orcus | 7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe
Size

3.0MB
MD5

7a461d8d06c7859b09524ceb0f3d7e4a
SHA1

aa27353c3883ef1ce5728dd0112e79fec7ee2fa6
SHA256

7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee
SHA512

22d4fe1a52d16bc45ed5d8cedb8fd98149bb236f2b23f39b37fcd59652e165198180aa7e4a9e2952229a10d9613747485a6891f94ef9019557af39da676aadea
SSDEEP

49152:4i9R1/op1fAZeM9/NtRaO5NYAxC48VYrJAypQxbn32o9JnCmxJWncFfSIH4Duis:4EMtQR9TYW8V0OypSbGo9JCmx

Score

10^/10

orcus discovery persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

45.10.151.182:10134

Mutex

064acb3fed56475eaee5e20cdd2d83c3

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Orcus\svchost.exe
reconnect_delay
10000
registry_keyname
svchost
taskscheduler_taskname
svchost
watchdog_path
AppData\csrss.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2348-1-0x00000000009A0000-0x0000000000C9C000-memory.dmp	orcus
C:\Program Files\Orcus\svchost.exe	orcus
behavioral1/memory/2720-28-0x0000000000370000-0x000000000066C000-memory.dmp	orcus

Executes dropped EXE 29 IoCs

Processes:

WindowsInput.exeWindowsInput.exesvchost.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	process
2456	WindowsInput.exe
2188	WindowsInput.exe
2720	svchost.exe
2600	csrss.exe
2940	csrss.exe
2976	csrss.exe
2568	csrss.exe
1072	csrss.exe
3056	csrss.exe
1244	csrss.exe
2756	csrss.exe
3028	csrss.exe
1956	csrss.exe
2984	csrss.exe
1128	csrss.exe
2436	csrss.exe
2740	csrss.exe
2628	csrss.exe
1288	csrss.exe
2672	csrss.exe
1548	csrss.exe
1736	csrss.exe
1048	csrss.exe
2420	csrss.exe
3108	csrss.exe
3436	csrss.exe
3704	csrss.exe
4020	csrss.exe
3456	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Program Files\\Orcus\\svchost.exe\""	svchost.exe

Drops file in System32 directory 3 IoCs

Processes:

7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

Processes:

7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe

description	ioc	process
File created	C:\Program Files\Orcus\svchost.exe	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe
File opened for modification	C:\Program Files\Orcus\svchost.exe	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe
File created	C:\Program Files\Orcus\svchost.exe.config	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

csrss.execsrss.execsrss.execsrss.exeIEXPLORE.EXEcsrss.exeIEXPLORE.EXEIEXPLORE.EXEcsrss.exeIEXPLORE.EXEcsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exeIEXPLORE.EXEcsrss.exeIEXPLORE.EXEIEXPLORE.EXEcsrss.execsrss.execsrss.exeIEXPLORE.EXEcsrss.exeIEXPLORE.EXEcsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exeIEXPLORE.EXEIEXPLORE.EXEcsrss.exeIEXPLORE.EXEcsrss.execsrss.exeIEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2061d96e7435db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A77E2421-A167-11EF-87E3-523A95B0E536} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437627071"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000004c417967a5490dd0b752f2700e131affdd0069cb3dae0776cbcddf696496eeeb000000000e8000000002000020000000dda8707c69e5b3fe1fefac9d1f87c4718750c9cfdb684e643c8098e89df5676d90000000919c056890bd7d56b979f6192f3b8dc7a3864d504861511ddd5b4cd089e5b7d54492b045fa2820c8d700e997c646d6f01abbd6e014c3b392ee54d0d296061215ac3d199c2dae4a9b0d9bbf5ed89ad4918682c92a0693ed1194887ac1b4b9413599c2da42dcf821d4d9e03ff01f934c195c94a39bc3c8b174d958701cb8e9f20e4624bf652c3d286ba6e9f300dc635bd940000000b4a400b49973e5412e5ac3c5ef08cd5360f4bf922b7acb5036299e43b95c843b701266ccf91c840c29cc630ad20efb711a2e9b5f785dbc47a48080c0e2a1ff0f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000f1d43ddce58f7d3ffc8504804157ba14728bfaa4e0fff1f08c4f940e3e4fc915000000000e8000000002000020000000a8a1f46c44b0e6e755386467b54e304e09402737692827d58bf7dffd41a458382000000008a8b0e828bdc31b39f50d1676a255a46d397b7dcfa0953202c1e3b92c9d03f540000000f789ffc489ae330c2019ca897452ec0431591947413324ec29ffcb85848e299b11f9478235b1814206e6b391ddb0870d33feb120d3bbca4e69a6a0f0ccfb037d	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exeiexplore.exe

