orcus | hxxps://pixeldrain[.]com/u/eaViHcxn

Analysis

max time kernel
595s
max time network
427s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2025 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pixeldrain.com/u/eaViHcxn

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

dandev.us.to:1015

Mutex

33346576134e432b900bfc3fb9baec32

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%temp%\Updater.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\Watchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023d40-78.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023d40-78.dat	orcus
behavioral1/memory/5072-338-0x00000000004F0000-0x0000000000608000-memory.dmp	orcus

Downloads MZ/PE file 1 IoCs

flow	pid	Process
7	3864	msedge.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Watchdog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	RamBoost.exe

Executes dropped EXE 11 IoCs

pid	Process
2712	RamBoost.exe
3744	RamBoost.exe
4340	RamBoost.exe
1800	WindowsInput.exe
4600	WindowsInput.exe
5072	Updater.exe
4620	Updater.exe
4964	Watchdog.exe
3872	Watchdog.exe
4424	WindowsInput.exe
2680	Updater.exe

Loads dropped DLL 1 IoCs

pid	Process
5072	Updater.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RamBoost.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RamBoost.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RamBoost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	RamBoost.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	RamBoost.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsInput.exe.log	WindowsInput.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	RamBoost.exe
File opened for modification	C:\Windows\assembly	RamBoost.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RamBoost.exe
File opened for modification	C:\Windows\assembly	RamBoost.exe
File created	C:\Windows\assembly\Desktop.ini	RamBoost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Watchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Watchdog.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2144	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Updater.exe\:SmartScreen:$DATA	RamBoost.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 60555.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2764	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2144	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3864	msedge.exe
3864	msedge.exe
1804	msedge.exe
1804	msedge.exe
4108	identity_helper.exe
4108	identity_helper.exe
3144	msedge.exe
3144	msedge.exe
3872	Watchdog.exe
3872	Watchdog.exe
5072	Updater.exe
5072	Updater.exe
5072	Updater.exe
3872	Watchdog.exe
5072	Updater.exe
3872	Watchdog.exe
5072	Updater.exe
3872	Watchdog.exe
5072	Updater.exe
3872	Watchdog.exe
3872	Watchdog.exe
5072	Updater.exe
5072	Updater.exe
3872	Watchdog.exe
5072	Updater.exe
3872	Watchdog.exe
5072	Updater.exe
3872	Watchdog.exe
5072	Updater.exe
3872	Watchdog.exe
5072	Updater.exe
3872	Watchdog.exe
3872	Watchdog.exe
5072	Updater.exe
5072	Updater.exe
3872	Watchdog.exe
5072	Updater.exe
3872	Watchdog.exe
3872	Watchdog.exe
5072	Updater.exe
5072	Updater.exe
3872	Watchdog.exe
3872	Watchdog.exe
5072	Updater.exe
5072	Updater.exe
3872	Watchdog.exe
5072	Updater.exe
3872	Watchdog.exe
3872	Watchdog.exe
5072	Updater.exe
5072	Updater.exe
3872	Watchdog.exe
5072	Updater.exe
3872	Watchdog.exe
3872	Watchdog.exe
5072	Updater.exe
3872	Watchdog.exe
5072	Updater.exe
5072	Updater.exe
3872	Watchdog.exe
5072	Updater.exe
3872	Watchdog.exe
3872	Watchdog.exe
5072	Updater.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5072	Updater.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5072	Updater.exe
Token: SeDebugPrivilege	4964	Watchdog.exe
Token: SeDebugPrivilege	3872	Watchdog.exe
Token: 33	4156	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4156	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2788	csc.exe
1156	csc.exe
4680	csc.exe
5072	Updater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2472	1804	msedge.exe	84
PID 1804 wrote to memory of 2472	1804	msedge.exe	84
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 8	1804	msedge.exe	86
PID 1804 wrote to memory of 3864	1804	msedge.exe	87
PID 1804 wrote to memory of 3864	1804	msedge.exe	87
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88
PID 1804 wrote to memory of 3616	1804	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://pixeldrain.com/u/eaViHcxn
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb8af46f8,0x7ffbb8af4708,0x7ffbb8af4718
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,1438078563674576770,14967992870223668055,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,1438078563674576770,14967992870223668055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,1438078563674576770,14967992870223668055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1438078563674576770,14967992870223668055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1438078563674576770,14967992870223668055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1438078563674576770,14967992870223668055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1438078563674576770,14967992870223668055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1438078563674576770,14967992870223668055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1438078563674576770,14967992870223668055,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1438078563674576770,14967992870223668055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1438078563674576770,14967992870223668055,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,1438078563674576770,14967992870223668055,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1438078563674576770,14967992870223668055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,1438078563674576770,14967992870223668055,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6208 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,1438078563674576770,14967992870223668055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3144
- C:\Users\Admin\Downloads\RamBoost.exe
  "C:\Users\Admin\Downloads\RamBoost.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  PID:2712
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xquclq7i.cmdline"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4680
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D0B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1D0A.tmp"
      4⤵
      PID:2024
- C:\Users\Admin\Downloads\RamBoost.exe
  "C:\Users\Admin\Downloads\RamBoost.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  PID:4340
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\de57h9bt.cmdline"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1156
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D0A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1D09.tmp"
      4⤵
      PID:4956
- C:\Users\Admin\Downloads\RamBoost.exe
  "C:\Users\Admin\Downloads\RamBoost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - NTFS ADS
  PID:3744
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xpzmge3o.cmdline"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2788
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D19.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1D18.tmp"
      4⤵
      PID:1800
- - C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe" --install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1800
- - C:\Users\Admin\AppData\Local\Temp\Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\Updater.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5072
  - - C:\Users\Admin\AppData\Roaming\Watchdog.exe
      "C:\Users\Admin\AppData\Roaming\Watchdog.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Local\Temp\Updater.exe" 5072 /protectFile
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4964
    - - C:\Users\Admin\AppData\Roaming\Watchdog.exe
        
