orcus | ef5c8bdae983435cd8594084aed18cf2649ace4d8463464b55f5ec8a2ecaf837

Analysis

max time kernel
943s
max time network
944s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

o/Orcus.Administration.exe
Size

4.0MB
MD5

cc3670f1b3e60e00b43c86d787563a44
SHA1

4f1f8908f0ca7dc5ad01c3029206cc8c9d735e09
SHA256

9ca18641bc6b48708e4314b3f8275860aef6b9ea16cd6230d781f0abaa84c853
SHA512

684e584d8f2c6ace168760faacdd6ef44fbb85ec519805046e7d183ccf9faf4eb6764b84326aba0a90223a5b8354c3f9d055cf2297416b4562ca417924da9442
SSDEEP

49152:zB5DkV7F/Al4gU97zCvyRtQ5SH1veaEX6NrGAiAl4:zB5Dk7/Al4gU97zCvyRC5SBeJAl4

Score

10^/10

orcus defense_evasion discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

0.0.0.0:7058

23.160.168.165:7058

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000003f27-75.dat	family_orcus
behavioral1/files/0x0007000000003f27-114.dat	family_orcus
behavioral1/files/0x00060000000054a1-137.dat	family_orcus

Orcurs Rat Executable 5 IoCs

resource	yara_rule
behavioral1/memory/236-72-0x000000000E3F0000-0x000000000F1FE000-memory.dmp	orcus
behavioral1/files/0x0007000000003f27-75.dat	orcus
behavioral1/memory/2976-104-0x00000000001C0000-0x00000000002AA000-memory.dmp	orcus
behavioral1/files/0x0007000000003f27-114.dat	orcus
behavioral1/files/0x00060000000054a1-137.dat	orcus

Downloads MZ/PE file 1 IoCs

flow	pid	Process
182	2724	firefox.exe

Executes dropped EXE 6 IoCs

pid	Process
2780	run.exe
2976	Orcus.exe
2408	run.exe
2160	test.exe
2460	test.exe
2668	test.exe

Loads dropped DLL 6 IoCs

pid	Process
236	Orcus.Administration.exe
236	Orcus.Administration.exe
236	Orcus.Administration.exe
236	Orcus.Administration.exe
236	Orcus.Administration.exe
236	Orcus.Administration.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
142	api.gofile.io
143	api.gofile.io
140	api.gofile.io
141	api.gofile.io

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Orcus\Orcus.exe	test.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	test.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	test.exe
File created	C:\Program Files\Orcus\Orcus.exe	run.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	run.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	run.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\test.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Administration.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	Orcus.Administration.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	Orcus.Administration.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	Orcus.Administration.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Orcus.Administration.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Orcus.Administration.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	Orcus.Administration.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Orcus.Administration.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 4c0031000000000023598e30100041646d696e00380008000400efbe2359ac2923598e302a00000030000000000004000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	Orcus.Administration.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Orcus.Administration.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	Orcus.Administration.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 8000310000000000765a55961100444f43554d457e310000680008000400efbe2359ac29765a55962a000000e90100000000020000000000000000003e000000000044006f00630075006d0065006e0074007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370037003000000018000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Orcus.Administration.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Orcus.Administration.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	Orcus.Administration.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Orcus.Administration.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Orcus.Administration.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Orcus.Administration.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	Orcus.Administration.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "2"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Orcus.Administration.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Orcus.Administration.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Orcus.Administration.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Orcus.Administration.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	Orcus.Administration.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	Orcus.Administration.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	Orcus.Administration.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Orcus.Administration.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Orcus.Administration.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\test.exe:Zone.Identifier	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
236	Orcus.Administration.exe
2648	explorer.exe
1692	explorer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	236	Orcus.Administration.exe
Token: SeDebugPrivilege	2976	Orcus.exe
Token: SeDebugPrivilege	2724	firefox.exe
Token: SeDebugPrivilege	2724	firefox.exe
Token: 33	3256	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3256	AUDIODG.EXE
Token: 33	3256	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3256	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2976	Orcus.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2976	Orcus.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe

