orcus | 64348ec4267b52c1a7f639ccfaf9478b6d5159f796176076650901e5b7c0e1df

Analysis

max time kernel
1798s
max time network
1805s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tumblr-main/svc.exe
Size

3.0MB
MD5

7a461d8d06c7859b09524ceb0f3d7e4a
SHA1

aa27353c3883ef1ce5728dd0112e79fec7ee2fa6
SHA256

7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee
SHA512

22d4fe1a52d16bc45ed5d8cedb8fd98149bb236f2b23f39b37fcd59652e165198180aa7e4a9e2952229a10d9613747485a6891f94ef9019557af39da676aadea
SSDEEP

49152:4i9R1/op1fAZeM9/NtRaO5NYAxC48VYrJAypQxbn32o9JnCmxJWncFfSIH4Duis:4EMtQR9TYW8V0OypSbGo9JCmx

Score

10^/10

orcus discovery persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

45.10.151.182:10134

Mutex

064acb3fed56475eaee5e20cdd2d83c3

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Orcus\svchost.exe
reconnect_delay
10000
registry_keyname
svchost
taskscheduler_taskname
svchost
watchdog_path
AppData\csrss.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2320-1-0x0000000000A40000-0x0000000000D3C000-memory.dmp	orcus
C:\Program Files\Orcus\svchost.exe	orcus
behavioral1/memory/2336-29-0x00000000002A0000-0x000000000059C000-memory.dmp	orcus

Executes dropped EXE 34 IoCs

Processes:

WindowsInput.exeWindowsInput.exesvchost.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	process
1292	WindowsInput.exe
2688	WindowsInput.exe
2336	svchost.exe
2752	csrss.exe
2964	csrss.exe
316	csrss.exe
2856	csrss.exe
2664	csrss.exe
332	csrss.exe
1296	csrss.exe
3032	csrss.exe
1980	csrss.exe
1188	csrss.exe
756	csrss.exe
2408	csrss.exe
2364	csrss.exe
836	csrss.exe
2960	csrss.exe
2484	csrss.exe
836	csrss.exe
1444	csrss.exe
2264	csrss.exe
940	csrss.exe
1668	csrss.exe
3128	csrss.exe
3540	csrss.exe
3892	csrss.exe
3112	csrss.exe
3548	csrss.exe
3192	csrss.exe
3640	csrss.exe
292	csrss.exe
3224	csrss.exe
3220	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Program Files\\Orcus\\svchost.exe\""	svchost.exe

Drops file in System32 directory 3 IoCs

Processes:

svc.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	svc.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	svc.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

Processes:

svc.exe

description	ioc	process
File created	C:\Program Files\Orcus\svchost.exe.config	svc.exe
File created	C:\Program Files\Orcus\svchost.exe	svc.exe
File opened for modification	C:\Program Files\Orcus\svchost.exe	svc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

csrss.execsrss.exeIEXPLORE.EXEIEXPLORE.EXEcsrss.exeIEXPLORE.EXEcsrss.execsrss.execsrss.execsrss.exeIEXPLORE.EXEcsrss.execsrss.execsrss.execsrss.exeIEXPLORE.EXEcsrss.exeIEXPLORE.EXEIEXPLORE.EXEcsrss.exeIEXPLORE.EXEcsrss.execsrss.execsrss.execsrss.exeIEXPLORE.EXEIEXPLORE.EXEcsrss.exeIEXPLORE.EXEcsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exeIEXPLORE.EXEcsrss.exeIEXPLORE.EXEcsrss.execsrss.execsrss.exeIEXPLORE.EXEcsrss.execsrss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50867b33993bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438302567"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6A789C61-A78C-11EF-B895-D686196AC2C0} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000c8b7840e982da618ac9b12434e92b17635f92e01c9906af4513bbe682a22d5ef000000000e800000000200002000000071c2575004c10acb3eae8a67a8ecb8fa8fdd7cff29e47894f1713c457f3153c8200000009ba730bcc165590766f299efb68d6f85edb4403f20f85e2ab8b48fcdf48a23944000000071481436e6bd2ec2e7c913a9cbc5a738973ab715db2ca0e7a69c64917411f864c6c14662eaf04f35576c9902f2a0edd8d8fb3102596761fe66dffd98669fff79	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000369136d55a665a1c8095fdb2a7419ebaa932a2c28dcc494243345a70198754aa000000000e8000000002000020000000688d1a473e318b54c16b31550ecbe6e751c2ef55e2af07ddad4316474e34f5d9900000006497ac086a95bf8e85a627fec894ec10d9692d938941bb8652484d50204c48d95efb89a1b1e8c9d5bf379878a15a293f4bdc2a60e6086a28f704d6aab12dbf25ab3893b0cb705885ca2ff82cee365e89e2f701ba4cbb61932fa242774c73869e6c4175b16b187cf3694f593d24514232977ca65dc5db33ef6329dec667c4f06d07e4002045830295358532260273d46b40000000f0ec03a5852fdb084abf298907612aa904b7f161f8d3bfb7409e3d5acf184d17885caa48a5b569a7fe8b8cb5d47788cd991998364718c0c0a6952a850b233846	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exeiexplore.exe