pid	process
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2584	iexplore.exe
2720	svchost.exe
2720	svchost.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2720	svchost.exe
2720	svchost.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2720	svchost.exe
2720	svchost.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2720	svchost.exe
2720	svchost.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2720	svchost.exe
2720	svchost.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2584	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

2720 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 2720 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2584 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2720	svchost.exe

pid	process
2584	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

svchost.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2720	svchost.exe
2584	iexplore.exe
2584	iexplore.exe
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exesvchost.execsrss.exeiexplore.exe

description	pid	process	target process
PID 2348 wrote to memory of 2456	2348	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe	WindowsInput.exe
PID 2348 wrote to memory of 2456	2348	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe	WindowsInput.exe
PID 2348 wrote to memory of 2456	2348	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe	WindowsInput.exe
PID 2348 wrote to memory of 2720	2348	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe	svchost.exe
PID 2348 wrote to memory of 2720	2348	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe	svchost.exe
PID 2348 wrote to memory of 2720	2348	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe	svchost.exe
PID 2720 wrote to memory of 2600	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 2600	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 2600	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 2600	2720	svchost.exe	csrss.exe
PID 2600 wrote to memory of 2584	2600	csrss.exe	iexplore.exe
PID 2600 wrote to memory of 2584	2600	csrss.exe	iexplore.exe
PID 2600 wrote to memory of 2584	2600	csrss.exe	iexplore.exe
PID 2600 wrote to memory of 2584	2600	csrss.exe	iexplore.exe
PID 2584 wrote to memory of 2120	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 2120	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 2120	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 2120	2584	iexplore.exe	IEXPLORE.EXE
PID 2720 wrote to memory of 2940	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 2940	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 2940	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 2940	2720	svchost.exe	csrss.exe
PID 2584 wrote to memory of 2036	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 2036	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 2036	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 2036	2584	iexplore.exe	IEXPLORE.EXE
PID 2720 wrote to memory of 2976	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 2976	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 2976	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 2976	2720	svchost.exe	csrss.exe
PID 2584 wrote to memory of 2104	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 2104	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 2104	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 2104	2584	iexplore.exe	IEXPLORE.EXE
PID 2720 wrote to memory of 2568	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 2568	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 2568	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 2568	2720	svchost.exe	csrss.exe
PID 2584 wrote to memory of 1596	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 1596	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 1596	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 1596	2584	iexplore.exe	IEXPLORE.EXE
PID 2720 wrote to memory of 1072	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 1072	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 1072	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 1072	2720	svchost.exe	csrss.exe
PID 2584 wrote to memory of 1480	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 1480	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 1480	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 1480	2584	iexplore.exe	IEXPLORE.EXE
PID 2720 wrote to memory of 3056	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 3056	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 3056	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 3056	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 1244	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 1244	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 1244	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 1244	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 2756	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 2756	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 2756	2720	svchost.exe	csrss.exe
PID 2720 wrote to memory of 2756	2720	svchost.exe	csrss.exe
PID 2584 wrote to memory of 1588	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 1588	2584	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe
"C:\Users\Admin\AppData\Local\Temp\7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2456
- C:\Program Files\Orcus\svchost.exe
  "C:\Program Files\Orcus\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=csrss.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2120
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:865283 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2036
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:1061899 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2104
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:1061916 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1596
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:1127441 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1480
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:4142110 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1588
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:4142135 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2116
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:1651759 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2920
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:2569290 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1732
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:4142183 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1452
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:3945561 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2768
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:1127531 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2980
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:3748956 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3924
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2976
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2568
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1072
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3056
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1244
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2756
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3028
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1956
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2984
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1128
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2436
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2740
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2628
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1288
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2672
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1548
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1736
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1048
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2420
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3108
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3436
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3704
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4020
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2720 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3456