Suspicious use of SetWindowsHookEx 40 IoCs

pid	Process
236	Orcus.Administration.exe
236	Orcus.Administration.exe
236	Orcus.Administration.exe
236	Orcus.Administration.exe
2648	explorer.exe
2648	explorer.exe
236	Orcus.Administration.exe
236	Orcus.Administration.exe
1692	explorer.exe
1692	explorer.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe
2724	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 3060	236	Orcus.Administration.exe	32
PID 236 wrote to memory of 3060	236	Orcus.Administration.exe	32
PID 236 wrote to memory of 3060	236	Orcus.Administration.exe	32
PID 236 wrote to memory of 3060	236	Orcus.Administration.exe	32
PID 2872 wrote to memory of 2780	2872	explorer.exe	35
PID 2872 wrote to memory of 2780	2872	explorer.exe	35
PID 2872 wrote to memory of 2780	2872	explorer.exe	35
PID 2780 wrote to memory of 1776	2780	run.exe	36
PID 2780 wrote to memory of 1776	2780	run.exe	36
PID 2780 wrote to memory of 1776	2780	run.exe	36
PID 1776 wrote to memory of 756	1776	csc.exe	38
PID 1776 wrote to memory of 756	1776	csc.exe	38
PID 1776 wrote to memory of 756	1776	csc.exe	38
PID 2780 wrote to memory of 2976	2780	run.exe	40
PID 2780 wrote to memory of 2976	2780	run.exe	40
PID 2780 wrote to memory of 2976	2780	run.exe	40
PID 236 wrote to memory of 328	236	Orcus.Administration.exe	41
PID 236 wrote to memory of 328	236	Orcus.Administration.exe	41
PID 236 wrote to memory of 328	236	Orcus.Administration.exe	41
PID 236 wrote to memory of 328	236	Orcus.Administration.exe	41
PID 2648 wrote to memory of 2408	2648	explorer.exe	44
PID 2648 wrote to memory of 2408	2648	explorer.exe	44
PID 2648 wrote to memory of 2408	2648	explorer.exe	44
PID 2408 wrote to memory of 2384	2408	run.exe	45
PID 2408 wrote to memory of 2384	2408	run.exe	45
PID 2408 wrote to memory of 2384	2408	run.exe	45
PID 2384 wrote to memory of 1868	2384	csc.exe	47
PID 2384 wrote to memory of 1868	2384	csc.exe	47
PID 2384 wrote to memory of 1868	2384	csc.exe	47
PID 236 wrote to memory of 1540	236	Orcus.Administration.exe	48
PID 236 wrote to memory of 1540	236	Orcus.Administration.exe	48
PID 236 wrote to memory of 1540	236	Orcus.Administration.exe	48
PID 236 wrote to memory of 1540	236	Orcus.Administration.exe	48
PID 1692 wrote to memory of 2160	1692	explorer.exe	51
PID 1692 wrote to memory of 2160	1692	explorer.exe	51
PID 1692 wrote to memory of 2160	1692	explorer.exe	51
PID 2160 wrote to memory of 2368	2160	test.exe	52
PID 2160 wrote to memory of 2368	2160	test.exe	52
PID 2160 wrote to memory of 2368	2160	test.exe	52
PID 2368 wrote to memory of 348	2368	csc.exe	54
PID 2368 wrote to memory of 348	2368	csc.exe	54
PID 2368 wrote to memory of 348	2368	csc.exe	54
PID 1692 wrote to memory of 2460	1692	explorer.exe	55
PID 1692 wrote to memory of 2460	1692	explorer.exe	55
PID 1692 wrote to memory of 2460	1692	explorer.exe	55
PID 2460 wrote to memory of 2720	2460	test.exe	56
PID 2460 wrote to memory of 2720	2460	test.exe	56
PID 2460 wrote to memory of 2720	2460	test.exe	56
PID 2720 wrote to memory of 2924	2720	csc.exe	58
PID 2720 wrote to memory of 2924	2720	csc.exe	58
PID 2720 wrote to memory of 2924	2720	csc.exe	58
PID 1692 wrote to memory of 2668	1692	explorer.exe	59
PID 1692 wrote to memory of 2668	1692	explorer.exe	59
PID 1692 wrote to memory of 2668	1692	explorer.exe	59
PID 2668 wrote to memory of 1004	2668	test.exe	60
PID 2668 wrote to memory of 1004	2668	test.exe	60
PID 2668 wrote to memory of 1004	2668	test.exe	60
PID 1004 wrote to memory of 1148	1004	csc.exe	62
PID 1004 wrote to memory of 1148	1004	csc.exe	62
PID 1004 wrote to memory of 1148	1004	csc.exe	62
PID 2620 wrote to memory of 2724	2620	firefox.exe	64
PID 2620 wrote to memory of 2724	2620	firefox.exe	64
PID 2620 wrote to memory of 2724	2620	firefox.exe	64
PID 2620 wrote to memory of 2724	2620	firefox.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\o\Orcus.Administration.exe
"C:\Users\Admin\AppData\Local\Temp\o\Orcus.Administration.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:236
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /select, "C:\Users\Admin\Documents\run.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3060
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /select, "C:\Users\Admin\Documents\run.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:328
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /select, "C:\Users\Admin\Documents\test.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1540