        "C:\Users\Admin\AppData\Roaming\Watchdog.exe" /watchProcess "C:\Users\Admin\AppData\Local\Temp\Updater.exe" 5072 "/protectFile"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3872
  - - C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --uninstall
      4⤵
      Executes dropped EXE
      PID:4424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{330939ab-40cd-4fcc-b83f-5e63fcdf5f47}.bat" "
      4⤵
      PID:3744
    - - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2144
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        5⤵
        
        PID:2980
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\Updater.exe""
        5⤵
        
        PID:5004
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        5⤵
        
        PID:1468
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{330939ab-40cd-4fcc-b83f-5e63fcdf5f47}.bat"
        5⤵
        
        PID:4404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:500

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4600

C:\Users\Admin\AppData\Local\Temp\Updater.exe
C:\Users\Admin\AppData\Local\Temp\Updater.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lmao.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2764

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x52c 0x38c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Users\Admin\AppData\Local\Temp\Updater.exe
C:\Users\Admin\AppData\Local\Temp\Updater.exe
1⤵
- Executes dropped EXE
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\RamBoost.exe.log

Filesize
706B

MD5
36462beaa9367f9d8fa312dc91007da9

SHA1
f1d192892e71d12f7d7abfba4a4539e009c50d3d

SHA256
4d28aaf66460bdf3d14da4ec568c8d1fb1fb8ab3df381d40493b10067fa7d008

SHA512
92271cfe98692108107695387f8f28007676fbc23930b16f8149e73fbf903c1227df75588f7c226d23a7398822e909b4f17218d191764d2d951acf1927f59bbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Updater.exe.log

Filesize
1KB

MD5
9be3069b2cf9222dde6c28dd9180a35a

SHA1
14b76614ed5c94c513b10ada5bd642e888fc1231

SHA256
5e4c38466764be178ea21ba3149d0580d25d035b57e081b3abb9c06a19cfd67a

SHA512
043256f38c20d8765ddf2f1d5912249bfbb017c0b630d24d9e4894f4a759dec66bf0ffaf878ac69e9dfd6db7ec5e090dd69de2333d83299ef43888c394398885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsInput.exe.log

Filesize
2KB

MD5
78ffbfd38b4ab75e03596bbb2d321e25

SHA1
1b99ba3cfa6389b8483b36b28836aca4773845e4

SHA256
6a6a889f671eea1112a70756ae849bc1c32357ac2818bfa79db84bbbb9813a5d

SHA512
e18ff531f792282d0efa0d4264daa36e2d0112ac6d06eabfeb98ffd78570583a602defe3e71332d8801294dc90a2af9a8cdc1e1d0b9c5d0264c584d775cf0243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Watchdog.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fe6fb7ffeb0894d21284b11538e93bb4