pid	process
2336	svchost.exe
2336	svchost.exe
2336	svchost.exe
2336	svchost.exe
2336	svchost.exe
2336	svchost.exe
2336	svchost.exe
2336	svchost.exe
2336	svchost.exe
2336	svchost.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2336	svchost.exe
2336	svchost.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2336	svchost.exe
2336	svchost.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2336	svchost.exe
2336	svchost.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2336	svchost.exe
2336	svchost.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2336	svchost.exe
2336	svchost.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2336	svchost.exe
2336	svchost.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2336	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

2336 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 2336 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2312 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2336	svchost.exe

pid	process
2312	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

svchost.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2336	svchost.exe
2312	iexplore.exe
2312	iexplore.exe
1892	IEXPLORE.EXE
1892	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
1912	IEXPLORE.EXE
1912	IEXPLORE.EXE
1912	IEXPLORE.EXE
1912	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
1892	IEXPLORE.EXE
1892	IEXPLORE.EXE
1892	IEXPLORE.EXE
1892	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE
1912	IEXPLORE.EXE
1912	IEXPLORE.EXE
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE
1912	IEXPLORE.EXE
1912	IEXPLORE.EXE
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
1928	IEXPLORE.EXE
1928	IEXPLORE.EXE
1928	IEXPLORE.EXE
1928	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
1556	IEXPLORE.EXE
1556	IEXPLORE.EXE
1556	IEXPLORE.EXE
1556	IEXPLORE.EXE
2436	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svc.exesvchost.execsrss.exeiexplore.exe

description	pid	process	target process
PID 2320 wrote to memory of 1292	2320	svc.exe	WindowsInput.exe
PID 2320 wrote to memory of 1292	2320	svc.exe	WindowsInput.exe
PID 2320 wrote to memory of 1292	2320	svc.exe	WindowsInput.exe
PID 2320 wrote to memory of 2336	2320	svc.exe	svchost.exe
PID 2320 wrote to memory of 2336	2320	svc.exe	svchost.exe
PID 2320 wrote to memory of 2336	2320	svc.exe	svchost.exe
PID 2336 wrote to memory of 2752	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 2752	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 2752	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 2752	2336	svchost.exe	csrss.exe
PID 2752 wrote to memory of 2312	2752	csrss.exe	iexplore.exe
PID 2752 wrote to memory of 2312	2752	csrss.exe	iexplore.exe
PID 2752 wrote to memory of 2312	2752	csrss.exe	iexplore.exe
PID 2752 wrote to memory of 2312	2752	csrss.exe	iexplore.exe
PID 2312 wrote to memory of 1892	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 1892	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 1892	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 1892	2312	iexplore.exe	IEXPLORE.EXE
PID 2336 wrote to memory of 2964	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 2964	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 2964	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 2964	2336	svchost.exe	csrss.exe
PID 2312 wrote to memory of 2916	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 2916	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 2916	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 2916	2312	iexplore.exe	IEXPLORE.EXE
PID 2336 wrote to memory of 316	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 316	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 316	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 316	2336	svchost.exe	csrss.exe
PID 2312 wrote to memory of 1912	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 1912	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 1912	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 1912	2312	iexplore.exe	IEXPLORE.EXE
PID 2336 wrote to memory of 2856	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 2856	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 2856	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 2856	2336	svchost.exe	csrss.exe
PID 2312 wrote to memory of 2616	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 2616	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 2616	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 2616	2312	iexplore.exe	IEXPLORE.EXE
PID 2336 wrote to memory of 2664	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 2664	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 2664	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 2664	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 332	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 332	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 332	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 332	2336	svchost.exe	csrss.exe
PID 2312 wrote to memory of 2072	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 2072	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 2072	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 2072	2312	iexplore.exe	IEXPLORE.EXE
PID 2336 wrote to memory of 1296	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 1296	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 1296	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 1296	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 3032	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 3032	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 3032	2336	svchost.exe	csrss.exe
PID 2336 wrote to memory of 3032	2336	svchost.exe	csrss.exe
PID 2312 wrote to memory of 2420	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 2420	2312	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\tumblr-main\svc.exe
"C:\Users\Admin\AppData\Local\Temp\tumblr-main\svc.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1292
- C:\Program Files\Orcus\svchost.exe
  "C:\Program Files\Orcus\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=csrss.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1892
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:537607 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2916
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:537627 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1912
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:799754 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2616
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:930850 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2072
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:734247 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2420
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:472135 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2436
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:1455139 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1844
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:996410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1928
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:406686 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1556
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:3748931 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1400
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:2896982 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1444
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:996462 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3972
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:1913968 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3120
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2964
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:316
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2856
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2664
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:332
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1296
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3032
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1980
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1188
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:756
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2408
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2364
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:836
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2960
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2484
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:836
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1444
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2264
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:940
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1668
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3128
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3540
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3892
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3112
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3548
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3192
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3640
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:292
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3224
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe" /launchSelfAndExit "C:\Program Files\Orcus\svchost.exe" 2336 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3220