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\Documents\run.exe
  "C:\Users\Admin\Documents\run.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ltfzjthu.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7BD5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7BD4.tmp"
      4⤵
      PID:756
- - C:\Program Files\Orcus\Orcus.exe
    "C:\Program Files\Orcus\Orcus.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2976

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\Documents\run.exe
  "C:\Users\Admin\Documents\run.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0h9is2dj.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES477D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC477C.tmp"
      4⤵
      PID:1868

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\Documents\test.exe
  "C:\Users\Admin\Documents\test.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nxgakbjd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFF2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFFE2.tmp"
      4⤵
      PID:348
- C:\Users\Admin\Documents\test.exe
  "C:\Users\Admin\Documents\test.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ybeermkn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14F8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC14F7.tmp"
      4⤵
      PID:2924
- C:\Users\Admin\Documents\test.exe
  "C:\Users\Admin\Documents\test.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ztm6qzsw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74E3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC74E2.tmp"
      4⤵
      PID:1148

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Downloads MZ/PE file
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2724.0.1076434313\34608313" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1204 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {009aafb0-0c3a-4b79-9375-724285f9d192} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" 1288 106f4758 gpu
    3⤵
    PID:2652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2724.1.2020397188\20603842" -parentBuildID 20221007134813 -prefsHandle 1452 -prefMapHandle 1448 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2597d8c3-a25a-4b79-b77c-f293cd1b5a4f} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" 1476 e72e58 socket
    3⤵
    PID:3004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2724.2.1867675836\577144206" -childID 1 -isForBrowser -prefsHandle 2028 -prefMapHandle 2024 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9a24f69-0b5d-4c23-be67-98cd01c013e2} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" 2040 19241b58 tab
    3⤵
    PID:2984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2724.3.95825417\535916140" -childID 2 -isForBrowser -prefsHandle 2848 -prefMapHandle 2844 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5fc7f00-35dd-43d3-84d3-2addb595c6d1} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" 2860 1bca6f58 tab
    3⤵
    PID:2324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2724.4.2116852566\730349260" -childID 3 -isForBrowser -prefsHandle 2996 -prefMapHandle 2980 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1ceaa62-ae42-459c-8533-a9dbf68f99d7} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" 3008 1c155858 tab
    3⤵
    PID:2212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2724.5.2077248591\1209923566" -childID 4 -isForBrowser -prefsHandle 3852 -prefMapHandle 3808 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c24ca06c-263c-494e-8ff5-16aa06c45e97} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" 3860 1e63ab58 tab