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\svchost.exe

Filesize
3.0MB

MD5
7a461d8d06c7859b09524ceb0f3d7e4a

SHA1
aa27353c3883ef1ce5728dd0112e79fec7ee2fa6

SHA256
7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee

SHA512
22d4fe1a52d16bc45ed5d8cedb8fd98149bb236f2b23f39b37fcd59652e165198180aa7e4a9e2952229a10d9613747485a6891f94ef9019557af39da676aadea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7ebf4f65638682c7213184abf103b52

SHA1
626abc37c8591869dda233cb92db50f5774cfbca

SHA256
98fdf5155baeb7fcf1e3af7a20607e13333d987d3575c6506477c5bbf9b7b4d5

SHA512
97b621c31fbaf4e93204fa90a946b7f832c290eebbb36b6f93a14532c05b92e12aaf3eb312eebbb3ca187891c7b0f316ad28f271c456bc4dddd172ac9c99f3c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f94d46229b55ee58ddb8709bf53d6ae1

SHA1
92e210d8ede09fe3b47c4f967c41a375e5b70456

SHA256
cfb6832f0eb86b0f0a879e1af0e78b03999fab93c289f7ba71e36a0d9c67788a

SHA512
99e3ee1275d0630f2aac3ad015b65bd0095c2afefb5c66d6adababf65a70a9ad7bf75b1c708662d71261fad7e218303ded3ec3b392c5b56e7c14af17277075f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bf573945b7cee4b13af467373c80f39

SHA1
18d6ead61ffd19b81cc0fc517f97a6571f9be1a5

SHA256
30e95efe86d33e105556b3c9b5cf27a54ee1084602cfb9ae8ea8bc31e9b963b4

SHA512
6adbc6b959b52a13814d86fbc5451e91a598cceb6aefbf9d9a1697201fc9b2c9f2d0e78ab60c0b3100284a23154b9138b5a04dafdffe3cd24e8ed8a92cb7fadb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
befe4741af0fc2a4ec7334973ae86e64

SHA1
ef4138ea9e0c7cc90619f87b008c2df88dc16724

SHA256
0b20d9cfc2380c35f5009fd8f014cc32db58acf33ccb8fd83bee3e2fe27dc873

SHA512
cfe46af1d5e32f78661c23a38ec4382ad11f9b1a9d106b5920c73a314840d9a6684c03d3252e8c4fb0f676c04950c1b237516fdcae4ea66de95c5c05279f1fa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a67e087a9724e9b5b5778c4404dc371

SHA1
bb1f51d449d3c60b49f4e42d6ab27e11fdd0bba6

SHA256
a1767ad3015a1f26018507d0a56a1560bca4a4f1300ce582d597e7cfc339724d

SHA512
ccd7ff75011598f239e375363cee5770dd87374efb66aa1e70cf79b2226db49f4d2512c8aab04e334b10486507f861b12f94ee9e908c2646bbc65f4f6a588cc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6244e43177b7b942fc9804b5cb330e0d

SHA1
0b61b16ed44253517f0d5c428e1042e549a7c864

SHA256
008a3a27d7181f9545e096633f09b29c02e5e3e8b8ece574778a84a9da66e493

SHA512
51a287daa5328af3505a718e5690ff133d8d5570f8f82d08864e6ca34b07ea190e2820ffaf47f3327e30bb616fb2eef000d1d28f872e5b8eb6e007ce9c6d7837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82035d3d12f8841df367e5a43873fdef

SHA1
dbbb06cada02a09096cfb9b47c60bc4951371fa2

SHA256
f1d62949667179c47fc4375b8af7b71bc6fb06d9b5d05578211d2c16c1002294

SHA512
1efb1c2d8457aa47aed0ce8111a4d534e1a1765d54836dee4eb7aa72b1c99d9ab531241f1030ec83fc6ea7a237691cdfc15b80a624ec8488796daaef7b10992b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3d4441e0d9aece3e920e325478b3745

SHA1
9f4a7f03d06b91e1c28d8aee0cc3a82049449b79

SHA256
0457a0fa24ff15f3bbae86bae01ecbb3a008292141138ac41d2c8f57910f7c46

SHA512
fa05b83df8dbce0cb9feb559b1ca483ab3cf6a9f63c6f25b49d69bc9fb9966e661435e016fc731b657e5c4ed14c51e16f3393367b16cbc855601be169772df9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d09908ef19b3d7ddd83f3a646170e3e