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\svchost.exe

Filesize
3.0MB

MD5
7a461d8d06c7859b09524ceb0f3d7e4a

SHA1
aa27353c3883ef1ce5728dd0112e79fec7ee2fa6

SHA256
7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee

SHA512
22d4fe1a52d16bc45ed5d8cedb8fd98149bb236f2b23f39b37fcd59652e165198180aa7e4a9e2952229a10d9613747485a6891f94ef9019557af39da676aadea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a8ed715386f80cb3406b3278e37ecdd

SHA1
a9004a042a242ab6719896ef93df3f6ddb00fb26

SHA256
a38cbf2c4b80562b18281946c3ee1917e40995be6d3eb31f448296e385d45aa0

SHA512
745cfc06d3696f27912189f42c3af4b90c9605e26028e2a432ef00f124c443ffeb8407667487ef48a258793df53503a0642ec63e7368a40a27e87c91cf0b3a5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a24ead918756f6578a02108563f0dfb

SHA1
1c720a421cdd1fa756129636b52eeae18fd6c7a9

SHA256
91ad6ee1fc7d1bde93eacd890fd976d42e21e5aa2c3d7e8a64b219845b8b6163

SHA512
4de965206ce645311cec8cc44154590425308bf17dcd016dcba54e46d6fcea70ac70e1d0ea539638eb476058a469404572a5eea66d3938cfe7426ff301a7325a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba4eeb8eaf4ea0e854e8c504ab8e39ee

SHA1
c8e009329a324c888b21eb0e828217e11f4aef91

SHA256
29258fd357421a4fe888fa2c5139338a8a11a4441d08eeefa7cf26a0d5085ada

SHA512
4b3612d165df0951b2948feb4a40d28fd1e23380f5c55fe1fae1c13a29c7b2b4b1050b5d64d45bc15cfe5a1d94de3f9a26f2237e43ec25a3c8b4925e3a70ea7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b297610e78483e532b5451ded2ae46fa

SHA1
51be5b487716e53ad090ea9c9b48fb045a0e0d42

SHA256
a6a4bcb7b39ddd17ebe3964642caa1a258bff0bf77f91cd3c6a2380400e7da7f

SHA512
f111864982e51acb339f3e3842a61b249d6462310dd2379fda6670f694412009d300fa92be01bc19a37b30c8e9b9443952adb5133dcdc5c3997663613259efb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3de7aa6e7cd4ea398a15771f0bcaf69

SHA1
fe59f9dcb20ec3b201586f92a883562592314532

SHA256
91018bb6892fad335420ad06f8391e9bd87b16dcc61b7f6152997e5b02d38acd

SHA512
d0ecda61a76a26cf7dcb5166b281ed4a510b88be922a1d13bd506e9d90adffee5a7d6b7b57de9ef31aa9c2a12e8dfcae0362e00afb08424ae13c73dde058a1cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11710a959b811eff7a37d97714022eb9

