orcus | 7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe
Size

3.0MB
MD5

7a461d8d06c7859b09524ceb0f3d7e4a
SHA1

aa27353c3883ef1ce5728dd0112e79fec7ee2fa6
SHA256

7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee
SHA512

22d4fe1a52d16bc45ed5d8cedb8fd98149bb236f2b23f39b37fcd59652e165198180aa7e4a9e2952229a10d9613747485a6891f94ef9019557af39da676aadea
SSDEEP

49152:4i9R1/op1fAZeM9/NtRaO5NYAxC48VYrJAypQxbn32o9JnCmxJWncFfSIH4Duis:4EMtQR9TYW8V0OypSbGo9JCmx

Score

10^/10

orcus discovery persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

45.10.151.182:10134

Mutex

064acb3fed56475eaee5e20cdd2d83c3

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Orcus\svchost.exe
reconnect_delay
10000
registry_keyname
svchost
taskscheduler_taskname
svchost
watchdog_path
AppData\csrss.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2132-1-0x00000000001B0000-0x00000000004AC000-memory.dmp	orcus
C:\Program Files\Orcus\svchost.exe	orcus
behavioral1/memory/2880-29-0x0000000001320000-0x000000000161C000-memory.dmp	orcus

Executes dropped EXE 30 IoCs

Processes:

WindowsInput.exeWindowsInput.exesvchost.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	process
1552	WindowsInput.exe
2904	WindowsInput.exe
2880	svchost.exe
2680	csrss.exe
1644	csrss.exe
2820	csrss.exe
1896	csrss.exe
2784	csrss.exe
2544	csrss.exe
2128	csrss.exe
2876	csrss.exe
1424	csrss.exe
380	csrss.exe
1864	csrss.exe
844	csrss.exe
980	csrss.exe
2180	csrss.exe
2052	csrss.exe
2240	csrss.exe
3052	csrss.exe
1768	csrss.exe
2488	csrss.exe
2464	csrss.exe
580	csrss.exe
3012	csrss.exe
3224	csrss.exe
3480	csrss.exe
3856	csrss.exe
3920	csrss.exe
1884	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Program Files\\Orcus\\svchost.exe\""	svchost.exe

Drops file in System32 directory 3 IoCs

Processes:

7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe

Drops file in Program Files directory 3 IoCs

Processes:

7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe

description	ioc	process
File created	C:\Program Files\Orcus\svchost.exe	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe
File opened for modification	C:\Program Files\Orcus\svchost.exe	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe
File created	C:\Program Files\Orcus\svchost.exe.config	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXEcsrss.execsrss.exeIEXPLORE.EXEcsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exeIEXPLORE.EXEcsrss.exeIEXPLORE.EXEIEXPLORE.EXEcsrss.execsrss.execsrss.exeIEXPLORE.EXEcsrss.exeIEXPLORE.EXEcsrss.execsrss.execsrss.execsrss.exeIEXPLORE.EXEcsrss.execsrss.execsrss.exeIEXPLORE.EXEIEXPLORE.EXEcsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exeIEXPLORE.EXEcsrss.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f036ed6d7535db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000764617855c237aa02ff93a3f23540dd8da70f003f5ca16b64c3b18878e1250b8000000000e800000000200002000000079a797aa3cb707257a2516ce19e5f2b1f2b67b5fd72f02f674d4f5c191acd511900000007d052346e8591d03eb67c38ccfb0c385365b673017ba191075c719e60f03b98860e732b049432f7869be65f39c2e1cfee66c284dd63f9e95790f600708cd168b8b541b03831fa1f8acc78ecf8517b85fa87d33fae4024c97a4062aa70821e78fb8a21c7532e78d628dcd92cb128cb538891d4e27b46ef8ff02bc820c8cd42ff341d114937001d4bd02bb0c4189569872400000007109bdc81097683e5fa46de62b5e12bd3d5bc1b73e869255fb28bcd0013c6c75b6b0241d6bede651df6cbd618b8a60409251a8dc14957146aeba124cc21640df	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A6921161-A168-11EF-8202-7A9F8CACAEA3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000001103e8d064abbf0b0ed52c91a2e2fd8f409fe28dccaab512341dbe623efcacce000000000e80000000020000200000009cd4f506726e46c70c9c02096b183d17ef17c66fc75012b87302b5267f069432200000005ef3bfae6c4086da37ef06979200c7f6bad1cbf96f326a36b400d569dc20d6574000000089fd2324c6f203939e54f715325e1f5615cdbecaae16fa57cf4bd9c74a5cd287db0ac1acf88522fbe8450a76504f977c38bdf6cb0ae67bea2ae75520f428cd9f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437627504"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exeiexplore.exe

pid	process
2880	svchost.exe
2880	svchost.exe
2880	svchost.exe
2880	svchost.exe
2880	svchost.exe
2880	svchost.exe
2880	svchost.exe
2880	svchost.exe
1984	iexplore.exe
1984	iexplore.exe
2880	svchost.exe
2880	svchost.exe
1984	iexplore.exe
1984	iexplore.exe
2880	svchost.exe
2880	svchost.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
2880	svchost.exe
2880	svchost.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
2880	svchost.exe
2880	svchost.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
2880	svchost.exe
2880	svchost.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
2880	svchost.exe
2880	svchost.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
2880	svchost.exe
2880	svchost.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