SHA1
80c71bf18f3798129931b1781115bbef677f58f0

SHA256
e36c911b7dbea599da8ed437b46e86270ce5e0ac34af28ac343e22ecff991189

SHA512
3a8bd7b31352edd02202a7a8225973c10e3d10f924712bb3fffab3d8eea2d3d132f137518b5b5ad7ea1c03af20a7ab3ff96bd99ec460a16839330a5d2797753b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1bed6483de34dd709e03fd3af839a76b

SHA1
3724a38c9e51fcce7955a59955d16bf68c083b92

SHA256
37a42554c291f46995b2487d08d80d94cefe6c7fb3cb4ae9c7c5e515d6b5e596

SHA512
264f6687ea8a8726b0000de1511b7b764b3d5a6f64946bb83a58effda42839e593de43865dafeeb89f5b78cc00d16f3979b417357fa2799ca0533bdf72f07fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
057e0e45d34692095f0bd8d748c19ec3

SHA1
ceb3485a615e53550df8ae7d82319a33f0afc8e8

SHA256
2a353dccb025b7d3825da8eb8c7a77582958f1c458e94d109526c607b3c6cc67

SHA512
7e46c888858c19c8b1ce8b5ad19d47d453ae520703cd6452a79a337ab36d3dfed60653efae0ce43307fb0acccf3eaa8075865b9d7e7449db3b5bab070fa99f6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
182B

MD5
9eb9d67f919ae153884991ffc5223fdb

SHA1
8ebbb1a763b529cc9bf2839b13f0564f10d10046

SHA256
08e4c57ce93d9bce050befa4e516d8aca239010d22692f90ea30a39ba91a1d40

SHA512
9aad23e77ff458c7b49381fec4e0c650172314e46cdae969744d948f67eabb8ee25e2d04f6d81d43bc97f2d704fabc43b4b63ece97a14f09fde78c59132a003b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
69b90a24524c4d2cd7bb32a8bb98acea

SHA1
e4819cc51aefcc8ffb99c5e071abcf04f8d97550

SHA256
5dcb13a7df236eabaf460ca9a491fdd204919fd8f3241e9af3f00434e486cd38

SHA512
8824340bbdf95d1b12be31728a6e4c39c32bd34cecda3e7c54cc87b5164a0eb5187b2a80ca917a9449de52755bd1cbdd4a1568e9891cd02f3cc51f93c9c16fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5ac14946d6492cbadc89c9322e73a2c6

SHA1
cb8b3c8f04818a3d2620c8f3fdd6b0e89fa62e74

SHA256
e4db49e8b50cf6f5052b1bc7a8f598e2d919dbee2a498557f700eddbbab41edb

SHA512
5892ce7fae29102d9da2fc4ae0c643f5624063da1a02583097d45b1c803fd8e1a15cdf93c9541aa996dfa6e162c74b9aa7d8c1569278b1db9483f09c41759610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fefafb21fcbb4ccb46c5095ba808e716

SHA1
b3cd9f9f81574f176fdf0ba536407526681f7a49

SHA256
9d9a97223fb8c725628f6d90e6965539375d102cba70170d670c88ccddd1bdb7

SHA512
6d1fffdc4f782a059994e2b1a214d49c9945d00d9a80ce6b13100d39a3a05fa2688370d9b29ced3c748431fe48eebc7b22f49733bf7d9656610ad6bad5c35a2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b84ce758b0981c01d4ac5660419b7b70

SHA1
1bba88fdefc921d055e129a844da2662444d49ff

SHA256
261454d206d9d4f3201cc248ba93a39c8a55564aa32f75442538aff7dbb1ee15

SHA512
4690e5fead4fb8f155b0dc7f2a571f712ad7c72aabf1a51395acf8222ddaacd7f7fef9af75ab676666d53a64225e144a0310d7f524424531508afd6abc1f8c12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f99270994c0b3985e97ac97a42e63808

SHA1
0c13577670de790e874119ead9eff9013af41a69

SHA256
a5e51e059475d7cbaa913b0575fb14611ee7fc0df7df7e4e5b68619b1fa1ef8f

SHA512
45d8b57da37e8ba2323548273459aff0b93edc9e61d62caf152080bbed84c36b3a686a53d354fbfbd8151e20bb7f0344284f41de2013754b99c35de739b9b93b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3c7592dc7a262d8ba4713b59e005c599