SHA1
38379b88cb463ed39422b6c061281ba5883b093b

SHA256
9a4b91031265798ab224a23d069253f397aac72e7e31e9e92f6eb358acde2913

SHA512
0dcc2e384457d15cd4afc84eef1cd7b1650740820a68d8fbdf6cc6d8cdd393aa027af233e80d556ed48810cb7bcd4fd939e64b15d34b271146e93977652074b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4136cfc2c141910b47dcc9264db6fc68

SHA1
075f5b89fcf88c1fb1ff924b1905938c09a91c2a

SHA256
e99b061dfb6326a7ad91386e41fb150ada254df8fe8b6a6e8e66761fcf2d460a

SHA512
f9c9e1e66a2327dc1cd77a15cb4d4464b2b50c01069d64cbbefc7bb2177783451cc4c65ec23d2d1374758e468ae33849dcd60c351fb15a8203f21bf25f391dd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d504299bde09daefc73325e242fc9a7e

SHA1
20e58fc19a004da6b5f784c89b5f119cc1d9398d

SHA256
cf645700d00d2e7cc7edf922ed4a3b2a3ae2338b16d4e114fc09531f231468d2

SHA512
7c3542c3eabc3006f32b3fad1af08bf803593a977b78fc58de6b82bdf6ded694efc6141b4e77e11e0a416bee9641a451f52f02ce9ef8bee1b53e9b7cdf6f246e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
438bef1202d3e6c447476b430069aecc

SHA1
5f39abd2e8745d4f2cd51c92f2a0bc09f92feb4e

SHA256
5229c8ad94623a701a0003a472b611152a228f5953e9e07d651371e9ed7d3253

SHA512
91f716a14957176d27f17b27114560bbecea6846b2baea2b9573b05e3bac3550f2908af797f2c1b6b69e2290cdd122e0f6e40be31d6ce55235ad06b9a56c73a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9acf6cafe2660780d333344a32888ee

SHA1
b095a4867269bc173583cb87adc1a10da9e0369a

SHA256
a651becec268a61bb21c22e29e042d58a6c5d637c85168f14223b63acf74250f

SHA512
298b9efc73238f0ee73bf2583c673b7ae78bbec1e6f14b5a3bc22d8ef06d8f0c79cab82bf5194312e5952faedca3ab9b5cb302c3f08c7f4d43b54a90d5dba204

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5907f53046fb442c7800b69f42f6bf9

SHA1
a91db266051cb8738e35ce88c28804ee91eea21f

SHA256
7884d31a3022ac1dc924ef0bbc331a674ce61f191b55ca40f6be17408f10b3d6

SHA512
ab06df053dc3e05ac3e9161d3c6dcbf0937397925d71d93b79b4a5ab19cd56056aac6241188c6af12581e894cc589674d3bc7b30f519c1c6e774113a21655322

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
462a523562bbd0ebf43565fe503baeeb

SHA1
66b1556b37486a2691cae6298a6d947badd2f5ec

SHA256
ccc72b668e562ff656fc0e5596cc1a431123fd1b165972501ff766ae2e33d714

SHA512
4647deb406b146d0c3a2d93e900dac4b0208c6ec986ca0174a8cf0c0b0e16e60a4ba22bcf7fcfa7b196e7cd961ce52ccd739375dc14a23e55e326696a7fa637d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7e81661ff5a573a9bea86cf8052dee3

SHA1
172a0a0dda5dfdfa31be1d107b7472818dd8e30b

SHA256
d8c5ab5cdce0354769d9d80956687e8a619e206c74c4294f01101fda6090d07e

SHA512
1e97ce03d85266b1399a14a42a9f33a11c027530f825917c930b4e8049ccf855dbc491dc8bd64b2d00040af298892238ea4b1c05a3f55796dd62c6fac36d1485

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97750c6fcbfc57d31ec91cea2ec94b2b

SHA1
55baf4b10763f72e53c2a6e49f08f03fc1179e9b

SHA256
21174a07a1242f6ccad63ec63dfac661f4c92c8a58a911dd4863ecf084b3c102

SHA512
ad32cef78d2a8dcf25713432d8bf9bafa30c0089243cf33d57b5204e50d658634871c226782aecc24181ab010edbe57f11e41dc9ae031278de9f9a52727b90e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d8fc5793c497cc60ad178227812eaf4