2880 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 2880 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1984 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2880	svchost.exe

pid	process
1984	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

svchost.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2880	svchost.exe
1984	iexplore.exe
1984	iexplore.exe
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
2356	IEXPLORE.EXE
2356	IEXPLORE.EXE
2356	IEXPLORE.EXE
2356	IEXPLORE.EXE
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE
2516	IEXPLORE.EXE
2516	IEXPLORE.EXE
2516	IEXPLORE.EXE
2516	IEXPLORE.EXE
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2356	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exesvchost.execsrss.exeiexplore.exe

description	pid	process	target process
PID 2132 wrote to memory of 1552	2132	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe	WindowsInput.exe
PID 2132 wrote to memory of 1552	2132	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe	WindowsInput.exe
PID 2132 wrote to memory of 1552	2132	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe	WindowsInput.exe
PID 2132 wrote to memory of 2880	2132	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe	svchost.exe
PID 2132 wrote to memory of 2880	2132	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe	svchost.exe
PID 2132 wrote to memory of 2880	2132	7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe	svchost.exe
PID 2880 wrote to memory of 2680	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2680	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2680	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2680	2880	svchost.exe	csrss.exe
PID 2680 wrote to memory of 1984	2680	csrss.exe	iexplore.exe
PID 2680 wrote to memory of 1984	2680	csrss.exe	iexplore.exe
PID 2680 wrote to memory of 1984	2680	csrss.exe	iexplore.exe
PID 2680 wrote to memory of 1984	2680	csrss.exe	iexplore.exe
PID 1984 wrote to memory of 1704	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 1704	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 1704	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 1704	1984	iexplore.exe	IEXPLORE.EXE
PID 2880 wrote to memory of 1644	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 1644	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 1644	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 1644	2880	svchost.exe	csrss.exe
PID 1984 wrote to memory of 2988	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 2988	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 2988	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 2988	1984	iexplore.exe	IEXPLORE.EXE
PID 2880 wrote to memory of 2820	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2820	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2820	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2820	2880	svchost.exe	csrss.exe
PID 1984 wrote to memory of 2636	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 2636	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 2636	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 2636	1984	iexplore.exe	IEXPLORE.EXE
PID 2880 wrote to memory of 1896	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 1896	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 1896	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 1896	2880	svchost.exe	csrss.exe
PID 1984 wrote to memory of 3048	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 3048	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 3048	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 3048	1984	iexplore.exe	IEXPLORE.EXE
PID 2880 wrote to memory of 2784	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2784	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2784	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2784	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2544	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2544	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2544	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2544	2880	svchost.exe	csrss.exe
PID 1984 wrote to memory of 1488	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 1488	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 1488	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 1488	1984	iexplore.exe	IEXPLORE.EXE
PID 2880 wrote to memory of 2128	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2128	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2128	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2128	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2876	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2876	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2876	2880	svchost.exe	csrss.exe
PID 2880 wrote to memory of 2876	2880	svchost.exe	csrss.exe
PID 1984 wrote to memory of 2956	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 2956	1984	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe
"C:\Users\Admin\AppData\Local\Temp\7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1552
- C:\Program Files\Orcus\svchost.exe
  "C:\Program Files\Orcus\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=csrss.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1704
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:275469 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2988
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:209950 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2636
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:603158 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3048
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:668705 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1488
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:996383 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2956
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:996397 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2356
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:668754 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1548
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:1520693 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2516
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:1520719 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2936
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:1848389 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:876
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:2045015 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:796
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:2503779 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3612
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1644
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1896
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2784
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2544
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2128
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2876
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1424
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:380
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1864
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:844
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:980
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2180
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2052
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2240
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3052
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1768
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2488
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2464
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:580
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3012
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3224
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3480
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3856
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3920
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2880 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1884

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\svchost.exe

Filesize
3.0MB

MD5
7a461d8d06c7859b09524ceb0f3d7e4a

SHA1
aa27353c3883ef1ce5728dd0112e79fec7ee2fa6

SHA256
7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee

SHA512
22d4fe1a52d16bc45ed5d8cedb8fd98149bb236f2b23f39b37fcd59652e165198180aa7e4a9e2952229a10d9613747485a6891f94ef9019557af39da676aadea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5705a2960c0784e7cf91e2f14b032015