SHA1
584d2df18aa25bc8958e294af048ce1af98cabdf

SHA256
2613aa7b5ab1edd42084e5b6c716c4cf8efd09e3c5b4c11fff4ca8426060b692

SHA512
3c9b30b7c01383c0984fe8c9e7279f962dea1ad05214d5e50272903f719b8e3bff71d0b542f26d616bfc4085310614a0222234307859959cf8baaa2e8000583c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
646b47190467c91fbd479a7ad6f91b07

SHA1
f32c5367cc02b4ced2ef39d723371dc4e3405ddb

SHA256
e96797f7c2377235ee2b0d7df6bdcef6a4fadd5a095dc6f6f4702526f4520a49

SHA512
d7ca4e45ca3657024a2c83ef6107fdaf16e524bb708ba8df523d15cad2b7e0a8a88da149b5511795da360efc89f833ce97ee6b22aff828558dcb8d553c7cabd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51843ca7d334042a4e15c2a0f71ee8bf

SHA1
078ad27c78fb6edd2aa06ecb87a4be04b2ff6ef8

SHA256
155ae28a3cb4385d12aef2e356ccef7640390eff04bb2ae86686111d241316a3

SHA512
8d8cca1c068bbf75f3c87d71a5aaf5a7942cbb77ea0ce19962f08c3e3b9a57b5c385eb438094ff44c00ab405ed4149763a01926a22893afe3a6fc4866358bced

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81fbbff1a5e45b828888af3e8bcdcc22

SHA1
50af560a8f360a5d7797911b9b372a1b6a800ae6

SHA256
28fed730f572667219ed97e93a91f1a5e1e33f1cc0bba3a0672f352608f60157

SHA512
3b7e9893fc5f12808c1d5373c8a4bf2ef341960938a20096a2fd0b88294a7eeaa1faaa4cd7844454f67199c1f31a95f7d43c3e516cb4617b76a3abc10131eaad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6e4a6754f47dc45b4b9a1ac94d986c4

SHA1
72881f1eed8599f7542dedd5898efa8e8e5be170

SHA256
800b21ed43769129f44105ef2be536fb52f1fb4aa3624692a320ce07d16a51a6

SHA512
3e63027254a2c343990e0ea741ce61e8d92b65baf95c1efbc99d7fe76d2cde5886afa0f8c7fd4422a9c82db8340916396d2acee5dadfe7f1644eee3e677680fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14fcd195b6c6e30ceeba2fb708e125b3

SHA1
b9ea15b381c3aecd92144e91ed993eb76cefbaf1

SHA256
1f1a7a9f022f095e332c3ef80e1c0e772fe200001008aa28ed3badf23cd849b1

SHA512
1e7cfffe50c233440b1c9ac349ef6159a3264a4b37564fb6fa01e0cd40ce9535113cd735c12fca7edc6724cb57985944e2bf79b68cc62435a48dbf86b12f046e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c07442d64011384e10b298ef4195a6d2

SHA1
d3da861a532c0176d7364a10bf4564b7fc0786f3

SHA256
a96b34677cdd08bdf7a0ea52451ebdacd0c6bac62d82de320718d4066c5a4e93

SHA512
badf062bbf1b68bbf1a6fab9b8e637778978e2d702870651e9fb4aa34960616a6c3e8f2161332cdbee230f0d6ad88ee15840d79f224e2ba3053246d8a49ee370

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03f806206c8ee9c46594636bc0f3212e

SHA1
4b562954c6919369025631eef563243d67887f3a

SHA256
6d8d01667157771a01d8e7bf84e00f363c5545541d744581fbfacc085029b423

SHA512
1e9b1bc40a2898bb342715a400cff8afbd490cfb8d02349f614ad9af7cf25bc17dbde68fed8bcee916c462d1053332aeb3165326fbd7751f457731ca1fb243af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72cdf9099769754f70d89c950cd0483e

SHA1
b8ef51f2acf10d191ea8e810ef2b8079795a2d1f

SHA256
cf3b259681e7c7f40d910a64420af074849b33858e9ad5be4563f6d24b510dc2

SHA512
8eefae5f7622e87a16871db030453153abe106860df8cf957b0282329d3fea8f8448d71934abbc59a64e2d56631714806154672cd19c95a6bdad48c4fd615a83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73eb47937f804d9caf05d9c515bcf4ce

SHA1
7103496a8ea247c0dea4a315fd46c972d6e7a7ba

SHA256
c7d4f0bbdd076586f4a9f5a6d2cbed0af61728eaa4feaaaad34431f31f53f00f

SHA512
8aba5ab544190e898d9d1cc8df3ba73e738c232633dd609b4127ed336793f2547e65f7f346ae1e63777c2277986b570667e629395982ce718e725ab2e72bb607

