orcus | 7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a461d8d06c7859b09524ceb0f3d7e4a.exe
Size

3.0MB
MD5

7a461d8d06c7859b09524ceb0f3d7e4a
SHA1

aa27353c3883ef1ce5728dd0112e79fec7ee2fa6
SHA256

7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee
SHA512

22d4fe1a52d16bc45ed5d8cedb8fd98149bb236f2b23f39b37fcd59652e165198180aa7e4a9e2952229a10d9613747485a6891f94ef9019557af39da676aadea
SSDEEP

49152:4i9R1/op1fAZeM9/NtRaO5NYAxC48VYrJAypQxbn32o9JnCmxJWncFfSIH4Duis:4EMtQR9TYW8V0OypSbGo9JCmx

Score

10^/10

orcus discovery persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

45.10.151.182:10134

Mutex

064acb3fed56475eaee5e20cdd2d83c3

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Orcus\svchost.exe
reconnect_delay
10000
registry_keyname
svchost
taskscheduler_taskname
svchost
watchdog_path
AppData\csrss.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2112-1-0x0000000000D50000-0x000000000104C000-memory.dmp	orcus
C:\Program Files\Orcus\svchost.exe	orcus
behavioral1/memory/2640-28-0x00000000009F0000-0x0000000000CEC000-memory.dmp	orcus

Executes dropped EXE 30 IoCs

Processes:

WindowsInput.exeWindowsInput.exesvchost.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	process
2944	WindowsInput.exe
2596	WindowsInput.exe
2640	svchost.exe
576	csrss.exe
1624	csrss.exe
1084	csrss.exe
2696	csrss.exe
2012	csrss.exe
1444	csrss.exe
3024	csrss.exe
2216	csrss.exe
1440	csrss.exe
1096	csrss.exe
2036	csrss.exe
2788	csrss.exe
2816	csrss.exe
2088	csrss.exe
1696	csrss.exe
2096	csrss.exe
2536	csrss.exe
2340	csrss.exe
2244	csrss.exe
1844	csrss.exe
2236	csrss.exe
2088	csrss.exe
3084	csrss.exe
3344	csrss.exe
3584	csrss.exe
3772	csrss.exe
3312	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Program Files\\Orcus\\svchost.exe\""	svchost.exe

Drops file in System32 directory 3 IoCs

Processes:

7a461d8d06c7859b09524ceb0f3d7e4a.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	7a461d8d06c7859b09524ceb0f3d7e4a.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	7a461d8d06c7859b09524ceb0f3d7e4a.exe

Drops file in Program Files directory 3 IoCs

Processes:

7a461d8d06c7859b09524ceb0f3d7e4a.exe

description	ioc	process
File created	C:\Program Files\Orcus\svchost.exe	7a461d8d06c7859b09524ceb0f3d7e4a.exe
File opened for modification	C:\Program Files\Orcus\svchost.exe	7a461d8d06c7859b09524ceb0f3d7e4a.exe
File created	C:\Program Files\Orcus\svchost.exe.config	7a461d8d06c7859b09524ceb0f3d7e4a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

csrss.exeIEXPLORE.EXEcsrss.execsrss.execsrss.execsrss.exeIEXPLORE.EXEcsrss.execsrss.execsrss.exeIEXPLORE.EXEcsrss.execsrss.exeIEXPLORE.EXEIEXPLORE.EXEcsrss.execsrss.execsrss.exeIEXPLORE.EXEcsrss.execsrss.exeIEXPLORE.EXEcsrss.execsrss.exeIEXPLORE.EXEcsrss.execsrss.execsrss.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEcsrss.execsrss.execsrss.execsrss.exeIEXPLORE.EXEcsrss.exeIEXPLORE.EXEcsrss.execsrss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10575e9ccd34db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D558EAD1-A0C0-11EF-9C5B-523A95B0E536} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000e3f3afa3c490d75fd5a820876d715b52a368ba1c87fc4b7c0aaa99fc0c07a9e7000000000e80000000020000200000003748a0b63363da32cc59eaab7571a01ecce299d839c2ff51c43db18fa6ed2bfe200000007fed288d51998ee493b9c12e303ab6a38d2fa3c18288f990d3bec359b1169338400000008761f68f6b52d6b95b36fbd8f87e0cd770df84117cd2397fb2078364661a8b81a0e16ae1771eea8557ece1a8364a0e8f46dd01bd6aea390b6f79858bdab46ced	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000000f0823b372089e2a7e6aecef8fa222637ea99cd130d9be3e83ef7da759735ddd000000000e800000000200002000000082962ca7b85819c78aabdda9916c50f3e907903ad0bdb76870560b51a139a6ee90000000b41622a37b2b904e6cd7c01a2ef85134665ed593a735ed2f5efd4d29182a2df1820c61bfc5f3e699e80f423e0e56a6ac9aabfe99925510a0e3c7e6fd2f93433e2f382322a811ba35da76249dfaefb5d29ebe86c49ae446d4ced1e3b95d21e32fc8696123e399758eacb5134ac8920a4aabe549bf6ae129e0e6a4286fb433313c796d04c4bf94f938f02f2cd1b258860340000000a5930c8715ba130d99a494d1f1af0c7d1a86fa40e57dcb0294509484d80fcf619869580a268bdf6565d89f568865e1a7645aab30a475159b9906e01e44bd0d90	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437555421"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exeiexplore.exe

