orcus | e67c3d893e403f8974605d2c77bf66930c880de94dddb02dc13ce7c8d40ad700

Analysis

max time kernel
79s
max time network
51s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xda.exe
Size

3.0MB
MD5

cf6aa82e9cb164a4ddd30a1f77db1eb7
SHA1

60790744a396419695221c39aee74672bc67fa66
SHA256

e67c3d893e403f8974605d2c77bf66930c880de94dddb02dc13ce7c8d40ad700
SHA512

e9465d2469199972ece28fde93be701e15d97bb495ee75545161ebb8712591b04867110d8632fce712295399c89338fdfe2c7c5179f597bffd8e3c679b95ae09
SSDEEP

49152:XzTEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmWrZEIN:XzTtODUKTslWp2MpbfGGilIJPypSbxE8

Score

10^/10

orcus defense_evasion discovery evasion persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

orcus

89.23.100.155:1337

Mutex

d058ef377b7f46bea0e52b669562775b

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2604-22-0x0000000000500000-0x000000000050A000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Orcus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	xda.exe

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016dc8-235.dat	family_orcus

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	xda.exe

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/memory/2604-53-0x000000001CB30000-0x000000001CE30000-memory.dmp	orcus
behavioral1/files/0x0009000000016dc8-235.dat	orcus

Executes dropped EXE 6 IoCs

pid	Process
2824	WindowsInput.exe
2984	WindowsInput.exe
2488	Orcus.exe
1328	Orcus.exe
2016	OrcusWatchdog.exe
2192	OrcusWatchdog.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	xda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	Orcus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\""	Orcus.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	xda.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Orcus.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	Orcus.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	xda.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	xda.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Orcus\Orcus.exe	xda.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	xda.exe
File created	C:\Program Files\Orcus\Orcus.exe	xda.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
848	powershell.exe
2432	powershell.exe
2488	Orcus.exe
2488	Orcus.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2192	OrcusWatchdog.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe
2488	Orcus.exe
2192	OrcusWatchdog.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2488	Orcus.exe
Token: SeDebugPrivilege	2016	OrcusWatchdog.exe
Token: SeDebugPrivilege	2192	OrcusWatchdog.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2488	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2488	Orcus.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2120	2604	xda.exe	30
PID 2604 wrote to memory of 2120	2604	xda.exe	30
PID 2604 wrote to memory of 2120	2604	xda.exe	30
PID 2120 wrote to memory of 2016	2120	csc.exe	32
PID 2120 wrote to memory of 2016	2120	csc.exe	32
PID 2120 wrote to memory of 2016	2120	csc.exe	32
PID 2604 wrote to memory of 2824	2604	xda.exe	33
PID 2604 wrote to memory of 2824	2604	xda.exe	33
PID 2604 wrote to memory of 2824	2604	xda.exe	33
PID 2604 wrote to memory of 848	2604	xda.exe	35
PID 2604 wrote to memory of 848	2604	xda.exe	35
PID 2604 wrote to memory of 848	2604	xda.exe	35
PID 2604 wrote to memory of 2488	2604	xda.exe	38
PID 2604 wrote to memory of 2488	2604	xda.exe	38
PID 2604 wrote to memory of 2488	2604	xda.exe	38
PID 2488 wrote to memory of 2432	2488	Orcus.exe	40
PID 2488 wrote to memory of 2432	2488	Orcus.exe	40
PID 2488 wrote to memory of 2432	2488	Orcus.exe	40
PID 544 wrote to memory of 1328	544	taskeng.exe	42
PID 544 wrote to memory of 1328	544	taskeng.exe	42
PID 544 wrote to memory of 1328	544	taskeng.exe	42
PID 2488 wrote to memory of 2016	2488	Orcus.exe	43
PID 2488 wrote to memory of 2016	2488	Orcus.exe	43
PID 2488 wrote to memory of 2016	2488	Orcus.exe	43
PID 2488 wrote to memory of 2016	2488	Orcus.exe	43
PID 2016 wrote to memory of 2192	2016	OrcusWatchdog.exe	44
PID 2016 wrote to memory of 2192	2016	OrcusWatchdog.exe	44
PID 2016 wrote to memory of 2192	2016	OrcusWatchdog.exe	44
PID 2016 wrote to memory of 2192	2016	OrcusWatchdog.exe	44