SHA1
475759c10489566aad3e34625a035542c2e227bf

SHA256
d7295321ac8626b1bca011211b7cbc0d6eecf13d1d8f2f46e04d1018bc14d4a1

SHA512
794380aee71c458b8c7812015776c3bb69029107de18fadab52f4e70e6dc4a66e27fbbb680181d085a1054bcc0f4ff61db6a4dbd4cb1c6f23f3cb451f5348ac3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec049c0dafc4837da22857ea4e1ad3a0

SHA1
9855ba1ffa9168ff2858874edfff1c3705435695

SHA256
5909a09fd9d40f1e3ac533f417a85eb94cbaf6fcd0f637ba1a8d5b7eabd5fafa

SHA512
ae1ac1df6020b4a6a746fbed1ef0ba176bc9cc2959a6a87c75bd12c2d5539e4035c0e5848444e22e32f8fe7fc0f57d8c4c895bb1ee8461e018aa6bbd0f312274

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
833e491a30b174b0a3e9fc8acbee4754

SHA1
0f31a785372b0fc651ef88e37737ecdb614e13e7

SHA256
549317d51f45790f35cf4a798731e8b0868cbe75485b7f1096caae88cdbfa47e

SHA512
6c6104f532e06beab8aeb57c693a780ef82862512ec17794191fe580d0c5e2e94d3abfea9230ad08b4d80a8d9f4d2121c2882c33c6d030264ed896bd5b61c748

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
174d64732a404c2a728f8f34d3f89c56

SHA1
3e9ae30770dc181f658cf5e5be42b61904c41895

SHA256
4250abe2622e93b6bc54af08d8687faccedb854026916b55b372a4e4a37beb9e

SHA512
d2b9e1897bc012bcb820c8d8ea5c097063f203d3de6af03eb7092036f64a81fa8e84fe2ca8dba3278e3570e53e4862b6bb7b75c949246cab25077e458fda01e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea6b87bfa6f5df79fa9cb3327d614c28

SHA1
78dd19df1ab67db0c04173d286fed371ee575e8d

SHA256
d5b195e398dd9d02fe781011e80ca2436c9392e6593b244f22ac759628c2ae7e

SHA512
ed2d6f5f7b36dde57b98ca83c9a53212520af59ae0b15c3df981b1e9ab13b1d1b244ce452707f9eff51a57f8e37560a303bed5b5aa472e002b6632dc1bfeeaa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f1588bbfea55219c6116d0a935f0221

SHA1
f23a70f6f28c2411f7a1e05d38633177b77aad16

SHA256
9f2a42ff38f5b3d32566147954047f91f93267bc4933edbfbc47e239d38550ce

SHA512
871757fa77975b099e00ca690e28a69faba313c169421c6d9506cac138765ba7a6b90e08a7af8d4d5ca858bbfa6342ab468870f00ba54c6eaace8f0384ec1312

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1eaa63c2387bb99394e0fd403d98a973

SHA1
e4ebe989c387f648ee5f4a59eef64301d8ce3cc9

SHA256
e8408abb31d4a0a0fbd04916ceaf13b048a6c862c49857dfd7457b2fc2750368

SHA512
2025ba045f66d1d5440e7602c6452b32d89c800e7e91259320efc06f8fa57fcee6673bf52c90112b4a9cf7962231902db8c338918540b6ea9ea2d715e4ccd64b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0021001e370be6b1ee444fc9e78a7ab2

SHA1
b2438ec8b6ac0167d45ffc9f1bd7d1c4323f0925

SHA256
b461d7108d225e5aee61dde2e32e65d50b146b0c6f34e29431db67aa7ae1722e

SHA512
aedb94f3a6b1638410e7b075848c2da798507f9e309dfa8b11c0fcacb160964eb67a3fee8284b10438a1b4e83988c45864108a034fed42a0a4619f5c1c4e1342

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff6c457f80651e1c6f9e346f1b06b453