SHA1
9318d16c3ad3d17b6427cba4b1c2ef081092c974

SHA256
2350c451214d525b1f44c49f28d18ab69d76480c64e713b9dcf8f503333891b2

SHA512
dff372392d10e3106d724248003940d6f2671c875a3ffd43db8c0686ebcf4e6240d798fe2c892e8986ca68cd03f250d63e1df5a476cccaab59fee6ed85c87dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D0A.tmp

Filesize
1KB

MD5
b2d5932a074309191a09a694eb948051

SHA1
7f77d798b81eb9fe6002bd4879824bf7284bd066

SHA256
2b164a2cd38018908c910a65acfb5eea3463e3f2a944c52b00538cbad0a1dfb3

SHA512
895b63138a4a4dbf6e6be446ec4d820df8427ff126c01f4e0e4bf91330edb70c467385dec50b4334fbd6cb786d7188992a5f29197427bf60942f3c800e08b513

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D0B.tmp

Filesize
1KB

MD5
7d49733edaf2fbc41b66769b3e0f80a8

SHA1
04532d488a65bcf42f153459e3f48d20152218d5

SHA256
c94f954048e1f69cad1840626982375334b53928db8e34a5cb92cbac1767a949

SHA512
ff5a806d7473248d039b2c4c20acdb96d324b44d594d30b50c387df0e90dba63253a8910b96c635680c6a31e5090d6393b9606940860f9d72922a41d87dff8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D19.tmp

Filesize
1KB

MD5
190947e2988ef39edf0db1eff3a80a33

SHA1
da63531df2d85277c521b8f827abaeb4e538be19

SHA256
25e040fa402f6ce2ba85611dfd77b904e4be73453eb955032b539345bb6d1890

SHA512
6da04c2d5a6ed3e76c627d6909bb5ec5bac9738db3a006894bf9208d6d093ab975f50ffb600612679268d19b9e90d4cf9e853ca5fcbb6e849bae7431b1ea475f

Download Submit
C:\Users\Admin\AppData\Local\Temp\de57h9bt.dll

Filesize
76KB

MD5
a97c487ae2051fa94c3263a0215145a4

SHA1
86f67b1fa85f001b8297bdb23418ac2ecf7fd84b

SHA256
0d8b08ba9c84fc346a06127a2f6e904141b022b4c9554e3158d37493d4952ea0

SHA512
8320fbd75f1ea665608ca97bae855d17da25330296f9da3eebb37ae4b64412d836edc683a2d35381b9661b3bb22ee58ab2470b0ff9df2da7a979a018f45236a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpzmge3o.dll

Filesize
76KB

MD5
1148178cd19ce0f15767130418b5d382

SHA1
4947034f4c682ef768e03a952b3d7403663a0a1f

SHA256
b34edff9ddc295a2d0b0c33316535aade1db7d144cd80be83c483b9be3284e76

SHA512
075f005753083550faedd81ca16e578b9c518fa8a3d564780f6d63c82435360ab1b724675db803a1d08c17966a19dc5c299b7d5da6ffab55b02beff3614937fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xquclq7i.dll

Filesize
76KB

MD5
6c54df25f10b6808eaf497c1dee37695

SHA1
bc45266dd383c22d72c0e4c40b5ae2d86487624f

SHA256
ddeac4de7b8c001852dd005e17c9b07fe64b0a8cd3e72820ff7d611ebfb3d795

SHA512
e9cf5ff3aed1604d76ca3da0f63ccaa1555bd18758157efa9484a2db535072f9863c54750e1f4fd944577a5676e541df589e115cd90f9538764f26c5931f6b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{330939ab-40cd-4fcc-b83f-5e63fcdf5f47}.bat

Filesize
184B

MD5
df062eb55d8a23ba230abadc3ba307e9

SHA1
819fe0798ada836fe926a43531582f34bb3204a2

SHA256
a728d35f3fbc32657d573869a5450b5812f40509edf8656b19928f9d05c3a51d

SHA512
ade6741dd097d6a0ea104adf123d23818c98c49efb1dada05f06b03ae648a98430c8f31e6aa1257eb866bda9941db07f389587e91da3a2c2feda80b8a6e72de6