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbcd2c980b442ff36dba2a52ad598e2a

SHA1
63009e6db16e4f5b9f3a9f5dedf83bf8c1c1d557

SHA256
c434a4fbbfe79ea4a53256691445cc7dc00d615e849a726cc8f15f6f9310639f

SHA512
ae432d10185c2b7f158f88285c62300cc4a4bcc4a6ab7186729a311c383660dec10c538a679bd12155ef596aba3af34bfd4d59705e6326650290aedd91140262

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c2cad3f21af9d305aef7ae1449d0d1c

SHA1
d3ec23deb0668dc8ba860879846ef57ebb2ab0f7

SHA256
262ab0e4eccf49e346f0776e9b950812b1d49ed2927632c7d31e6bb5526e0092

SHA512
4742c80530968e86d5dd9682f873bf3393253fdca5cd7304ab319ce02b262c63c5ce58e2235b13e35c494274a5e6c5c4c87f30e6f1ca94d28cb219a38eb16c14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5555d43109c013c5d90e20ba265d893

SHA1
6d6fb775687bbaa5b4b36184294b5925de4d0977

SHA256
3d3aec6f983105666f1d51a34fd46e99e0138e70f3dc4e72cd8037a3607496ff

SHA512
ee129fa4254723c3650413b8f348269c31c84fa017b0a3d5b3617144012d0c17ec413214ed0938857405335f2bcd1913c56bbe25f349d2636af2c73746531697

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5fb1fdaf8e2e4d3d9707231ad7175e7

SHA1
06af5ac25a20b6e4f6436430b39b63758ed03e85

SHA256
0eb83aeda914fe3ddc3e54b4b594b6caf6001ce07ce63c0eeb6dab2c2960cf9b

SHA512
f88621ba508098f9de1d7a4445677e9367c7aa43cbe2e1555239177faffa70c07019ce30731bcb8b191e70f76aeef10bb1664753e10ab1e9e30a549dfa01e927

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f710467fcfca990b8f4acb0213f85b0e

SHA1
e2e9a940c15209c3d8d09c7b66589a2748e3dda0

SHA256
e9f2bdbc7a6ff6d46364843480c113c8336646e357db5eb3a3d2ac7e659a636e

SHA512
ccb45fd92aa02b12a8e7b38c949a656f2dafa680f360f37150d5c18dea2ff9784ad03988bcd87b92c55584bd2989d7896d0249136c609f165dc8e6df32a59cf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f2253be8bb63d8a06820a01cb7a8216

SHA1
0820e5ff8de06716c0a3794a777fd0f9fd23ef95

SHA256
39cbd32163da8435e358ce51ceff8340b6dc7248dac55111a04dc8d64d878382

SHA512
538962bf8b393d1fb9d01b6030a20d795a3d3e3ea3965547fa538b196c61f9ddc7d430219dcf1adc6330591f7a4cbd90913ab9158b20fc888d09b3b0eadcbe7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edd977a85458040adcb5ea937fb9d4c9

SHA1
bd6518b1083e492e40335fcce8c029429ca521f1

SHA256
02afc01e591ca50620d4829e36366c48aeae9ee4bfb7d557f29e40a2a5d83a8b

SHA512
e8d6f2819bfd67158a7a8d0e4ecf33001c6f2d6411f211fa170bfdc33c95f29a60746ea762e1fa26200043cdd5d4b3cd322a657b7cb31095814b2fd6c9d8a2c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
510a69d9f8dd4119facedb3448e0c839

SHA1
325d00a8832f91cf64480b10f4f081f2f571d999

SHA256
fe3c870ece10ca07e858e0c4ba88ad8c9c2512b0d1057444fd1cad8bd3d8366c

SHA512
fa9475fce558a2e6faa67dea67c0968351cfe778a23fd1095da3b5de9bab0441b22c6e8e56106d3fbf69fa0f9ec2978a3a6ee90af1205e2cc743ea519368f829

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f9be04c628fa45b29b477eba278e507

SHA1
b0fd4029f5ec2dbd27940b257457cff439c9d671

SHA256
21071a7b7c42b82fac32f3db60aa82699dbb56b4b41781e807ffc34da31d15af

SHA512
93213d3998a8147f982f3c068f5c7ed06aa5e72e162eed2f33b22fd57ef6008cd39e36c5ba54da69ac34b35429b818a62a85fd06e69cd91833bfba676fa54291