SHA1
49681c209e47dc63e1905800a629ea0fc3224505

SHA256
e5825fc649c3c56f471d5fc766344d357096abc898fee934579aaafcec3c7d69

SHA512
1b34a15657cf4e16448a6217e9339de5440a0c40c9753866873d94a992075aa25ac43dfdc107f0c638b991d39488ec864f8de48e2850259fb4101a8659e8c369

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ee54c0ea8d5bde27bb62b949ab18f35

SHA1
21617b8d0e6714b187eddc0488f8609f37631ec2

SHA256
97dfe0c10882a76a11b715c1d8a7bdf1cdd57ac426e3c83fae762a94f3782c7e

SHA512
76e55c51f42099441d2e3df802fa772fd44ecaa13a5db67d26d71c632b0a67bfa90e818ba2eea172316e777c5f766e202cdb0c9829ae58fc6ae6369de1e88499

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84f9c746328ba454ae59d20efb0c7bf0

SHA1
8dd39842b5befc928f2991ab9eedd6841f40c591

SHA256
0ec947e86c22255f21c897b73a111675fb046490194e61123f3293ec290ce44e

SHA512
e4acbe8a08aefce7b743f8142ef34b84709f746c690baff6c25493eb7f128063d4e35f79bedd10e67986957c243d4cd83eb77b2264bf26ef035f3f7955c5971d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21c6b847ab463ad7405fe23757b7922a

SHA1
d8b890b86d70f9a5eb21ad31f9448899407a8c36

SHA256
b3f95a4515bc0f7a6e7d6d40bab5db33c6336840227e29a0630c5fc8a1128a47

SHA512
275234196c11cd62930c8904eeeaf6b2279601bcd768ce93b30396007d466292a7b0ff9eae8710832d27223355e81976b586d06730e36d3df96f31cd44c77a8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f3ea0075e3346956d1c4e441abc4de7

SHA1
fa03fef4b200cf1348d94d8d45410f77c4cc1d49

SHA256
6344117c8c0b67223c2a8cddada8e7ea670ca908d4d3d974b1ae6dd4b73f1482

SHA512
0644aa80c7d9191842ae7cb76af95441e26b4e1edd1122a8f19f60d88e7f91c5ea9df24b1ae4cd8655e5695598868260ead087f72dcb5b946bd34f7a70221ed3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4c46dd607dddeb5ad989c6fec97f663

SHA1
7c4a011e65996c434f5ed245b3bc982a93b1e192

SHA256
ff7ada19ec3514fca84b4108d2d44d54a3b8f4e513b4ecc79f544398c9dc4795

SHA512
7ab7b08efa74b4e78f9e3afd0d284fffb3cc830e645c769cbdf48894bd209edc9466a84018a8799a9e777d4afe23e82ff38d9dfe8009bbe31931c981bc1b19a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1ae83bfa9fa881dbb11400b350514b2

SHA1
5ae0011da01b3b4712e9d488fdaa07b708d2bf55

SHA256
9efa0e92045e2b929334aafa7674fdbe76647708cadc74da395553acfda29906

SHA512
2ffdf507e728bc11545f85d4b7a43aef8bb73eff4cacfd50efe142279116f5c0024b412e4b7c96519f14996c20e006f7a8e2a0acbff943967bccf8ee658f21bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d2abfc890d652a5c23e346ddf6b38d4

SHA1
1e0108e953ab3433c952a0b9b51e4958b8693be4

SHA256
ddc772defd5fecc2cd4c808d4da5f6ab38d3cd2841ac85d89d06f2c6dcf62492

SHA512
bfa499a055e560be3f56f0ef175478a2b7d667f5d6327e2d990ad9d29c7cc1535cd453cac101d6cd01497222f03413b82af6b3567eb0b25ad6d3f2cc11763b39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a418487e4074c84dfb2b40f1ee9ce60

SHA1
40ed5f54006e1c77d380aef3c6003e697b9f3e1d

SHA256
3a9933881e17a2ad9b5b80482bf9494d5ed38b7da5d9cbd41c18572e4ad78678

SHA512
454952d1474d25ef546da74fce5350848401b2c28b4b1e062ff8e37f2c1cef3f8082decd3ad712b8aca7347a19fbf249689fb8c19243401b4d8d3f3cac76c622

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e5bc7dedf215bc8783a324550650c34