SHA1
2b6cb3eba8fc73e831fd086dbcbea57fe2c0e2c2

SHA256
b5ee3a02f20eca3d85305922d1864a2fa1935517d382815f3eb9ec62462cb240

SHA512
bac25931c095ec13ac05327e0883ad329e173336c56bc7bfa625948ccba0dd789897b0654ce640aaff87ec1304b01adbdcb5d9eed5dbfd4c1d8dcb9a646c92f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b1b351ce3a9e23e127e8f0e2633b67c

SHA1
bd532ea750cf1fb0332709435a88bc7ff0ad255b

SHA256
5342f6160c825ebb607d3c2f58eed84d9e0f279ea4c8f165612753cc659974d1

SHA512
15b4bbfd70758ece6c3f1bbedd3c4c467d8ce932f412c74089a96f70eea26bbd9689f9b133ed415af98613a31994817301e2575f7e4acd1dff07b020048267b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34e1ab9d467f419d36bce4eeffe62c55

SHA1
309df054c2f4c9b60697d903043fcdb63ea477bb

SHA256
b4b71ea20b3c26b8b55bdadab5abca29fea4f686291cc40ebae722e7aa8f20b5

SHA512
f45671e3402cc05a532b4cf92035f5691043c97d5f2d3871ee6d622a2799c70889814fee2411b3d914b2210a3f6509bc70b3fe44544d6cfde2792c45d04059e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
760fb098aff1506a764d6df668ef6268

SHA1
dc301cb6f1d316ade05f91944687bb3c311b8fe2

SHA256
a08bad69ea217d929dbffbb8e6bbcebc4dc868cb33b51a2bc07dce86b79d795f

SHA512
67cede4a5566c3897913e82bbebb0203509983557658c6e3bf75e7f87f2ce9d4cbfd115e23f39ebe325213f35b8f22c73486962bb7a6c5687a1158d1784994a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7947d5fd8b21f420fbda9de4ce8c10f2

SHA1
8b1c2c4c7b8697d82c5fd68befb11253705ba781

SHA256
a8af6acd9549ce79910133b3ad3d80cecea1606361442afa10d419f2f71ed4ac

SHA512
4480e3ab2340a538bce6e0cb206dc4430f5e894c868a09fd49975941d3326d03814c6a2792352db3eb4eb0e306198b63a924cd30a5b3ef68f671d6e9d59eeeb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad43b78770a87e1c9589a1618466a6af

SHA1
adaac992ebe052ab1fe095666b3f6e766e2e7695

SHA256
7469257f732ceab6dd144af096c5ee6e0ef44968db76ca13b833745216dd39a7

SHA512
4ca8fe9251eee1d432e66304691216eed743439cc089856cb05b601215aee02709fcde21b8e0e44f78ce3d781f5af1e3dd13b097079811cf5c452a4ea4fb2168

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec39c789585694ac8e5a80765b913329

SHA1
0de499ace07904d3c84b0491230d8d64a189d8f7

SHA256
1ca49a2004d04438e57c76a5f93a7e636abef5926916288bee4ee6a99f76be3b

SHA512
fb49bbc55beee31db7f0c7064f308c95b7a9b7f761557828f90981f7647f924531a005a23e991046fa58bcf10aa820b302e033a3a914401fdbc3370b9f8e4775

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8aac2d3eb37dbe26714543dccc6b61e0

SHA1
623ed5181f03bf978d7c7fa1aa496ff3808c1f83

SHA256
2c4915a52d07eff0abbdbd4d662feda97d30007072fe3e4a36268c4fc40eff45

SHA512
1f078aab0f7567067e1881a44e24a66debfe68a726642c64f7d6732586a0a138528d453ad8e352bf99077c2d8e5c9f1b9ded20a11ae727f644914f31b0d148cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
619e572627f0453e29555195c9300f12

SHA1
e26a777274b61e253cfc4822a6f8ccf46960dacb

SHA256
2f2070f9308d9f2176509306d698f858c7dd577e7a6c44c741177b584160810a

SHA512
312d16d3b3f9567fd57c832cb27122c50bff820a8731d93fe4dfe736347e824858703886ca8ee4b7bee5c3d1d4d653ee4613f609f8828e666f0e78fd416f20e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cfe1ced0e8a1bf9ec184ec230266cd1