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c43a617934314a2c0270554a03c0b58

SHA1
400e95d6a2f08eb75101a7752c91a52c91c6f6f8

SHA256
e585c644b18f40dfbc2daeacf36de5a5b4926bfc250da396becb98b4d9ea3ebf

SHA512
b3abe0fc8d7cf9e6e6a5de47b16c55e4489e3cb6bc376a4cc7dc0a039fa0383b7d5b82bb5884cc6b500b369e84ec7afef4aeb5426850a1ae6cf48f6b81f43170

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7227a9233d5dc5acf6c9a72c535fd4fc

SHA1
efd628f18302aa7c40b048d51086ccf055be9e02

SHA256
85a6eeba77a2059192c5817d3f1f22fe7340633c3f323e803d6fc0132fd52f83

SHA512
78ec8bb2d6e631ba9e15892adc9f1cf670ca19c37e104f48952fb0ae0743b6ee5219c39e52c5d09b94f367dae060451a5fe0ac1fbfcdf992c6f50c0bf54f69cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ff6036dafcdd5be5c8a568f358517a3

SHA1
a4e53992435aff53ff4662e72aa88e354c8d637a

SHA256
0b6d6fae8ce9e805c38c94b6ced08f01ea0d6b59148d899c86f2e24d0342af2e

SHA512
0b05702dde0312d837282cfde973fdca088f7e44f8971a024e42438b4d38e18f7da22efaa0ed7c05fd0a1601427ee88d7f94e247b846df139ef2d463c7f4808b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad3feeee135c0cfb6ac247b01542a752

SHA1
4b7c3c726ce32a941c43a00a26bc25f5e5685f7a

SHA256
3b3c5bc773e51c337325768ca2e1e5a2bd796d639feef83477d60799e74a8613

SHA512
f77e932e54af613ff51a6547ed411a21a398f5a4fb65f44e1bf6b815a97cea74c25544690784c1ca0d9f68fffb814b7345d4ebf41779f2e39fea6916745f6187

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9995680473e58d70fa0e62816cd679f9

SHA1
a0786aa9d39a5a8146535fc84fc323a79005af28

SHA256
a66b49766cb59135fb2ee5b071e7e3ef65742d6f10642cbbbabdc16e6e249c57

SHA512
3d67fafc350f5b4c7cf7c5a531e69c62ea301e03f22dae35889d6e6b78ef558298e32dfbe13fe81e8fae609a77c1a3d9f53a0b15a933f2d99202b841cba0808a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a59d8e84be669e1f820135b466194620

SHA1
05586e35921569197c41afd092635a9efe692ab7

SHA256
c68b7ea3c8c1a0d485267fc353126927960dd3e2e58ed5f38f17020f3fef7360

SHA512
d033866c055fcb7639c07f4ef972ac10ab1af34f8fb5377e6459d73412bb2305e8da22e9e6e7d5f59a1e0fdb90b9d935b986b0e65beb129c7725d21327b3ebee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13654df42ee943a360db62bcf98737c9

SHA1
f6e6b2e0d5dbfc23ba3be94c1d9bed994b58fe1a

SHA256
6bdc9087f6e3cea0bf032f4d0407a465a61e6ef992be216b8cf6e3641a07fb5c

SHA512
0a719ea92b63d2157772d1579cda5e7dc54340be2455f060fc169d775b1169d1b9d4e1bf465dc63d144d76c5ba3e794daca19124513f124e16c3d8a46d438f41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e7d21198322b3b034ca8a23c178e913

SHA1
84c16eabbf330b342377a1e1f10d90b754dfd20e

SHA256
53fb85c650d2552f756e6c1b7ab052c9d03dd00cc0893e6afcdabf430a72df11

SHA512
1d9b66735cf1e5fca95db0e310db19875998c60e59a56408b1a76dd5ec3799b928247c29e0d073c963ad8dfaddc9720feb9445be9bded0a01ae0ccbca70d678f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75ef0519b5fba35177d594ccd9f246ee

SHA1
092802d011edc892b5f10d75dd220fbbbfae6ca1

SHA256
8a21b7939523c2df8db30937f73e12fcfb98966eccaceff0a4aeabd029133162

SHA512
bc9246c2a5feaca15c07b7ac204a667c41b6e3a828c86a89bbef134a175a682681a00b5ad2aba7cd35da674a90b1b0c4c5cb860f726c46e7aea6dcf72d5af427