    3⤵
    PID:1776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2724.6.1285966763\1890212599" -childID 5 -isForBrowser -prefsHandle 3972 -prefMapHandle 3976 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c94a604d-8b33-45c1-aa32-e2ff59639cf2} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" 3960 1ea0c158 tab
    3⤵
    PID:2536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2724.7.1033855722\504601981" -childID 6 -isForBrowser -prefsHandle 4164 -prefMapHandle 4168 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5bccf8a-e775-4627-b75b-c496d00b15c2} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" 4152 1ea0d658 tab
    3⤵
    PID:780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2724.8.1026378903\1876812358" -childID 7 -isForBrowser -prefsHandle 4032 -prefMapHandle 3900 -prefsLen 26607 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e035962-e9f2-4cbb-b1b2-786a4528dee7} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" 4024 1b8f7858 tab
    3⤵
    PID:3280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2724.9.1454647277\1265809924" -childID 8 -isForBrowser -prefsHandle 3664 -prefMapHandle 3680 -prefsLen 26607 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {256c5017-ea61-44b9-840c-c712bac07906} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" 3060 1e4f0558 tab
    3⤵
    PID:3592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2724.10.1821282750\130092243" -childID 9 -isForBrowser -prefsHandle 4384 -prefMapHandle 4400 -prefsLen 26872 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65133346-169b-499b-9806-603445ad0127} 2724 "\\.\pipe\gecko-crash-server-pipe.2724" 4312 20c48258 tab
    3⤵
    PID:3516

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
ac301f5005478f17b521fcbca458bb41

SHA1
70ea2eb58827312bb2001224bac4d16935f739e5

SHA256
02507859ba83d3314040a210a1a7f0f8a546479db21a136e450f9821911f2d05

SHA512
c4f23e3a26617420a490d341a76861cb9e8cba62ce153101f33ef63e7c4c4c9809d62d18e864132eef4fd58c1f5f43c566f6dcd1ba629bc345506b66fad809eb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\cache2\doomed\10297

Filesize
9KB

MD5
5c3a08ab7c23ab83a840d6befa23ffc3

SHA1
8301de856c2d7edbc2cf359d662fd5031ea64777

SHA256
9aa1f3ee658de75bb9e3f83223504e6f911e1b88a9e6f007ae0e7082902fd49b

SHA512
558a2953dc6b222b1fd8585fb3e2d587f90c01933215d16d78f09e80fd37b16342b556e50345199c04c463877dbf17185d0fc440657e94e724a227ddaa40328c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\0h9is2dj.dll

Filesize
76KB

MD5
e68256d01b6aabee2307a8386df35833

SHA1
f19a836cc80a09e157f7c807153886db916b95dc

SHA256
4e6d62bf0cbe023206dd7ba112fcc9464eefc54a9a1f2a42a127a07de63c727b

SHA512
2dde5fb9b0410fbce137e186e50a6214da2b80fdcc300b2b77cec1fb4ae927c393b80a6a57437f583b9fceece00f5163b2982f22af42a56991d6fd085f820b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES14F8.tmp

Filesize
1KB

MD5
493e392b66cc0613aef36ace1c74f955

SHA1
038a6f8b5d379696886aab2cc7a2e67693f1a76e

SHA256
df1958168fd0998137198639c8a827b4f6b778b6a3da2747596dc947c451cbf0

SHA512
d45fe0495a19ac4eeb847fa8837f9e915b44a1a0c1ac98c52c9603b356cb351b187cb427041a06c4c54d88430c8be791fd7f2b4de94babf636e2b48c3d77ac78

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES477D.tmp

Filesize
1KB

MD5
37b36df531810f5728bb49a568229e94

SHA1
b46950b378ba9e89380b6910784cf2c5e34c3ffd

SHA256
4ee4cf0fdf6661e4f7fa48e62f8c92d4e6a7b322554591aa209b625d7bf6264e

SHA512
7f2617b181cfd829810dd81c8535a89d775e888069b672975bb3106e55210bd3625b6fc8c94a444fd3070eb2c7fd33f6ba00226e430d0ac79f668b765d51d903