SHA1
47fe2441df5b2cc84b62a7ff7175fc5385944313

SHA256
446cd0a8ad69947d09c95fb9a42632b1ea02799dc32b24fd2a9a56fee7075854

SHA512
cd714a31d1ed93188b30db4766dfbfb2cddbcf615da86394c8f3c4713bf915777290cd12b1a8f7a0e917db796b528529b9aa11bd25ea99989f9752452d70d13c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ff41f16dd17ff7302f9f172f7621737

SHA1
1f5c938fa5ec9526c22a6aad423f4a5dbeceed7d

SHA256
dcb9d859f2dec5576f34751512a9100f09922432110aefdce6fdad178ee45f31

SHA512
838ab4ea30d78cb95caf540764cf6a12331272b9d49135c1825689bf703cd626bccfec741cceff939b5e60c591d6a802f752eca8168654b99bde40a4553b4efd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94255ad4413bbe4ad5f33386d59d86ee

SHA1
bb1232f4e1fe7f54f5fd45fb96322df7b8e3fd50

SHA256
d8fd1f5d6d7cd0a8c57af80a04f8d26f4ca6d279c9408015a00a650ff2028c62

SHA512
056ec5c979ce82005ad95cca87aa1eea96cf7e4eea41985411cefe46bc708c0c8658ffb67c81598ddb32ba42556d3b7ded2652cb7057a943332bd48c1b17066c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1371653c552613cc4a0a3731e4ce79d8

SHA1
04b99f72a77aad1a8d09be3785dce262e8994d8f

SHA256
5e294d400a3f1be0e1198fae5cc97b23dcdba2883174fa5b45ccf9862933f148

SHA512
e9e48ecd359dc5ff2ba7c1ad6ed73ec1c2bb12d7436337f2d433d59d00a78883c019964cb156602e4f5eac0a4755d51534d935f80f7f2cf6c857a5b87020332b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\background_gradient_red[1]

Filesize
868B

MD5
337038e78cf3c521402fc7352bdd5ea6

SHA1
017eaf48983c31ae36b5de5de4db36bf953b3136

SHA256
fbc23311fb5eb53c73a7ca6bfc93e8fa3530b07100a128b4905f8fb7cb145b61

SHA512
0928d382338f467d0374cce3ff3c392833fe13ac595943e7c5f2aee4ddb3af3447531916dd5ddc716dd17aef14493754ed4c2a1ab7fe6e13386301e36ee98a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\red_shield_48[1]

Filesize
4KB

MD5
7c588d6bb88d85c7040c6ffef8d753ec

SHA1
7fdd217323d2dcc4a25b024eafd09ae34da3bfef

SHA256
5e2cd0990d6d3b0b2345c75b890493b12763227a8104de59c5142369a826e3e0

SHA512
0a3add1ff681d5190075c59caffde98245592b9a0f85828ab751e59fdf24403a4ef87214366d158e6b8a4c59c5bdaf563535ff5f097f86923620ea19a9b0dc4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F91VN88R\invalidcert[1]

Filesize
4KB

MD5
a5d6ba8403d720f2085365c16cebebef

SHA1
487dcb1af9d7be778032159f5c0bc0d25a1bf683

SHA256
59e53005e12d5c200ad84aeb73b4745875973877bd7a2f5f80512fe507de02b7

SHA512
6341b8af2f9695bb64bbf86e3b7bfb158471aef0c1b45e8b78f6e4b28d5cb03e7b25f4f0823b503d7e9f386d33a7435e5133117778291a3c543cafa677cdc82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F91VN88R\red_shield[1]

Filesize
810B

MD5
006def2acbd0d2487dffc287b27654d6

SHA1
c95647a113afc5241bdb313f911bf338b9aeffdc

SHA256
4bd9f96d6971c7d37d03d7dea4af922420bb7c6dd46446f05b8e917c33cf9e4e

SHA512
9dabf92ce2846d8d86e20550c749efbc4a1af23c2319e6ce65a00dc8cbc75ac95a2021020cab1536c3617043a8739b0495302d0ba562f48f4d3c25104b059a04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIYAG1MM\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIYAG1MM\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIYAG1MM\invalidcert[1]

Filesize
2KB

MD5
8ce0833cca8957bda3ad7e4fe051e1dc

SHA1
e5b9df3b327f52a9ed2d3821851e9fdd05a4b558

SHA256
f18e9671426708c65f999ca0fd11492e699cb13edc84a7d863fa9f83eb2178c3

SHA512
283b4c6b1035b070b98e7676054c8d52608a1c9682dfe138c569adfecf84b6c5b04fe1630eb13041ad43a231f83bf38680198acd8d5a76a47ec77829282a99fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\green_shield[1]