System policy modification 1 TTPs 14 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xda.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\xda.exe
"C:\Users\Admin\AppData\Local\Temp\xda.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Windows security modification
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2604
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zvzxhga-.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAB2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAAB1.tmp"
    3⤵
    PID:2016
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
    "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2488
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
      "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2488
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2192

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2984

C:\Windows\system32\taskeng.exe
taskeng.exe {3E3C6FF7-5C15-406A-8D74-7509F77FECBE} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:544
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
3.0MB

MD5
cf6aa82e9cb164a4ddd30a1f77db1eb7

SHA1
60790744a396419695221c39aee74672bc67fa66

SHA256
e67c3d893e403f8974605d2c77bf66930c880de94dddb02dc13ce7c8d40ad700

SHA512
e9465d2469199972ece28fde93be701e15d97bb495ee75545161ebb8712591b04867110d8632fce712295399c89338fdfe2c7c5179f597bffd8e3c679b95ae09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab648.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAAB2.tmp

Filesize
1KB

MD5
9b4e706649af005375c5af223234279f

SHA1
7661049e280dafcd0ec14085a977ab657283aca9

SHA256
24e5646b796b3092ea3728a9c738ffe82c7716db01d344ef5a678eb6ccdbeb36

SHA512
b6a1500a3ed927558b2af9e1bf24583cb58ffef0fe2cd4339d5452ac003a1ac93ab87d256daa8110da3b17e3bd50c76989f4df2f743d6dac9802ae80f1e0502e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6D7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvzxhga-.dll

Filesize
76KB

MD5
532efb4aab65339b801475cdc67c60da

SHA1
8b7b4697c54ba98a75e61fe277ca6caf0d55b638

SHA256
281f9b0a9219683b5396365fb493d293a4c1465fe16e8b83a21fedfc72ba6245

SHA512
1dafb99697bac9eace8c0bf6231598e729c0e60cb26cadf535a8e511d3abb3171a7ae0afa8bec7bbe17dbfde6cea5b050474bd241336c92900af41a3fee433c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6R2GJY9XS3E4YVM5FUOD.temp

Filesize
7KB

MD5
fd8570e5e87278867efa415189b8655a

SHA1
e1305e6718d21e5a86ea1a12115104048d8b9910

SHA256
34e8288471d3d61def59a22bd7717c72c4986f29b7e42b275d057c503c4a9b41

SHA512
a5db393afef064fb1a7d44203cc635285b485ce3f97a2e9f3a4fb89b17f7a17a6004a6b8ad4a79c2666da453b007889019c3c05c48775fc82f457948c8ac0ddf

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Filesize
9KB

MD5
7a195b6c9de2d5cab015f649da6931a1

SHA1
89f7372dd92a90a8e13b74ee512b464412e4cf9b

SHA256
30183935449a625c2a61f6342dc3b9907028194173f2e3d594eaa3126ee316bc

SHA512
3c2aeef85b51e7f955072fba042bcedf8dd0b66ad813def58c0134355665ba56a713d58005a322561c62be5777d0adea2803da214459f362f22fe2a0dba5a1c7

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
f6285edd247fa58161be33f8cf662d31

SHA1
e2b49bca43cd0bd6cc1eee582ba58f0ed6de1470

SHA256
bc16993d1a774793044ca37eb2ce84ecbdb5c578e3c710ed82879e07dcef2fec

SHA512
6f3e6073a1dafc679da1caa4a4c9cb7cc2da79c3f81034d7b7b7b1d855fd5421cbb517a7d3f9520f49d4d3b7f9577f4f8f92486994c8b78fabff5033b390a788

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCAAB1.tmp

Filesize
676B

MD5
33ef91e9fa13dd3a60b01a92791c3888

SHA1
23a65a0eec5a9ad9d1b0558a9c1c1a2fd7f42bf0

SHA256
42dd62fbd824664b028943a7df5bcf0801117d1b530fabc99bba51aad51cbbf4

SHA512
b352e96487e80f988820da2c948044553f1229e28cd815c9cc8a3512e2a704cb9a5738aff08c4fcee3b06211029e88661a15037e8f488124cad0fb0df9d35506