pid	process
2640	svchost.exe
2640	svchost.exe
2640	svchost.exe
2640	svchost.exe
2640	svchost.exe
2640	svchost.exe
2640	svchost.exe
2640	svchost.exe
592	iexplore.exe
2640	svchost.exe
2640	svchost.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
2640	svchost.exe
2640	svchost.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
2640	svchost.exe
2640	svchost.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
2640	svchost.exe
2640	svchost.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
2640	svchost.exe
2640	svchost.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
2640	svchost.exe
2640	svchost.exe
2640	svchost.exe
2640	svchost.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
2640	svchost.exe
2640	svchost.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe
2640	svchost.exe
2640	svchost.exe
592	iexplore.exe
592	iexplore.exe
592	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

2640 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 2640 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

592 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2640	svchost.exe

pid	process
592	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

svchost.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2640	svchost.exe
592	iexplore.exe
592	iexplore.exe
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
2384	IEXPLORE.EXE
2384	IEXPLORE.EXE
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE
2468	IEXPLORE.EXE
2468	IEXPLORE.EXE
2468	IEXPLORE.EXE
2468	IEXPLORE.EXE
1820	IEXPLORE.EXE
1820	IEXPLORE.EXE
1820	IEXPLORE.EXE
1820	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
2344	IEXPLORE.EXE
2344	IEXPLORE.EXE
2344	IEXPLORE.EXE
2344	IEXPLORE.EXE
2384	IEXPLORE.EXE
2384	IEXPLORE.EXE
2384	IEXPLORE.EXE
2384	IEXPLORE.EXE
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE
2468	IEXPLORE.EXE
2468	IEXPLORE.EXE
1328	IEXPLORE.EXE
1328	IEXPLORE.EXE
1328	IEXPLORE.EXE
1328	IEXPLORE.EXE
928	IEXPLORE.EXE
928	IEXPLORE.EXE
928	IEXPLORE.EXE
928	IEXPLORE.EXE
1820	IEXPLORE.EXE
1820	IEXPLORE.EXE
1820	IEXPLORE.EXE
1820	IEXPLORE.EXE
3012	IEXPLORE.EXE
3012	IEXPLORE.EXE
2344	IEXPLORE.EXE
2344	IEXPLORE.EXE
3012	IEXPLORE.EXE
3012	IEXPLORE.EXE
2344	IEXPLORE.EXE
2344	IEXPLORE.EXE
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE
1328	IEXPLORE.EXE
1328	IEXPLORE.EXE
2352	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7a461d8d06c7859b09524ceb0f3d7e4a.exesvchost.execsrss.exeiexplore.exe