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b73e1d95232429ef09cbd71ae766e84

SHA1
49c4dc61d0cd28bb6bd595e95ec9d2b156ab5e36

SHA256
62c83013c58f749d5111fff00ee7d2a3626487d1d0d056d45b8b4f05db1bef93

SHA512
1af3e9812471ed139f9a5074af3168c310a8bdb480bde4a704e0bd524d4b05122ade0d9cb004ed3f065241595c77503f7782249bd5427bb52ed7e9109bf0398c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a84e81f996d412b7e1bf21b3cc144b5e

SHA1
970c9f23a9cce0bf82b44092228dca72f54edd9b

SHA256
b7b40dbc2cfd328bbd21d7e9d3c18a91d86c7e5e8080c03216581e4da6ba2cc1

SHA512
49f294829745a7a7b8aa8945bc0c7fd182bc56f30a0297a4972c5a41218cce1ec401c0e402665d8903c9b0eb02548c690be9a745f257f2c220d112fa08ce76fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d40944fe89eccbed5f613f7486275fa

SHA1
093362f4076e23a496ed756a3c255ca71e2f5521

SHA256
6db6a680a1988bb02c32c871c5cda24961798a2192b575a86bd623e6ab3369e4

SHA512
8804f80087203020d4cee6a883fdd2439f1ab6fca7e407119a77f63a5d2dffc9fb12620a167025e501fa9230383fbd5ac80a4d8678bf4d008ebf89db3f634861

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c594d36515042299980edff9d0c2520

SHA1
c471c0ee6043690d7c1dfc235dee416cf5602d92

SHA256
8a5e4eaa3b9bea8d5cc11b2355c8f10a66554d3272c020f1c1763fefe05366b1

SHA512
effc9aac405773585cbd8341d48e9a10e90555569620f849766dfbf94fd41a72e501fd0db50595e3b5af5d093b1fc3c629b4e6f4019465ee934f159b532d7164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\invalidcert[1]

Filesize
2KB

MD5
8ce0833cca8957bda3ad7e4fe051e1dc

SHA1
e5b9df3b327f52a9ed2d3821851e9fdd05a4b558

SHA256
f18e9671426708c65f999ca0fd11492e699cb13edc84a7d863fa9f83eb2178c3

SHA512
283b4c6b1035b070b98e7676054c8d52608a1c9682dfe138c569adfecf84b6c5b04fe1630eb13041ad43a231f83bf38680198acd8d5a76a47ec77829282a99fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\background_gradient_red[1]

Filesize
868B

MD5
337038e78cf3c521402fc7352bdd5ea6

SHA1
017eaf48983c31ae36b5de5de4db36bf953b3136

SHA256
fbc23311fb5eb53c73a7ca6bfc93e8fa3530b07100a128b4905f8fb7cb145b61

SHA512
0928d382338f467d0374cce3ff3c392833fe13ac595943e7c5f2aee4ddb3af3447531916dd5ddc716dd17aef14493754ed4c2a1ab7fe6e13386301e36ee98a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\red_shield_48[1]

Filesize
4KB

MD5
7c588d6bb88d85c7040c6ffef8d753ec

SHA1
7fdd217323d2dcc4a25b024eafd09ae34da3bfef

SHA256
5e2cd0990d6d3b0b2345c75b890493b12763227a8104de59c5142369a826e3e0

SHA512
0a3add1ff681d5190075c59caffde98245592b9a0f85828ab751e59fdf24403a4ef87214366d158e6b8a4c59c5bdaf563535ff5f097f86923620ea19a9b0dc4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\green_shield[1]

Filesize
810B

MD5
c6452b941907e0f0865ca7cf9e59b97d

SHA1
f9a2c03d1be04b53f2301d3d984d73bf27985081

SHA256
1ba122f4b39a33339fa9935bf656bb0b4b45cdded78afb16aafd73717d647439

SHA512
beb58c06c2c1016a7c7c8289d967eb7ffe5840417d9205a37c6d97bd51b153f4a053e661ad4145f23f56ce0aebda101932b8ed64b1cd4178d127c9e2a20a1f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\invalidcert[1]