Filesize
810B

MD5
c6452b941907e0f0865ca7cf9e59b97d

SHA1
f9a2c03d1be04b53f2301d3d984d73bf27985081

SHA256
1ba122f4b39a33339fa9935bf656bb0b4b45cdded78afb16aafd73717d647439

SHA512
beb58c06c2c1016a7c7c8289d967eb7ffe5840417d9205a37c6d97bd51b153f4a053e661ad4145f23f56ce0aebda101932b8ed64b1cd4178d127c9e2a20a1f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEDEA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEE0C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFF1288564A2D91488.TMP

Filesize
16KB

MD5
b7c18faf1345e48659e6647657c22405

SHA1
1e93ca5f4d56df4d922f785bd669b27f6b27d786

SHA256
a90c49dc2978c939907f6a5f37204214d4539b31384401a80a35190624ad84ef

SHA512
f0ac7de41efd92d881fa48bc11958d05739acb8dbf9afe8f71f72ba5e8fb2c1273060e50a67336373f9402e604edfec0f30eda6bd4b4957254f4dbafb66e5c64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
dbc6c128bf753c588f6b0ce8fa728baf

SHA1
631377723344b7b07660942216d27c510bed826b

SHA256
a4cec21278f25c819dab15d62883b01edcd4d0481323b4889e12261d308a218b

SHA512
b2a07a5cd511b9f7ea31ca085ef05470d44282974c04379921342ffec75fa5b3155cd29d2c28cc7d412d0cf9e941ab193ab5e9ebaf2b926986b190b3e83fa9ad

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
9KB

MD5
484af5d2607d4c70ed4e0a350eeeee45

SHA1
1aa920ad742516f41b3722b4524acf38be5dfd57

SHA256
0f7f639c1efbff416a8ad19d6563e0bc719d789cd6aaa9b4ea050f559c8886d8

SHA512
f12f1bbe67194420a577e8123bb75b91c4d117245eed81ef78e65c2de6633bd5d3feea128be3d556d506cbd10ccd9e35c8ccca09a397207518c63cb4e2464faa

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe.config

Filesize
157B

MD5
7efa291047eb1202fde7765adac4b00d

SHA1
22d4846caff5e45c18e50738360579fbbed2aa8d

SHA256
807fb6eeaa7c77bf53831d8a4422a53a5d8ccd90e6bbc17c655c0817460407b6

SHA512
159c95eb1e817ba2d281f39c3939dd963ab62c0cd29bf66ca3beb0aff53f4617d47f48474e58319130ae4146a044a42fc75f63c343330c1b6d2be7034b9fa724

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
785adb93e8dd006421c1ba3e81663d72

SHA1
0ea67d6d82b03c51a22e01de33476c70f70f8fbc

SHA256
cb29a7aba6161d96b66c9a1cdb92e293109ed7c171906fdb52d73c4226a09c74

SHA512
86dbcf36114a99228f5720c3835af24765c8c7f059ad207dfb89f3923552f9485991a41e3874c138a5fd9a1ee3ae722329380660bd92666b8ebbc68ec49baf2c

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
memory/2348-5-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download
memory/2348-1-0x00000000009A0000-0x0000000000C9C000-memory.dmp

Filesize
3.0MB

Download
memory/2348-3-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/2348-29-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-2-0x0000000002230000-0x000000000228C000-memory.dmp

Filesize
368KB

Download
memory/2348-4-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/2456-13-0x00000000012E0000-0x00000000012EC000-memory.dmp

Filesize
48KB

Download
memory/2456-14-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-15-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-18-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2720-32-0x0000000000B30000-0x0000000000B40000-memory.dmp

Filesize
64KB

Download
memory/2720-31-0x000000001A870000-0x000000001A888000-memory.dmp

Filesize
96KB

Download
memory/2720-30-0x000000001B280000-0x000000001B2D8000-memory.dmp

Filesize
352KB

Download
memory/2720-28-0x0000000000370000-0x000000000066C000-memory.dmp

Filesize
3.0MB

Download