description	pid	process	target process
PID 2112 wrote to memory of 2944	2112	7a461d8d06c7859b09524ceb0f3d7e4a.exe	WindowsInput.exe
PID 2112 wrote to memory of 2944	2112	7a461d8d06c7859b09524ceb0f3d7e4a.exe	WindowsInput.exe
PID 2112 wrote to memory of 2944	2112	7a461d8d06c7859b09524ceb0f3d7e4a.exe	WindowsInput.exe
PID 2112 wrote to memory of 2640	2112	7a461d8d06c7859b09524ceb0f3d7e4a.exe	svchost.exe
PID 2112 wrote to memory of 2640	2112	7a461d8d06c7859b09524ceb0f3d7e4a.exe	svchost.exe
PID 2112 wrote to memory of 2640	2112	7a461d8d06c7859b09524ceb0f3d7e4a.exe	svchost.exe
PID 2640 wrote to memory of 576	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 576	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 576	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 576	2640	svchost.exe	csrss.exe
PID 576 wrote to memory of 592	576	csrss.exe	iexplore.exe
PID 576 wrote to memory of 592	576	csrss.exe	iexplore.exe
PID 576 wrote to memory of 592	576	csrss.exe	iexplore.exe
PID 576 wrote to memory of 592	576	csrss.exe	iexplore.exe
PID 592 wrote to memory of 1988	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 1988	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 1988	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 1988	592	iexplore.exe	IEXPLORE.EXE
PID 2640 wrote to memory of 1624	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 1624	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 1624	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 1624	2640	svchost.exe	csrss.exe
PID 592 wrote to memory of 2384	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2384	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2384	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2384	592	iexplore.exe	IEXPLORE.EXE
PID 2640 wrote to memory of 1084	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 1084	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 1084	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 1084	2640	svchost.exe	csrss.exe
PID 592 wrote to memory of 2776	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2776	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2776	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2776	592	iexplore.exe	IEXPLORE.EXE
PID 2640 wrote to memory of 2696	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 2696	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 2696	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 2696	2640	svchost.exe	csrss.exe
PID 592 wrote to memory of 2468	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2468	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2468	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2468	592	iexplore.exe	IEXPLORE.EXE
PID 2640 wrote to memory of 2012	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 2012	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 2012	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 2012	2640	svchost.exe	csrss.exe
PID 592 wrote to memory of 1820	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 1820	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 1820	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 1820	592	iexplore.exe	IEXPLORE.EXE
PID 2640 wrote to memory of 1444	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 1444	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 1444	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 1444	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 3024	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 3024	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 3024	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 3024	2640	svchost.exe	csrss.exe
PID 592 wrote to memory of 2344	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2344	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2344	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2344	592	iexplore.exe	IEXPLORE.EXE
PID 2640 wrote to memory of 2216	2640	svchost.exe	csrss.exe
PID 2640 wrote to memory of 2216	2640	svchost.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\7a461d8d06c7859b09524ceb0f3d7e4a.exe
"C:\Users\Admin\AppData\Local\Temp\7a461d8d06c7859b09524ceb0f3d7e4a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2944
- C:\Program Files\Orcus\svchost.exe
  "C:\Program Files\Orcus\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=csrss.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:592
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1988
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:209935 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2384
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:472082 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2776
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:275494 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2468
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:865315 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1820
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:1061927 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2344
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:4142113 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2228
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:1455138 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1328
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:1389618 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:928
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:406598 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3012
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:1979450 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2352
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:2045029 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2820
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:1061983 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3672
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1624
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1084
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2696
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2012
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1444
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3024
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2216
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1440
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1096
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2036
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2788
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2816
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2088
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1696
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2096
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2536
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2340
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2244
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1844
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2236
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2088
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3084
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3344
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3584
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3772
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2640 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3312

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\svchost.exe

Filesize
3.0MB

MD5
7a461d8d06c7859b09524ceb0f3d7e4a

SHA1
aa27353c3883ef1ce5728dd0112e79fec7ee2fa6

SHA256
7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee

SHA512
22d4fe1a52d16bc45ed5d8cedb8fd98149bb236f2b23f39b37fcd59652e165198180aa7e4a9e2952229a10d9613747485a6891f94ef9019557af39da676aadea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6a12d31533f005f75e6e8a808b39ba2

SHA1
3116096a4793974da359d71a7bf5b235ea555656

SHA256
d3104a7365a0d279f3b08179e392fdb58e90b981ed250471a8d88c4bfe681a8c

SHA512
e94713c342507835b0fd8eb70adedecb4b9f68c3cbb684eefe8a3ad3f130d93091059f1d180eae488602321cb72d084bee65f74708eb933f18ef7c08033c5f48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
898cfbe335f26d30f463ce6a892013e3

SHA1
645e9c3dc5f6e6049989b354e7af8f54a832a50c

SHA256
20ed517ee54f753ba0ebc817ee2e87eb462154f9c6340bbcb011e98b6c7e0d7d

SHA512
fff7f05368f02c1510efd51bb8a259f53d4e3aff718570e97b6b5008ee0defc5bce8f2a2204c5f57474ecfc6bd986f4202a4896237d49d2e78b8e19e0b60fca5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fa97a868ceb00735b7189d657c26594

SHA1
889736195fb54f49bb944c08a6ade0c152a3985f

SHA256
2833262d6a2e06e383d293c32aebc432be99d3b5b7cd287221d2c1de88db5a72

SHA512
fa96ed8cf1ae80166293ed934b20eb2519b5af4340d042f4364c8a6dbb9e552347c80af377d41b3bd4e338c50c9897c549d372aba146dba9003983e944b2fa84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
201fcb3c778c906437a0b2b2a564f952

SHA1
34e8c181e8737d7c81f12efac63ebf198f86f842

SHA256
493827276fcc7d1be5d94462ac52a9f52bc228d1ae0f9a6760bd8511edddf783

SHA512
c66cf22e4261b9d6d31b65eea91c4bc60247f0f4d11cbf2f78458a09bb9e535b21202a210571168f6133cb98881494842975db6eabde7ab43f4e5e01f92014a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
508b81a83b2117f65232d9761a200a57