Filesize
4KB

MD5
a5d6ba8403d720f2085365c16cebebef

SHA1
487dcb1af9d7be778032159f5c0bc0d25a1bf683

SHA256
59e53005e12d5c200ad84aeb73b4745875973877bd7a2f5f80512fe507de02b7

SHA512
6341b8af2f9695bb64bbf86e3b7bfb158471aef0c1b45e8b78f6e4b28d5cb03e7b25f4f0823b503d7e9f386d33a7435e5133117778291a3c543cafa677cdc82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZOGPI1N2\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZOGPI1N2\red_shield[1]

Filesize
810B

MD5
006def2acbd0d2487dffc287b27654d6

SHA1
c95647a113afc5241bdb313f911bf338b9aeffdc

SHA256
4bd9f96d6971c7d37d03d7dea4af922420bb7c6dd46446f05b8e917c33cf9e4e

SHA512
9dabf92ce2846d8d86e20550c749efbc4a1af23c2319e6ce65a00dc8cbc75ac95a2021020cab1536c3617043a8739b0495302d0ba562f48f4d3c25104b059a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab98E7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar98FA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF5489E17383DBBE55.TMP

Filesize
16KB

MD5
a2a8d31c3bf9a6dc16ee0e45debeafcb

SHA1
64c9972e67264120cc19eef2c1a287eb8fc6b44a

SHA256
acc5d4b75382eefc787b4142d56c5ba7ec506b55d70ae28f15c4592d71d79ebb

SHA512
3bfc0146e29556fef741558bb4a45b95fc7946c910c2443bff5146c78b78bdff7ed4e532cd4fb26842df336d383e871fb2033968e5838614233c69550f95d382

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
754bf48ad81805446c365a59771a4243

SHA1
ff31ac6bc8dfeae06da84d47f662c2920b6bf6b6

SHA256
5e139146d18484c4458959832d5b281c435e0e3df35228d50e6a2b7dd633f681

SHA512
7ae5b4d3ec485407da5ba538b67e559b0b1718c104102e54c04b4514402b39fdd60a4c552b6df282e8d5cdd706133e4b031d1dc4b35c5efd6e4f1132d0120ab6

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
9KB

MD5
484af5d2607d4c70ed4e0a350eeeee45

SHA1
1aa920ad742516f41b3722b4524acf38be5dfd57

SHA256
0f7f639c1efbff416a8ad19d6563e0bc719d789cd6aaa9b4ea050f559c8886d8

SHA512
f12f1bbe67194420a577e8123bb75b91c4d117245eed81ef78e65c2de6633bd5d3feea128be3d556d506cbd10ccd9e35c8ccca09a397207518c63cb4e2464faa

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe.config

Filesize
157B

MD5
7efa291047eb1202fde7765adac4b00d

SHA1
22d4846caff5e45c18e50738360579fbbed2aa8d

SHA256
807fb6eeaa7c77bf53831d8a4422a53a5d8ccd90e6bbc17c655c0817460407b6

SHA512
159c95eb1e817ba2d281f39c3939dd963ab62c0cd29bf66ca3beb0aff53f4617d47f48474e58319130ae4146a044a42fc75f63c343330c1b6d2be7034b9fa724

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
785adb93e8dd006421c1ba3e81663d72

SHA1
0ea67d6d82b03c51a22e01de33476c70f70f8fbc

SHA256
cb29a7aba6161d96b66c9a1cdb92e293109ed7c171906fdb52d73c4226a09c74

SHA512
86dbcf36114a99228f5720c3835af24765c8c7f059ad207dfb89f3923552f9485991a41e3874c138a5fd9a1ee3ae722329380660bd92666b8ebbc68ec49baf2c

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
memory/1292-14-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/1292-15-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/1292-13-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/1292-18-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-4-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/2320-30-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-0-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

Filesize
4KB

Download
memory/2320-1-0x0000000000A40000-0x0000000000D3C000-memory.dmp

Filesize
3.0MB

Download
memory/2320-3-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-2-0x0000000000640000-0x000000000069C000-memory.dmp

Filesize
368KB

Download
memory/2320-5-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/2336-33-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2336-32-0x0000000000900000-0x0000000000918000-memory.dmp

Filesize
96KB

Download
memory/2336-31-0x00000000005A0000-0x00000000005F8000-memory.dmp

Filesize
352KB

Download
memory/2336-29-0x00000000002A0000-0x000000000059C000-memory.dmp

Filesize
3.0MB

Download
memory/2688-20-0x00000000013E0000-0x00000000013EC000-memory.dmp

Filesize
48KB

Download