download
memory/4148-0-0x00007FFD6BA55000-0x00007FFD6BA56000-memory.dmp

Filesize
4KB

Download
memory/4148-6-0x000000001BAA0000-0x000000001BF6E000-memory.dmp

Filesize
4.8MB

Download
memory/4148-7-0x00007FFD6B7A0000-0x00007FFD6C141000-memory.dmp

Filesize
9.6MB

Download
memory/4148-8-0x000000001C010000-0x000000001C0AC000-memory.dmp

Filesize
624KB

Download
memory/4148-5-0x000000001B5C0000-0x000000001B5CE000-memory.dmp

Filesize
56KB

Download
memory/4148-2-0x000000001B3C0000-0x000000001B41C000-memory.dmp

Filesize
368KB

Download
memory/4148-1-0x00007FFD6B7A0000-0x00007FFD6C141000-memory.dmp

Filesize
9.6MB

Download