SHA1
a5c9114d25d7391591075b2b51484f36c676f13c

SHA256
09f2c096fc33ebff872604efa2708e19bb74f40b50b52d6d496c635f2a7eb827

SHA512
94189da1fae51ee6ce0e0e1a78c8f5d37a6ecf43c3b6d128969b67fcb2a1e428bfc912affaa24391c2f0e7c7d3e7a81647c2ef4b34d3f0aeb3b88fed3cadbf71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
862c84b61bf83e187339bbaa4f2e5da8

SHA1
2d27dd82fd5ba73a61b75a0336cce82227543f8a

SHA256
d9374839a5df2b935a17dd52eb24f11ce5ccd3e1c32e80cfa9d8f76985419d7c

SHA512
efc6d1dafbed2c964a32252a10f8dedcb9781b4ab08d524cec8cde421d3f6e400834bd73b549f6f76f4b57c8bb67948954525c2f92404234093397afa12841af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d46f11dc4b732a4d8b4d96d2c9634e87

SHA1
977c2aad697a328d961d36285f96e00d77abea7c

SHA256
8de71263e56946cffbe54d60e39c546b28618fc36f70a8f873537850fa91d2b7

SHA512
a5db7df91619d558e4b2abdb9df43010ffd6e63a2901a8b6f412314f728fd2a9bd205c66761c5fbb817a7a4dda0c9ddfb91302b6d332c792932a073f9c2ebd4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f351b83645107396ed497178db22363d

SHA1
4e48730dc25e8eb2fcd4da03d3020a755ef69398

SHA256
e3fa4857436a33091ce1492f53e5ef7ce4a2091c559f829c4e33497611064479

SHA512
16f3e03e8fa4f6940b0f0364eabf48b3f9e532d31225782853e4a2999c13a3fdd62281948d1969e6aefcdfab4105eddb947db5ee3e0db3ecca88004e3d004436

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b406e823935f934bafcff52d1301c78

SHA1
98471e5527ac8757b149440f080488dc8532da1f

SHA256
021fbc007b18e118e317c9ab5ca589940a8972b0d8a6d189baf2a749c03636f7

SHA512
cfe0569a4243beb7471ea93535c23cdf39e9fd0909b1bf4c02fa6b2962edf7a375aca74142a2576148f50d7ca563601a1f55405191660ee4c0518fbad9494af3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3ebf26208792ec2b33a34f2401f48d8

SHA1
33f7bcababe9af17897dc34d85e899ddf51d34f3

SHA256
c6b32ab522c4a34d5a46ee7a85bd137831b50673a32e7b405af41b873cc0d175

SHA512
711bae2ec321f38ab43a96e34526f32281eb4a88c8ad809c8f557e044a0d316372575da261032e444446d3d147192a8616582fb757fa2447efc707897da196fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65703fec447d55036fa8b642d59a391a

SHA1
89983ea2cd3f44c722440aabed61a9d40e238dc5

SHA256
28f145197da18239282ea335f9f69feb91d1e04a51db82c04c57f8abd13ea518

SHA512
b610776e938ad238c4252f7f5f2d81f65dda4a3c3a16e9b8c77084e0740c009db09e688a026fb466c046452fdb49b247944137d4b70f78d13fb610c7e09d5c96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f63403adbe3585094d1493888ec16a67

SHA1
e4aa0ab01788077c12512fb9255d7c2124c48001

SHA256
f38c1ef2d442b242a3fe3168bfd3c3d8baa0daf2743c642888ba376e796f197d

SHA512
c76a163c5b6f44e33519c22196db720ea63ceac4008082d72d407258986b567ecd6839266672dcc97a49118676aa9d9453f7ebdef7094ff50257b37fba8dae0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dd946f2846bcd7f85e26d6e8b73a689

SHA1
09298b0ff1fe13c2f330347bfcbfd030797f46c9

SHA256
fb7d846b7f4f265dc8b7222ea576cac10457b24f47fac8c52ddaddda982b601f

SHA512
f88c588c3d4967e0a4b313a5b428dd7c8de138af5bbc882c47d8f0c4c4145c8672ad15d3c4cdb8e7b6d9a4e63913f77fde39192c82a132b1d32b07269bbdefb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
217385d082450211a6517d6407e4c71f

SHA1
c65e6c648da313f6f5e233abea5c16297e6c1f48

SHA256
ac790d795c15d0e56af60fbd25bd47fca7160f3e0ba5c0f6d1fcb075bc37770c

SHA512
7d1069128207e80e174edc2ad78c875d2cdc5436bbd9617b9b770afd49707f903b47be291072c8734afbbbb27dd8dd434c7ba9f0ac0e480d8b5ac7f9b9b735f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
100f85453b7fc955432862612423a840