Download Submit
C:\Users\Admin\AppData\Roaming\RamBoost\lib_33346576134e432b900bfc3fb9baec32\x64\turbojpeg.dll

Filesize
662KB

MD5
b36cc7f7c7148a783fbed3493bc27954

SHA1
44b39651949a00cf2a5cbba74c3210b980ae81b4

SHA256
c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38

SHA512
c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 60555.crdownload

Filesize
11.1MB

MD5
a5c93db4c83dab084d6d4ae80ce1e527

SHA1
e90866ae65781058b98cb155e35b7ce1445d6139

SHA256
d9dc36b7bedf2632fe0a7ca99478b20406d288a69bd7b65e5da2c9d748a5b81f

SHA512
e61fdcabc99dbef705ac83dfa347c5f12b584ceec8b4f2fa7997a3f12722944987e65620d2f8764174e2145e7b3e7cf31372f4a591a38e4fc4496063f03e35b7

Download Submit
C:\Windows\SysWOW64\WindowsInput.InstallState

Filesize
7KB

MD5
362ce475f5d1e84641bad999c16727a0

SHA1
6b613c73acb58d259c6379bd820cca6f785cc812

SHA256
1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899

SHA512
7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Windows\assembly\Desktop.ini

Filesize
227B

MD5
f7f759a5cd40bc52172e83486b6de404

SHA1
d74930f354a56cfd03dc91aa96d8ae9657b1ee54

SHA256
a709c2551b8818d7849d31a65446dc2f8c4cca2dcbbc5385604286f49cfdaf1c

SHA512
a50b7826bfe72506019e4b1148a214c71c6f4743c09e809ef15cd0e0223f3078b683d203200910b07b5e1e34b94f0fe516ac53527311e2943654bfceade53298

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1D09.tmp

Filesize
676B

MD5
7e130a30f51521e0f888ab288b3dc9b5

SHA1
b1c51204bbc88856e34b5126e8d34199a8dd9554

SHA256
91808da3bf69bab637022f1610b9fc0d61b9008b5b7fdb25fc82fae825423c6a

SHA512
dd1e38a87aa4b6e6d0361e43ac484aa433d3bd39c31be01299910d12ff0555c425c4b7eac7a03602e9a31331a5598819a047fe13128f4df9122b35205a7ab0a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1D0A.tmp

Filesize
676B

MD5
93f0d4b15ea8f96a9f01206dbb02dfe1

SHA1
a2878f728ecc83f09e8a10bceee5f778914514b3

SHA256
193c06fc116651efea090c80a895f86b967a5155aed590f4c58740628964fd41

SHA512
dbdd709fbceb7c6d84f73435de66e3e43d1e0a38bf34d88b3fbddbe90a3d14a5932ffe66be356a6d5d6db17b2023b03588ac77fc95439c2b8656790a2ce69355

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1D18.tmp

Filesize
676B

MD5
3e765707b6095890abf886ef182d5e55

SHA1
0a17f446870a6aac98ddd0860617c6135ea3e15b

SHA256
6de7c5c843307b7171a2721f6d18830778720587adccd1c439517b3313a8f71d

SHA512
a35a5c72c6f4a0773483f8570114c4a807baf1733ef8246aa9d32f18f00f08b528c5b2cdea268e91cf791d3f0253f6e0583b6c3c508ecdaff8722d820d167bce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\de57h9bt.0.cs

Filesize
208KB

MD5
b86ec5439ab8213b30b6d97f090b15a6

SHA1
d4ace6f4dcbd01795268e9546336dcd7e706d636

SHA256
3f1a07da6da5196e8b3ae9a4689c5edb72691e20307cc1ac55cca7df47449cbe

SHA512
c54ed38af28d60a715b0300ac674487071141bdd00c31a153d3e24686f838a795c59aa1a337cf2b513548eb2f6289bf3f5ea386a3c44b565f509b19efb698496

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\de57h9bt.cmdline

Filesize
349B

MD5
62528db9374f1e444583e707ee23798c

SHA1
8174aecc4ddc6bd47b98ccebc37cfb29f5351574

SHA256
fbebddf75f136d2679378bd88460f92a7f1d7c83672c1beb1b0c453d6ca8f2f4

SHA512
20296b323a1517714cba07db0b2d89b7b27f0a0dcae54582c14f17321d3a886c99b1856ec2ac607e94524b7623243a08a35b0e508c1017d1822d686f2ac893f9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xpzmge3o.cmdline