SHA1
a00dc93927efddbe8ede0cf98048ad046cbf5618

SHA256
9a6ebd93509e72c65ffadfe788d5a6087182f4fd50a7cec6cfa4b12eb3745cca

SHA512
606faef210d2e1cb364ecd9f046b0e5e142b274b301ca470dcad26007cc35c7f05395ea58d64e28d5980121ce6a89b30a4ef24a02a6fc4f8ed101627d83bb5bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
648fd91546a63618e7e7e07697d3a9a6

SHA1
5c219fa4c7850832c831e85cdeb059fe3308a6ce

SHA256
b1f9aa0e2bb29780c3a9fe0f8cedabd5bde37edbd6ecf18c6e8efd1f562736ab

SHA512
8c1a139f993c9f9b8a3c3b4688f2eafa60101c2d1aebc2e340d2bd86c4579e34c2b7277c4a806e9a016d8d646071c7c4c4492ed5412de95497402e83267f0922

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48222af43f6208c9436506c4b94fe143

SHA1
876e215c2dd070282222629b847c851978322acb

SHA256
79401dd6d81849b6361cd0b0ad61ea50417406927e2f9f48d863efa6935cb15a

SHA512
d45960d3cbf723dbb0040fe750af37ace58a25339f427b71fd6a265b245740f629cc8e5f812159c4d37b8a2772ce5607432975ee2b5e9519615987ab13cf4797

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd73c3e4e1ab2c6fec8bb2d218d096f8

SHA1
026eecc847f8298196ed0b75055b64343be82def

SHA256
3d7c2797cca044892d2be22660a35a78f4248dd56401302682cf00dba6a381dd

SHA512
e78db936ccec71a3e5360280b41f42d234d99bc0c165219769f708d98a8e11ee1b537099ad0dbd933979d6bc3a373d53ad9e113167707193fc33a42deb1744ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d04cd42d9a0892693e7c656f99f4ea9e

SHA1
da82c3eb46518b99588ff18ab94f07cc944db69b

SHA256
b27fe21b01d80520c55778c73f7277f10c85f979388c2c113392622790eadc42

SHA512
1c03dca6052d509edb1acacf4856ce51aa9f887cee153244f00527b7bf925a000c3d5cb7a36c74af9185ab502d8c63a8eb95339f9d5bcd02d916358a6058c2a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cf59daabf6194e99722a5e6be89a718

SHA1
1dfa83ed11007ad5350a0caf2989ee558b2fb4d0

SHA256
f04fbbabdb8bece8bf7b3bbeb706bdc7b2de6324717b572cc0b41f81c8d8ebee

SHA512
b32ced65631058ed4c29c7f50a803bc99e9e39df6d3951e258f6fc3ed87c495632a36b23ab0ae983061ba6b950adb1968d9c605fabb726d2560a33dde9a27504

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d00479afa1f2fc24fd20e45ace1bd69

SHA1
6f1057d8fbf03242ddf27831b1aabcef94b407df

SHA256
c2ef508797b5cdfb70c7a70270cdf2ff4d92b6c5d4f62d225609f1f130602afe

SHA512
ec24d398f3c90a370dabf7a2ebb4986a3a9e482c8f73a82f971458c3864301bc8a3cb9e951bfb0bedd3f8bb4d531ffd363beef399e2a75c4081b5f06601e76c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
494f455ff0c2cedd8e8d396c33c405ef

SHA1
e51e75516643c601d719f190dc05088f6d98831a

SHA256
34cd0dbb03b742299363bac8bc5813d698a0025ed280129eed904df2ac705f77

SHA512
786b32d13ee70ad9ee4e9e661cfff1bf0e8b79a06dab99e89e8b23f937c5b46344c09e7114aa5c7505b184a60685ba805309c999f44e9ef96f3b08cb71a69d78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb39492ba9576b54f4813e73c3d2f893

SHA1
be85354708e6a482283d8e70e5335bfbda43bdd6

SHA256
5bbdae070628f7e4502c6baf1bf1bf072444a62b7fe517e6411ea5c396c3a673

SHA512
8bce4ccae454a5cbd8d064012155f0c9b4ade34ec32ebbfae345ef9a0d2a7cb22cf09292f836c37c68e3e08560f8881658347438a3a056cc86f10564bdfbd38a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d46151ed9ae03e3782e63ca7df581db

SHA1
2c3a2849caddb4b2d37f6817c22bf67f988edb9b

SHA256
43088a7299ad80819949c616f98b72765190ad6e703bc53ed208c66614d52eb6

SHA512
9709da6b93f5ec1b98970f4764323b2d01508dbad37f3cca2e1a1c643c79338cb1e5053e9aaa64f7eb589d667d9a3bb580431a49020679d9a71083441fcbc9fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
620182646254aad3411100ec1a47e57b