SHA1
299cbdd535ca78da79ea17cb4cebd02508e5a1f9

SHA256
a37be3fe1e716720c2becbc4e90d2215fe45620edb972cb3e300504a0552994a

SHA512
bebf416b363bde2bfe861f9a3dd735910829d2c8ccb1be39a0f3fc5a7c21d03b63ffc9c9fc07731f5ad5790471853524157e6631f6aacc7a410d639a9e08a3b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbf45b48536a7de804be76bf8e0eaff2

SHA1
3bca88754984c556389b34945419e96d8dc6f0fd

SHA256
2f1757c5196dd9a05014bbc2c54f983ad0b126bf5481f33dae1b7796cd9f3323

SHA512
52425afc853b126f038361c1d46f0f27a0a2fc24b30dcf771e99e7c8e752464e7c8de7291b39d3ceb40346f2e66fbc773a64a2cfdb09fb1dc93443b151c42e70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3479e0413bb28d50235217be8ada0160

SHA1
12a70d797db33aa5150b8c6b586bfd50eddb43ba

SHA256
71ce39ca7d21cec7fe0b4bb59f9ad9b22d4a9b07d6daeff3f1951a16028aa2ee

SHA512
8ea0f1e5a062d3dd74444f6730cde16dca68d6ce1d9ea4dc6a5108501f9f472b9fc29ce1cf04ae48b7955321dd9511da5b6879d4e7fd6f4f1502781061c11ce0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15b2c327717a17f9fe65dc1819453ec9

SHA1
5c767c6d01a03690a094aae67e515b186643662e

SHA256
259fc84674d2b1aba0095389b0fdf51eac8f33af5fbd6e27267340c5ec0faeb6

SHA512
a18c4da464d704394832f69febf7f5f43eb09f3db8b125dc1148d36743279d56f4a8027dbf158f62408dd874d6b8261dddebae76aa7eedbdcaa5f0f154b68bf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f26d6133e924f7f683ce05dc3a8abd7

SHA1
876ec4aeccd5d27663de84a22a538fd9af6c687c

SHA256
2ab5e62819d8e1dc0cf5aa2d22152080c2bc78a9233a1dbb742d960b1e3e4a57

SHA512
805afdf685d9a27752dad3f32f4b7d3923b55b4b9039f32dd381b317b8d515312fc2fecd341611cc3ec7d95f75860a91f973f04b4b1ee08a404dd8e57812b9cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a985a3ec2968311702bd2f326d4e501

SHA1
de4df9ce962b5de78a568f46ea5a7a8d3386dd1b

SHA256
e94d44edbf584fd9c4473d1bfdfbee6a72af452789c058bf8fd4c62c95d8f724

SHA512
8dbd5c2164066ba6bd3baf72cba32f22a7b269f8b3fe87a8244f25d53ff71761de28fce77c474e2e3c7c2ed0d7d7f04052a7c3b80f4f8ac19d8ec6386b7c0348

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8cb13f1efeb2d8d70372a6b00f77e07

SHA1
b13a262f4553b827afb8f8c9426071ffba86d00e

SHA256
5d54e932fcc6cec057654861691d7e2c9401cef0a6a28df3d017e918a4e7c11c

SHA512
b3cd62a149c3ccc8818ef5020b8c2c15190dd0c12952833bf324384ed2ab9749f3c85728704941ab4e6219151139b07c927ad72887e46f65a2a43a981fdec1d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c220cb68ec4c0c8f6812b4ab7c7160a

SHA1
40e6264fe77807252df3a9c273d396d9a94f335f

SHA256
6bde3beec984ae0d4c8f82999a0a523a99a6cfa6c727f2ee3e0d38fda13b91af

SHA512
c7b88797bc1afd6681e9ea3d94a917754a540f11a6b2b02d89d2dacb047af0e987b9a06628711a99f365099fe8b5ea6054c1d651b3454db31549f1062ba8b89a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb6bcf7f06962239d60f12742e8ba76d

SHA1
93c9e928219114c43f70111b4c0bafaa6bbc50c9

SHA256
0976ca3f4a34a01783eb6e37809211b7869aa7cc35688752d200620afdaa5da4

SHA512
fb4a446835722b8067ecf9463bf2c36667cb18b8839de4b6b5ae68905abeb3bac449a0f10e71e3dab410a45537e2c865a9bc666cf24ab92a29040c9cbeab79ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
262ec3c506c4b5169f33e0e85a6235a8

SHA1
9b3b13b20398e4af1e677d224bbad26938b52d66

SHA256
573c4fa97d12e699dad8f0468620ac1cdb7404ea9df931bafeb98a281bad2a14

SHA512
8530ae5310f834e8312204b9f38d8dcd2176bc76bd55081ebcc4875bde1ef6f001ab466d87dc1a203e0fa838e2092e0cc8d412685c99edcc528d5679ad543114