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zvzxhga-.0.cs

Filesize
208KB

MD5
9fbf2cac269cc780248cac047146d47a

SHA1
e0db43eff4acc56ebdb71fee1ee7e0431a164f01

SHA256
3af5ccc54f61c6565b7a751e0c6efffe702f4c45fe78cb0124bf0d8e4fd2d240

SHA512
6e82b712122337ae5108049e86ff2b11bf43cd3cd0387926a806dbbf2ddcb6efaf5126e8b1627360c546f6cf19ecae6ee6bcb794035829fe6b14f3963a08624d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zvzxhga-.cmdline

Filesize
349B

MD5
ef1d95726dd76ee4f2413778cfd794a8

SHA1
03a271bb017f3d3cf965ceb8c46cfb1d1c7f81d8

SHA256
7247504710f016ad59039edff571048e3b20c570a0ce872e5f6baa4c7ae8ad0b

SHA512
59dcb5c861a2872c3e441f0437840ca21d9b5cec962c434de5a40ea203f4d68a300b94a30084bd5c32d41a322bbefdbadbfed66de46490fc93d62341dc3f9791

Download Submit
memory/848-44-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/848-43-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2120-17-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

Filesize
9.6MB

Download
memory/2120-10-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

Filesize
9.6MB

Download
memory/2604-85-0x000000001B620000-0x000000001B64A000-memory.dmp

Filesize
168KB

Download
memory/2604-93-0x000000001B610000-0x000000001B624000-memory.dmp

Filesize
80KB

Download
memory/2604-0-0x000007FEF609E000-0x000007FEF609F000-memory.dmp

Filesize
4KB

Download
memory/2604-23-0x0000000000710000-0x0000000000718000-memory.dmp

Filesize
32KB

Download
memory/2604-22-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/2604-45-0x000000001B640000-0x000000001B696000-memory.dmp

Filesize
344KB

Download
memory/2604-53-0x000000001CB30000-0x000000001CE30000-memory.dmp

Filesize
3.0MB

Download
memory/2604-55-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2604-56-0x000000001B620000-0x000000001B646000-memory.dmp

Filesize
152KB

Download
memory/2604-57-0x000000001B610000-0x000000001B628000-memory.dmp

Filesize
96KB

Download
memory/2604-58-0x000000001B5F0000-0x000000001B62B000-memory.dmp

Filesize
236KB

Download
memory/2604-59-0x000000001B610000-0x000000001B626000-memory.dmp

Filesize
88KB

Download
memory/2604-60-0x000000001B620000-0x000000001B64A000-memory.dmp

Filesize
168KB

Download
memory/2604-61-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/2604-62-0x000000001B620000-0x000000001B646000-memory.dmp

Filesize
152KB

Download
memory/2604-63-0x000000001B610000-0x000000001B62C000-memory.dmp

Filesize
112KB

Download
memory/2604-64-0x000000001C940000-0x000000001CA4A000-memory.dmp

Filesize
1.0MB

Download
memory/2604-65-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2604-66-0x000000001B610000-0x000000001B630000-memory.dmp

Filesize
128KB

Download
memory/2604-67-0x000000001B620000-0x000000001B646000-memory.dmp

Filesize
152KB

Download
memory/2604-68-0x000000001B620000-0x000000001B646000-memory.dmp

Filesize
152KB

Download
memory/2604-69-0x000000001B5F0000-0x000000001B62B000-memory.dmp

Filesize
236KB

Download
memory/2604-70-0x000000001B610000-0x000000001B622000-memory.dmp

Filesize
72KB

Download
memory/2604-71-0x000000001B610000-0x000000001B62C000-memory.dmp

Filesize
112KB

Download
memory/2604-72-0x000000001B620000-0x000000001B646000-memory.dmp

Filesize
152KB

Download
memory/2604-73-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2604-74-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2604-75-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2604-76-0x000000001B610000-0x000000001B62E000-memory.dmp

Filesize
120KB

Download
memory/2604-77-0x000000001B610000-0x000000001B62E000-memory.dmp

Filesize
120KB

Download
memory/2604-78-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/2604-79-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/2604-80-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2604-81-0x000000001B600000-0x000000001B60E000-memory.dmp