SHA1
0b4ea34c2df62a39aa843a1228e0e0f81c5e7208

SHA256
8c6fb7e94d7e2cb2fdaa188ad3545bff5f57bf0985447a4450c1b49f18833e0e

SHA512
e131cdb385000bd1f6a4806478b1286887a5c9cce56a2ba4019d24a8269ac52d3c16cedfc5529ecca1d6807e9f76b57edb3df2147a5d9b083d60a48a8fdf33b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9dd3d134feb1cb5bcdbfec4c8a3708a

SHA1
298ee501772480558a05fee3142fdaf089fad6d9

SHA256
cccbfd71d702547395e4744b6cea07b7a21b6f9308a6b1be3e7ef79aef0f34e3

SHA512
6949488bca649713855a727bd59e37fc6aa26cd58d170744fd9fdc0ebefd6588fbf3d4e073f59beed6266e26ab2b157e6a6fb9bfd25eea20440fc79ba35161dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fa257515eca3c2c892c012ab932ee5e

SHA1
e8d3403049572e1f7565c2158d944b85c0aed6cb

SHA256
b4b38f9f5c849d85d9d420fc7b475363ea3dc1dadf70cd4839b0cbb817774fad

SHA512
94476156666548ff66fc644e3d88b00a02e63b4986a73e33753b96d59f1a8da553ba66c9628542854ce6f0099f471b8721eec7fdaae5c7b70a58022ac3c332df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8fd63888f23ca85795fdedd7f012f657

SHA1
8de787942e637fb0a87ed2aa9d72f7d1bef5cfc5

SHA256
0b822d0a0049691dd8149f924439ddba47331de41b7198df2072ec74e06ff1e9

SHA512
fc0f30df3f6b03dae7ae2484cd52eb8e2af859494810243c70d4eb7f0f96d7e7566b73bf01e70272eaec5decddecd28abbf856074e16c73945ec049103ad44d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
428e031851e360c4d30f0781950d349a

SHA1
7e9588622803bbea040b8da98c343c3ca3e5a8d1

SHA256
b6defb75f828e4ec246ec2495aff5b8090f5127ea70d625d8f2febef3d2a8679

SHA512
d6767b297f26c85b953cff007650ccaba9c8c03b1349801275994e704e883a47bd2bd43593a8d5176cd9e85f70293937d0ac661220e2f48d1bf9dcb32b11bf72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
767ef836f44e2b81ac37847ff4be734b

SHA1
745d601d30c17e02d6fd5d716fef5c2fabd53016

SHA256
20f3820491184f956ceb6d7d824634b2ce3b2971c94fc30fe2639b585fd0b30a

SHA512
9421a4587cd89c4bc8537700ecacce4aed61420d8abf00a6f53db57ead1f5727cc53f88d3783b51d9ad8abf606343db18c15775b316f77dd8e87eabbca903a56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3032959d3f724f69cc94af979fc1d4d0

SHA1
9ec82fedeb32b54366cb46c5e07e9865f7b82ab3

SHA256
cd52130ae7821d4bb90a0e8b8202637771ce9a619eb18aa2ab1a4a8f4f6cdf17

SHA512
ed1c9c5edf47e9607669c64d0dce142f462fd507cd05a973899e36aaa4e8640e657d771eb56c8824b1441356764fa7dd4c67cad3b9d9651993a73cbc47448ed0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c7428f8d853ff8c655a664ff8408f6f

SHA1
b6df134947d4380ce95044ba11b9532e1f2a1a81

SHA256
4e9be2c77e6f38e32012aeefb05256a64b5b09103ce2357f12b4f6e7dda1951d

SHA512
fb8fd528b9a5034aa0c756256f5806cfffc38f590c116fde476b173a1fc35c8f785e61497b4ec3af4090e4db4c8de5bb8f0f76957ad6ab321986273214ed2b92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b3a40bd00695b1cd016f16af1899c63

SHA1
174ff5c3d771007d18919319c35886e9b1e6bbe7

SHA256
8987ed495c17361f2dd98baf7234d2945d372593dd3e53efc3f165f9fff059ec

SHA512
fb86fdba0a28a9f679352c479908b7b86d3a5b89416fad5cdfe737f91ed12d8f30e21ae2a89b5b6c3cc0e9d64454d890fb0d4ed3272db5eeb3b9c358fe060506

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4a0f95d86ae6eaf17e4de3a3e56f0e8

SHA1
f21e9fad19d6b46a29f5104c7532e2191d95124e

SHA256
1c03ae45419a59fb8a251b1d0104d5cf1d1a3be85e1fe47cbf4c6a21fd0bd41d

SHA512
67e4c2e57e52e21757f071e5847faa4926dd92a6600dc46cc3255d9c27a6c62858d3dca56be2360250fd7c27ab04142c13b970a1c77f630103d0498240b5b7e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
180584f6fff61fdc86955f3ad1f3fe6b