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6973f4eaacd2e2a535d3b458e13aaa48

SHA1
a2081a3dc938feca0c544361a716ab40c4a68d56

SHA256
875a7d9ff70c774530b0731324ca16fe9a05c93ad1290de9c645ea5be42be00e

SHA512
fada68cde02da5c72ebd2179bf9f7cfe22dd587cc686bc856649f6cca19220c6813e4dd96d9b741a9c077bc5cfacc2485492ed93c375049145e67bee804d1e3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f17df5437d449e011d53c9878ec64c06

SHA1
4098bcb26e9a1da20a61cd4812dd8df7267a0028

SHA256
a05d0b91de9ebd7cf30979a8af42177ad2754619b90ab5c24022d8d74bc62e3e

SHA512
871e80f7cb2b1b931cc3d7e7150e2d0f5470367a0d94e10408ce421b8b69d1251785915470f10c8bb34f9cfd7632b8ccd044ea79883d8e1e7ed532b84bfc96e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
061af26efa93a701cd18b88d7dffae66

SHA1
9ef57b140a736bde174ec5b9ef27dab16827e526

SHA256
cdb971b5a54915349adf14eebed16a39ecd07c35c20d4b48d15a2b209ab89ca6

SHA512
b22ba366cf0c19f754397d020e8b08c9277e18cf87d447866ddde6264a446b1f7c61898c1800dc442f755ebfe26ba76b0f9b6400c047c954b24bfc23bbb4aedd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac6057fb22d5279f4d3e8e3aa99ed7d1

SHA1
ae779dd9d44a95ed61582aca6735dc967f07a2d2

SHA256
7e74f930feb8297363a47703874383cd5c12e1248e2f5873becd934c9b549618

SHA512
13bd5d1e32f826d9455b066c0daf8d71bf3038b9a9ddad12649abf8a211905d3fce9b58ec161bae57caa6dd6d9b092f989e76b58452d640d3c76e7bb528aca9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fc0f9861c8eea1c7af5de16b43cd38a

SHA1
22e78183ab9a98c3c2c8a9cdebbcee3068667491

SHA256
56c453e3eb9d7b3b9b2b46913c5cb2634fa6320d8bea133c3a1431a665a75a04

SHA512
9fcac55a6f2033b0e99258c37e990b80d665a00e87205d3e798479ec4b9750c01491efb15d4b8dbfa2d9f7ec9e08d77795e396d3c8f41c10a995f62fe65e8df7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a013281463e25f417ece0b99ea494740

SHA1
3893aa319f4e845ce9edd226141c8f41706a8ad5

SHA256
14b502685e42a33dc3bd94ca6641b64a1b9b6ed8e7ea871875862d29c4c2ea5e

SHA512
f94231b97efee7f00a9d98ae824ec1c22d97d2296472f905282ad613214c86da6c00017f5e52387a6172a5cc761968d21f0b2114828c66f78ed0d293697800e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
376e52498f7f8d90bebb1370b6561ce7

SHA1
aa96995d7c8aaab3f207b75ae2a486f4bc9a72d2

SHA256
be0647e60acad046528d4fed147622136c70818805e8d074733b5d1ce4732469

SHA512
6cac46fdb709fe030eda54dbcc25e2e8fe2adfb4735ef72283cd21b139b28562a4abf9783009eedeb19d92e86b0d049a2a6d3ad03fd619e23ff527c91790e126

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
543361d7f8204f40c190ca85e9d21ff6

SHA1
c8372427e9f24db20d5d138a3d3ca8d5827538a3

SHA256
d6d94ad667cf0c13bce6d48c60c55e3371eabc9c7618db7716b364a7f6577bb2

SHA512
a552b92c277727d710049c6c4187898c3d4a34f0ba0dfb3d333ace837b25346d739ccc16f33da75e6dbaafa92e8b328a9a98d45db5a4a1aab4af8a793cf14ea4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a260d6e12ceb790f15580c15cbe11f71

SHA1
7013cd596a148bdb0766f70ddd02e31c671ee8a7

SHA256
69add755c46e52cd09d2618ac397fe5cc6366750879a1e800c950e7e8dc5ca12

SHA512
f9ed8eea750493e7d6fdf81ba2a164a94c9d310b603d78f52c4c7b9f2665acaa84ad82c8cf837aacbe9a9f4bb048daff7a8a619d7d298b1b6f60aac6b734acd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36caecf9668618d5e61ee9fd2b8d0fa8

SHA1
c290ce88e14cf0c089a6b4f711e681f297420c48

SHA256
c65645f85444ddd82db11fee83c9420ba9cb49077aa592681def55d38edddaa0

SHA512
cc6bbf087dd6de016ae28fa77083f8430dbcee0b9dac51fec8d596818d83aa70b14d4494a70fdebc54393d914a6f1f0bb78ad53a621b64f7b725e03b56bcc213