Filesize
349B

MD5
e5f8592e7a84d2d2d2a824b803bca9c8

SHA1
ffc8d29f6dcb06187778e017a207eea50345da93

SHA256
b94e4472206d8eda6d6a26ed3531cbb0fb642baaeb051f5108575448ff13fafc

SHA512
1d61bb75700f3cb5b270e479dc7d6ca47d7ea93e3c5aef4e5234f301d74d39a5ddc82a194c7104879f5a5e5aadafe666a38521419ba33ca586661eb7a4b503f2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xquclq7i.cmdline

Filesize
349B

MD5
8be1ce51c12912eb8cbd484e2f473b0c

SHA1
bc03c0a568633a6cde7a7ec44229fdcd17812c01

SHA256
afdedf15ae7401d8a3b8817d71db6388bf2ff702f058a576b8133fbc82178d92

SHA512
45fa43d9fd2a98f540cc69ff384090bd74f0250330310f13e653ae27fdf022a3ad17ab4de86c39d74632edeebb7d9b1e8b4a1b72fb42d8f052e686b003e0c77d

Download Submit
memory/1800-203-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/1800-209-0x0000000001560000-0x0000000001572000-memory.dmp

Filesize
72KB

Download
memory/1800-210-0x0000000001600000-0x000000000163C000-memory.dmp

Filesize
240KB

Download
memory/2712-186-0x000000001CCA0000-0x000000001CCB6000-memory.dmp

Filesize
88KB

Download
memory/2712-343-0x0000000001460000-0x0000000001472000-memory.dmp

Filesize
72KB

Download
memory/3744-189-0x000000001CC30000-0x000000001CC50000-memory.dmp

Filesize
128KB

Download
memory/3744-180-0x000000001CBF0000-0x000000001CC06000-memory.dmp

Filesize
88KB

Download
memory/3744-144-0x000000001C060000-0x000000001C52E000-memory.dmp

Filesize
4.8MB

Download
memory/3744-188-0x00000000014A0000-0x00000000014B2000-memory.dmp

Filesize
72KB

Download
memory/4340-137-0x000000001BBB0000-0x000000001BC0C000-memory.dmp

Filesize
368KB

Download
memory/4340-140-0x000000001BDE0000-0x000000001BDEE000-memory.dmp

Filesize
56KB

Download
memory/4340-341-0x000000001BA90000-0x000000001BAA2000-memory.dmp

Filesize
72KB

Download
memory/4340-145-0x000000001C830000-0x000000001C8CC000-memory.dmp

Filesize
624KB

Download
memory/4340-183-0x000000001CEF0000-0x000000001CF06000-memory.dmp

Filesize
88KB

Download
memory/4600-215-0x000000001A900000-0x000000001AA0A000-memory.dmp

Filesize
1.0MB

Download
memory/4964-363-0x0000000000ED0000-0x0000000000ED8000-memory.dmp

Filesize
32KB

Download
memory/5072-347-0x000000001B1F0000-0x000000001B208000-memory.dmp

Filesize
96KB

Download
memory/5072-370-0x0000000000CE0000-0x0000000000D24000-memory.dmp

Filesize
272KB

Download
memory/5072-375-0x000000001B800000-0x000000001B84A000-memory.dmp

Filesize
296KB

Download
memory/5072-380-0x000000001C040000-0x000000001C09A000-memory.dmp

Filesize
360KB

Download
memory/5072-385-0x0000000000C90000-0x0000000000CB6000-memory.dmp

Filesize
152KB

Download
memory/5072-390-0x000000001CA80000-0x000000001CBD4000-memory.dmp

Filesize
1.3MB

Download
memory/5072-349-0x000000001BAD0000-0x000000001BC92000-memory.dmp

Filesize
1.8MB

Download
memory/5072-404-0x000000001CBE0000-0x000000001CD5A000-memory.dmp

Filesize
1.5MB

Download
memory/5072-348-0x000000001B220000-0x000000001B230000-memory.dmp

Filesize
64KB

Download
memory/5072-345-0x000000001B1A0000-0x000000001B1EE000-memory.dmp

Filesize
312KB

Download
memory/5072-344-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/5072-338-0x00000000004F0000-0x0000000000608000-memory.dmp

Filesize
1.1MB

Download