SHA1
8eebadd6ca9d96a6e053de4795c34acd4525f81d

SHA256
89fef5c4677288dd50dcd985f529c4a47997306244db2e01cbce8a2791582acb

SHA512
6889a875e019ce24f90e97a3f7270828d0ff2d2cdea508b073c1ae2aa17a85335cf501da0e9078ea9a91ee7cf4a086cfe1d982732462f808ec7f46cb38f90f42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c4e1cba14328f1f0467417328ebd3a3

SHA1
e459fe8ab4eace7b146bb8a96424fa380e8bbef9

SHA256
d1bf04b4f29d461a14ae5264673ffb111a4d72874cf51000f3a8b4082669236d

SHA512
deb00fc3be1f076925ccd44d49bb411aee823bc49ba5ab075c6dbb360a268df3648edb6034974a4b3b7b4b9655779306b1757b4d9b9c6d81f772961bca71a2c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb5691cca8d12d5e2f0244fa87a4fa9f

SHA1
6d2cb7894dfe41ac4cbdf22c3286845d587e93e9

SHA256
c33df7a121d48b55b427771b4c6684dac3faa21d23f0540592af1a6ec1194a91

SHA512
296a39cfa3f1c96428943ff6e3358006c61ab62343a828d4fcab78ebb214b9bd9d59253255fc044febfc3805984c67b43cc95fdca93934fc7cca46a0c788eec5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab47a28395e41947e4aa7dc6f836edc7

SHA1
5dcc0374403f385064a15e28a9bb763fa75f15e7

SHA256
7a56c8d219d69f99a1e61c5b450beadd3baf39a5cf24c0822b4043903e938f66

SHA512
1da88944c16b28c07b4805536464c154d12b99782324efbba55d1c2e480192807292b590590bf70f8f85fc1af43dc8196f639b86f5f520136702614a7cc15080

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87d2d94f3b23d40074637ef511b8ea35

SHA1
75d77bcdd4606aedc00009f8601afb399950f43d

SHA256
70db053e4c64235c45897c2d93693d004ce0e69d3cb93167bfe9031612019c84

SHA512
84afbdee27625b362f77898cdcbf39bfb8e477e4a64577c04a6c5cac915dedf7f93e6d0944b4993cae945807b8882e9b449fccdf1396b295505a0df0c29f21b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23166bebb0b09ffd3b2fb40a98643254

SHA1
f4822f8571d4f2a0719e1218ced84d15bc4da95c

SHA256
061a587c8ba7d42759ba284f2b8b12b9723335b7491a0fb80a8f23ef19788c4b

SHA512
b6f73c7c5630a254cd78a998d1aeb619e2b65e300516fc183eb555e7dccc07b23f32a3db13e7b293ecb54e97f19792528d31d0337abacf995d65ecd58676756f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc5e3fbca149cecf24f6c8acaa67ace0

SHA1
2b70fa7ff9f3aa813230961008572f2b4ec9fd23

SHA256
81b8f7b2901c5a23c39378d1e36630d6c72f26bb169e3331714c0922269c6a9e

SHA512
6d44c514ab09959039645d373aa1d079878f1908019fcbead60ba00bf7f2693b3d046a50578c0c609eacb51e047ac0acddbf09bfc22e7027ce5f0f3faa266427

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6650d681d3f7b734b1033c0856abcb01

SHA1
f9acade84ece874c15a42a83a0974dbd1778c758

SHA256
59733095ef282f4fc5545a9985067826d11dfbf358589fdcb91fa5149d17fe4f

SHA512
332786449880238242fc5975ae4b46aedb9a2ac1fe9ffedbd7b198ff0d6879590ae280f57a08ed405c245329647d4119009917f383673e7be5a372efb22077e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5020a20935f2f5e9495bfa35fca9c1a3

SHA1
ff513223cd03b6ec286495ed92d8439661843ee7

SHA256
8c54368226d77f3c9b07b76e9ce792d891d1959529904645133cbc13037e2c07

SHA512
e5442da2a9545b5309014d2e8b1652864c2fcbe75985c67911baf8681b27cf485025fc4f50d65a9bc49a4854b4965f6276a3ae5d029871a76895a5ab46eec9b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14eb30dc5f55107cedc0c89f73e27e77

SHA1
263ae7a056cc7e3bdd5f6c3058f6987e78708464

SHA256
79769f4781e2c32c4f309429db5bca1a0f1674d8241bd1d59c9155bb91519b81

SHA512
db592d27327b08ceddfb904d27e8812676c5db0a85abb05ed31241c5509616addbd6f2edb257bd792498e5a605c708ae61806bbdfff570d3d6ac176f82356042