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8aa6664088af9e98f32e6d84141cdca4

SHA1
86ea5ce3fb36c6769d5134719d739c8b63c2fb17

SHA256
d4d0fc6bd78f427017686c7130681bfdb1cd5bb8633a41e100096ea012d289b5

SHA512
27cd2cef8a7dd324304a4676f0b837924ab3e96640130b4fd7a3cf006f97b2e6b0fe51ae0761115d5535a229bdc38f36651ecb326214137bcdc26405800b6bc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10911d326f55be7f7ee491832c1d09f5

SHA1
e4a5e2f5674732bebd35bed280ba3c6b62b8c232

SHA256
23f077416bb3fcfbfb45777cb207009186e95b6b5901dcd6d64e762f1a7c29e0

SHA512
9883cbbcaf462bdbc9a1cdfbc9db85684502ede6509b8849111249a07b7fe6a6e174a170ea5bf07d4a8ebfd917161d62421500df3dd8ccea9eb5f3e4505fdfe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27158ab5ba648a9c365c0867a9b3a719

SHA1
52633fd8612724f7854e548300f0f4184aea5261

SHA256
effb303023239dd7ef823d68a16d05184074133337c7a166c18e1a2edc238296

SHA512
9efe516947cdaf7bff5687d461e8698761b800c8a61f48b9bf29290bc1200b3ab0e2d46f327308e0177fc50024eb0308d0e900067ccdf696b7cc6698b941c69b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee8e4e29e5d05a4335bcc098712cdf83

SHA1
aa6a53a27be84e2ecb5244a317445f4156a1303a

SHA256
33260e9c97fd3ed03ca0daeef119e0e8bcdecf961088dc0f81e0ab96b97b945f

SHA512
091af5b3daa60bb6086f8603dd7c2a8ab316c5c99352433d016a897ece6e49f8b1a77ea1b36872dd8958b55a2d34bb2136aa2f724b8c9ed3d2bd54479df228dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afc53a44733d5d3efe0deb7f61f9d04d

SHA1
1f5cf052f2c94e96de5daad7649dc42305612962

SHA256
ff5db083fe3103939b05d2309193187e7f3c7edcde040dc21987bbf689eaeac5

SHA512
5a5efd0a2d59085cf8377b0e54bc630c8bcf02f0c69656d0d5a1f857f5e542e972510ca77f81308f77e81f2db15d9e3dd6053c3b1f08fded22bde6054c670ef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\background_gradient_red[1]

Filesize
868B

MD5
337038e78cf3c521402fc7352bdd5ea6

SHA1
017eaf48983c31ae36b5de5de4db36bf953b3136

SHA256
fbc23311fb5eb53c73a7ca6bfc93e8fa3530b07100a128b4905f8fb7cb145b61

SHA512
0928d382338f467d0374cce3ff3c392833fe13ac595943e7c5f2aee4ddb3af3447531916dd5ddc716dd17aef14493754ed4c2a1ab7fe6e13386301e36ee98a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\red_shield_48[1]

Filesize
4KB

MD5
7c588d6bb88d85c7040c6ffef8d753ec

SHA1
7fdd217323d2dcc4a25b024eafd09ae34da3bfef

SHA256
5e2cd0990d6d3b0b2345c75b890493b12763227a8104de59c5142369a826e3e0

SHA512
0a3add1ff681d5190075c59caffde98245592b9a0f85828ab751e59fdf24403a4ef87214366d158e6b8a4c59c5bdaf563535ff5f097f86923620ea19a9b0dc4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\green_shield[1]

Filesize
810B

MD5
c6452b941907e0f0865ca7cf9e59b97d

SHA1
f9a2c03d1be04b53f2301d3d984d73bf27985081

SHA256
1ba122f4b39a33339fa9935bf656bb0b4b45cdded78afb16aafd73717d647439

SHA512
beb58c06c2c1016a7c7c8289d967eb7ffe5840417d9205a37c6d97bd51b153f4a053e661ad4145f23f56ce0aebda101932b8ed64b1cd4178d127c9e2a20a1f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\invalidcert[1]

Filesize
2KB

MD5
8ce0833cca8957bda3ad7e4fe051e1dc

SHA1
e5b9df3b327f52a9ed2d3821851e9fdd05a4b558

SHA256
f18e9671426708c65f999ca0fd11492e699cb13edc84a7d863fa9f83eb2178c3

SHA512
283b4c6b1035b070b98e7676054c8d52608a1c9682dfe138c569adfecf84b6c5b04fe1630eb13041ad43a231f83bf38680198acd8d5a76a47ec77829282a99fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y1738IZL\invalidcert[1]