Filesize
56KB

Download
memory/2604-82-0x000000001B610000-0x000000001B624000-memory.dmp

Filesize
80KB

Download
memory/2604-83-0x000000001B600000-0x000000001B610000-memory.dmp

Filesize
64KB

Download
memory/2604-84-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2604-21-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2604-86-0x000000001BAF0000-0x000000001BBC5000-memory.dmp

Filesize
852KB

Download
memory/2604-87-0x000000001B620000-0x000000001B648000-memory.dmp

Filesize
160KB

Download
memory/2604-88-0x000000001B620000-0x000000001B646000-memory.dmp

Filesize
152KB

Download
memory/2604-89-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2604-90-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2604-91-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2604-92-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2604-2-0x00000000004D0000-0x00000000004DE000-memory.dmp

Filesize
56KB

Download
memory/2604-94-0x000000001B610000-0x000000001B628000-memory.dmp

Filesize
96KB

Download
memory/2604-95-0x000000001B610000-0x000000001B628000-memory.dmp

Filesize
96KB

Download
memory/2604-96-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2604-97-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2604-98-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2604-99-0x000000001B600000-0x000000001B610000-memory.dmp

Filesize
64KB

Download
memory/2604-100-0x000000001B600000-0x000000001B60E000-memory.dmp

Filesize
56KB

Download
memory/2604-101-0x000000001B620000-0x000000001B642000-memory.dmp

Filesize
136KB

Download
memory/2604-102-0x000000001B610000-0x000000001B62C000-memory.dmp

Filesize
112KB

Download
memory/2604-103-0x000000001B620000-0x000000001B64C000-memory.dmp

Filesize
176KB

Download
memory/2604-104-0x000000001B610000-0x000000001B624000-memory.dmp

Filesize
80KB

Download
memory/2604-105-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/2604-106-0x000000001B610000-0x000000001B62A000-memory.dmp

Filesize
104KB

Download
memory/2604-107-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2604-108-0x000000001B600000-0x000000001B60E000-memory.dmp

Filesize
56KB

Download
memory/2604-109-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2604-110-0x000000001B630000-0x000000001B670000-memory.dmp

Filesize
256KB

Download
memory/2604-111-0x000000001B610000-0x000000001B622000-memory.dmp

Filesize
72KB

Download
memory/2604-112-0x000000001B600000-0x000000001B60E000-memory.dmp

Filesize
56KB

Download
memory/2604-113-0x000000001B620000-0x000000001B644000-memory.dmp

Filesize
144KB

Download
memory/2604-114-0x000000001B620000-0x000000001B648000-memory.dmp

Filesize
160KB

Download
memory/2604-115-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2604-116-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/2604-117-0x000000001B610000-0x000000001B62C000-memory.dmp

Filesize
112KB

Download
memory/2604-118-0x000000001B610000-0x000000001B62C000-memory.dmp

Filesize
112KB

Download
memory/2604-119-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/2604-120-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/2604-121-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/2604-122-0x000000001B600000-0x000000001B60E000-memory.dmp

Filesize
56KB

Download
memory/2604-123-0x000000001B610000-0x000000001B622000-memory.dmp

Filesize
72KB

Download
memory/2604-124-0x000000001B600000-0x000000001B60E000-memory.dmp

Filesize
56KB

Download
memory/2604-125-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2604-126-0x000000001B620000-0x000000001B64A000-memory.dmp

Filesize
168KB

Download
memory/2604-127-0x000000001BAF0000-0x000000001BBC5000-memory.dmp

Filesize
852KB

Download
memory/2604-128-0x000000001B620000-0x000000001B648000-memory.dmp

Filesize
160KB

Download
memory/2604-129-0x000000001B610000-0x000000001B62E000-memory.dmp

Filesize
120KB

Download
memory/2604-130-0x000000001B620000-0x000000001B646000-memory.dmp

Filesize
152KB

Download
memory/2604-131-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2604-132-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2604-133-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2604-19-0x0000000002330000-0x0000000002346000-memory.dmp

Filesize
88KB

Download
memory/2604-9-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

Filesize
9.6MB

Download
memory/2604-7-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

Filesize
9.6MB

Download
memory/2604-1-0x000000001B100000-0x000000001B15C000-memory.dmp

Filesize
368KB

Download
memory/2824-31-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/2984-35-0x0000000000FA0000-0x0000000000FAC000-memory.dmp

Filesize
48KB

Download