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e7539c113d1b3e5ac566c3af65c74d1

SHA1
c265ba86ba01ac356cb7e7698d31123b11b33472

SHA256
6a9c58f417bf705160152e5a96a10e17096b7068cd6c9e80798ecb07620d7aab

SHA512
0661749f2ce86b242ef26e030c114fc1a1b80792381e121517e11d4b92f457e572813eff0b19ef3aaff2027198c0e6ca66faa2370948ff380c77187a2975b93d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52cfc49d0db7621fbec6a165e8f65262

SHA1
8cb906b88608094fb6490ea5ba94cb174aa493c4

SHA256
b8634fd86aaf69601b3ccf178ef5dcbbe7f7013bfbcf4e96d2185d8858c332ae

SHA512
4b749f7a74be520b2733775e9c731f773e422b290ce0e5e766fa7c6292ee34dffbd20d60b4cc828f3b47b64f0a8302243ae6e38f4486928aeaca9fe8da8f2619

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be99c8950404c485cfa135a9711e8fa6

SHA1
3c86f2678e9a90461fad29511cd47f0e1f34e3b7

SHA256
a7387790c054c89dc3f1edefc97d4ef7a0821875cc2f03bd69d2703d5e24c517

SHA512
ff9ab1c8d136582f62d4a97bca00a8d80883bb47bc83f750ee1fc9ea4396ed4fd969e82cf5f3f64feb6ed71d4d8c393fa89981e5385814ea47a82878a468c570

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a2d8c5c4b1aae095756bda437cecc67

SHA1
ff1f5786169b2ec6d0bebd7f231bdaa5e31305e4

SHA256
681372d5d6483a49292ac38d114a2588e3f6b711acccbde0a3d8ab58a92e2200

SHA512
02a7b5a5740c7ed6fbd8f302c7e70759da73319cf51c054c051034ca2daa26be08f57d6f8cd83c1543fcc0ffd2c84aa3ccb0dde3edc72923f00f8fe01bc5a9c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21518749712b8d1c6d33878f6f0046f2

SHA1
4640a4f60b99159298fe850f869e517a8cb96f54

SHA256
086d9ff8b3dc6f0f6dd1e5ebd4063f47d6bddec6aa1fe4aa278f56d93d0139d8

SHA512
2593c03fd6fedf8bbc67d04f31cea6f9c8b8ad2cda796dfce8382f7204ec86c888d1385bac05fc795799e5ec1837528bdf622f73b0ff3b53266956ae3d40bc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\invalidcert[1]

Filesize
2KB

MD5
8ce0833cca8957bda3ad7e4fe051e1dc

SHA1
e5b9df3b327f52a9ed2d3821851e9fdd05a4b558

SHA256
f18e9671426708c65f999ca0fd11492e699cb13edc84a7d863fa9f83eb2178c3

SHA512
283b4c6b1035b070b98e7676054c8d52608a1c9682dfe138c569adfecf84b6c5b04fe1630eb13041ad43a231f83bf38680198acd8d5a76a47ec77829282a99fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\background_gradient_red[1]

Filesize
868B

MD5
337038e78cf3c521402fc7352bdd5ea6

SHA1
017eaf48983c31ae36b5de5de4db36bf953b3136

SHA256
fbc23311fb5eb53c73a7ca6bfc93e8fa3530b07100a128b4905f8fb7cb145b61

SHA512
0928d382338f467d0374cce3ff3c392833fe13ac595943e7c5f2aee4ddb3af3447531916dd5ddc716dd17aef14493754ed4c2a1ab7fe6e13386301e36ee98a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\red_shield_48[1]

Filesize
4KB

MD5
7c588d6bb88d85c7040c6ffef8d753ec

SHA1
7fdd217323d2dcc4a25b024eafd09ae34da3bfef

SHA256
5e2cd0990d6d3b0b2345c75b890493b12763227a8104de59c5142369a826e3e0

SHA512
0a3add1ff681d5190075c59caffde98245592b9a0f85828ab751e59fdf24403a4ef87214366d158e6b8a4c59c5bdaf563535ff5f097f86923620ea19a9b0dc4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\green_shield[1]

Filesize
810B

MD5
c6452b941907e0f0865ca7cf9e59b97d

SHA1
f9a2c03d1be04b53f2301d3d984d73bf27985081

SHA256
1ba122f4b39a33339fa9935bf656bb0b4b45cdded78afb16aafd73717d647439

SHA512
beb58c06c2c1016a7c7c8289d967eb7ffe5840417d9205a37c6d97bd51b153f4a053e661ad4145f23f56ce0aebda101932b8ed64b1cd4178d127c9e2a20a1f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\invalidcert[1]