Filesize
4KB

MD5
a5d6ba8403d720f2085365c16cebebef

SHA1
487dcb1af9d7be778032159f5c0bc0d25a1bf683

SHA256
59e53005e12d5c200ad84aeb73b4745875973877bd7a2f5f80512fe507de02b7

SHA512
6341b8af2f9695bb64bbf86e3b7bfb158471aef0c1b45e8b78f6e4b28d5cb03e7b25f4f0823b503d7e9f386d33a7435e5133117778291a3c543cafa677cdc82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y1738IZL\red_shield[1]

Filesize
810B

MD5
006def2acbd0d2487dffc287b27654d6

SHA1
c95647a113afc5241bdb313f911bf338b9aeffdc

SHA256
4bd9f96d6971c7d37d03d7dea4af922420bb7c6dd46446f05b8e917c33cf9e4e

SHA512
9dabf92ce2846d8d86e20550c749efbc4a1af23c2319e6ce65a00dc8cbc75ac95a2021020cab1536c3617043a8739b0495302d0ba562f48f4d3c25104b059a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab126A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar127D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF8AC769062CA5DA03.TMP

Filesize
16KB

MD5
b0f033ef1e2c698c6c305fb245bfa22c

SHA1
65b738edece616b7ea57f6afbd315faf19a7f2b6

SHA256
7064b03145418ad34e067d6d9815c9e62120875eacdccffb8f11e73852c7533c

SHA512
599e8db3eb1ace5f5e60dbbd08b52cf4d215428fb701df6f1e77354990eb41ad5a9dc58cda6597d0267ec6b512c39599165212974e4da6ced8a4919a71336f75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
b5f7c2d6b024bdee8c617ae2d2438421

SHA1
a0162a5a8abfd04620ecf87f4d3dbaa51e19eaec

SHA256
4e489a7374ecdb88d4b8a3eb12d52532a4c62f4c1c29614eb678028680baa1f2

SHA512
b53f1257365b6fa88179f1db825bf5d5f30d824991d521b7733663319cbb4ec28724d7122e91c04f388ab5af0325ab76f3c9c8b6833e1db2c13666397eccf209

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
9KB

MD5
484af5d2607d4c70ed4e0a350eeeee45

SHA1
1aa920ad742516f41b3722b4524acf38be5dfd57

SHA256
0f7f639c1efbff416a8ad19d6563e0bc719d789cd6aaa9b4ea050f559c8886d8

SHA512
f12f1bbe67194420a577e8123bb75b91c4d117245eed81ef78e65c2de6633bd5d3feea128be3d556d506cbd10ccd9e35c8ccca09a397207518c63cb4e2464faa

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe.config

Filesize
157B

MD5
7efa291047eb1202fde7765adac4b00d

SHA1
22d4846caff5e45c18e50738360579fbbed2aa8d

SHA256
807fb6eeaa7c77bf53831d8a4422a53a5d8ccd90e6bbc17c655c0817460407b6

SHA512
159c95eb1e817ba2d281f39c3939dd963ab62c0cd29bf66ca3beb0aff53f4617d47f48474e58319130ae4146a044a42fc75f63c343330c1b6d2be7034b9fa724

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
785adb93e8dd006421c1ba3e81663d72

SHA1
0ea67d6d82b03c51a22e01de33476c70f70f8fbc

SHA256
cb29a7aba6161d96b66c9a1cdb92e293109ed7c171906fdb52d73c4226a09c74

SHA512
86dbcf36114a99228f5720c3835af24765c8c7f059ad207dfb89f3923552f9485991a41e3874c138a5fd9a1ee3ae722329380660bd92666b8ebbc68ec49baf2c

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
memory/2112-3-0x00000000001B0000-0x00000000001BE000-memory.dmp

Filesize
56KB

Download
memory/2112-5-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2112-4-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2112-29-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2112-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

Filesize
4KB

Download
memory/2112-1-0x0000000000D50000-0x000000000104C000-memory.dmp

Filesize
3.0MB

Download
memory/2112-2-0x00000000003D0000-0x000000000042C000-memory.dmp

Filesize
368KB

Download
memory/2640-31-0x0000000002280000-0x00000000022D8000-memory.dmp

Filesize
352KB

Download
memory/2640-32-0x0000000000310000-0x0000000000328000-memory.dmp

Filesize
96KB

Download
memory/2640-30-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2640-28-0x00000000009F0000-0x0000000000CEC000-memory.dmp

Filesize
3.0MB

Download
memory/2640-33-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/2944-13-0x0000000001310000-0x000000000131C000-memory.dmp

Filesize
48KB

Download
memory/2944-15-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2944-18-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2944-14-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download