Filesize
4KB

MD5
a5d6ba8403d720f2085365c16cebebef

SHA1
487dcb1af9d7be778032159f5c0bc0d25a1bf683

SHA256
59e53005e12d5c200ad84aeb73b4745875973877bd7a2f5f80512fe507de02b7

SHA512
6341b8af2f9695bb64bbf86e3b7bfb158471aef0c1b45e8b78f6e4b28d5cb03e7b25f4f0823b503d7e9f386d33a7435e5133117778291a3c543cafa677cdc82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZOGPI1N2\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZOGPI1N2\red_shield[1]

Filesize
810B

MD5
006def2acbd0d2487dffc287b27654d6

SHA1
c95647a113afc5241bdb313f911bf338b9aeffdc

SHA256
4bd9f96d6971c7d37d03d7dea4af922420bb7c6dd46446f05b8e917c33cf9e4e

SHA512
9dabf92ce2846d8d86e20550c749efbc4a1af23c2319e6ce65a00dc8cbc75ac95a2021020cab1536c3617043a8739b0495302d0ba562f48f4d3c25104b059a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF7AA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF7CC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFF64AC3B5B8DBEBFE.TMP

Filesize
16KB

MD5
47e869640982d7606027102e8d3a4dfd

SHA1
846904f2e42d982a5dc4793b0d8aee620d96364e

SHA256
127225393a9ac3d35cc72cc1b0c47ba73274440f85dd97d7b9c560bdf9f6f924

SHA512
7f4c8011eccd83128725b6a446622c8f6f47dc9392888c2bd0facb9d5f328758fd16a042771442b4106ee6bf1b1c777b7e909efb0cd589218d0329946f1e549e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
d7ccda1e2795780e9f1c442678059d31

SHA1
1edf62ca2ce25b45e82aaa142ec35c5cf434d7bd

SHA256
dcdcbed2890d8ea89326955bd911131dbabace28975915d3154d6acd50f6c326

SHA512
9ac8704687bf3a7ead4216dbe28cd91a796d7126d304e0e80fd3b55aba78093ecdea435130600fd6d7f4ff5a41c70fbc099ec685a91423cf0c06b49f14d0d0c7

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
9KB

MD5
484af5d2607d4c70ed4e0a350eeeee45

SHA1
1aa920ad742516f41b3722b4524acf38be5dfd57

SHA256
0f7f639c1efbff416a8ad19d6563e0bc719d789cd6aaa9b4ea050f559c8886d8

SHA512
f12f1bbe67194420a577e8123bb75b91c4d117245eed81ef78e65c2de6633bd5d3feea128be3d556d506cbd10ccd9e35c8ccca09a397207518c63cb4e2464faa

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe.config

Filesize
157B

MD5
7efa291047eb1202fde7765adac4b00d

SHA1
22d4846caff5e45c18e50738360579fbbed2aa8d

SHA256
807fb6eeaa7c77bf53831d8a4422a53a5d8ccd90e6bbc17c655c0817460407b6

SHA512
159c95eb1e817ba2d281f39c3939dd963ab62c0cd29bf66ca3beb0aff53f4617d47f48474e58319130ae4146a044a42fc75f63c343330c1b6d2be7034b9fa724

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
785adb93e8dd006421c1ba3e81663d72

SHA1
0ea67d6d82b03c51a22e01de33476c70f70f8fbc

SHA256
cb29a7aba6161d96b66c9a1cdb92e293109ed7c171906fdb52d73c4226a09c74

SHA512
86dbcf36114a99228f5720c3835af24765c8c7f059ad207dfb89f3923552f9485991a41e3874c138a5fd9a1ee3ae722329380660bd92666b8ebbc68ec49baf2c

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
memory/1552-18-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/1552-13-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/1552-14-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/1552-15-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/2132-5-0x0000000000770000-0x0000000000782000-memory.dmp

Filesize
72KB

Download
memory/2132-30-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/2132-4-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/2132-3-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/2132-2-0x0000000002580000-0x00000000025DC000-memory.dmp

Filesize
368KB

Download
memory/2132-0-0x000007FEF6723000-0x000007FEF6724000-memory.dmp

Filesize
4KB

Download
memory/2132-1-0x00000000001B0000-0x00000000004AC000-memory.dmp

Filesize
3.0MB

Download
memory/2880-29-0x0000000001320000-0x000000000161C000-memory.dmp

Filesize
3.0MB

Download
memory/2880-33-0x0000000000B60000-0x0000000000B78000-memory.dmp

Filesize
96KB

Download
memory/2880-31-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2880-34-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/2880-32-0x0000000000D70000-0x0000000000DC8000-memory.dmp

Filesize
352KB

Download
memory/2904-20-0x00000000009D0000-0x00000000009DC000-memory.dmp

Filesize
48KB

Download