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES74E3.tmp

Filesize
1KB

MD5
4ce032d07dcf70b7860e9805f1b662a3

SHA1
35ba06fc342dc020c9cd5e597d7ddfc0fc06711c

SHA256
c4e8d19ce224766b3cc0d917d73b9ee8c6d8091509fb01986c69301bb55ae4de

SHA512
473349f8eb2e0acb8fc70aba3c8f940ae66dff3cfc43bc831922de1a50c09cb715f6a4d2f53f5a40f8b5d6f5ab0e100fda771a91f2413747df804faf45e278bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7BD5.tmp

Filesize
1KB

MD5
39449ea001237b78f8b8b7820596547d

SHA1
78f85f16af4583bf673a781355d39c41de334bc5

SHA256
b1ad034428e94d168aa01403077f55d2b768d5dd146eec04bb0461b127d74970

SHA512
beb554a37173f3ee5cd0f406924341ba866204b5e8bbcd92244d42089a4f1ff30952b369b1d7ee68ef55d3a7120c0e7ecd322af0cfb7ac2cda5faeca0ad36253

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFFF2.tmp

Filesize
1KB

MD5
0125e028e1535687a9b2b1429322e632

SHA1
e983da8f7e345849f7d4c70a4e3bff2ecab92d0c

SHA256
0755c2baacff7742cf395cac6fb6dbfcf728f38d015e68140f0a7865d707e9eb

SHA512
1f74644034a34367759fee9f5e081b708847cd12063daf652ec020f09b054b79f8cc353ecd8321ccfb31601fbcc6eaea437737b799fc39a5ae5c1c72ca64ab9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltfzjthu.dll

Filesize
76KB

MD5
524623878f33924d68a2723fdc5b4b54

SHA1
11eecee247e98056ad3cb427d85895a7b1fbfac8

SHA256
241ecdf97bd5dd5da88d2f3aea9dd1a7f71fc5f0cdcf1e21f312744a7f51019f

SHA512
d318edaeb5abde0d7014aa01c4f835c671a59d1c08ee432a4abb6955fca99211dc0bd53daa7785b2b733c782a9358c718f2344e4beb38eb559b3dc98448533bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nxgakbjd.dll

Filesize
76KB

MD5
1da6215203a57215e777efc0df65b59a

SHA1
320d8b4f0dd624905cd81eb8b5ef8e33fd93f8ad

SHA256
7e821066246cf8cd42da58ea836fb685d3cbe2eb8a2ad25efc2ea73d1c4b8075

SHA512
89f9457ede6375b648976cf14de8cfea424b8a32b15a20e665cca9004f3ee642a734eed4a097fd69c75282c442ad9ef47d0052442fbedaec883a193597135410

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
6.5MB

MD5
438c3af1332297479ee9ed271bb7bf39

SHA1
b3571e5e31d02b02e7d68806a254a4d290339af3

SHA256
b45630be7b3c1c80551e0a89e7bd6dbc65804fa0ca99e5f13fb317b2083ac194

SHA512
984d3b438146d1180b6c37d54793fadb383f4585e9a13f0ec695f75b27b50db72d7f5f0ef218a6313302829ba83778c348d37c4d9e811c0dba7c04ef4fb04672

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybeermkn.dll

Filesize
76KB

MD5
bf502db1c90455dcce9947d3ae0563fd

SHA1
27b5799619e411d0774c0d7f9c14edb0a135e059

SHA256
c19b98f275d613a7e3fe1253fa818736311e5755d737b7f71f82e58bd4ecbd07

SHA512
798678453cdaed70f43e40cfcf17705eb367377913b35b0643cb089accebfcd61b96ce551cf0e41ecac8dd87f8e16a02f6d654915ca8cb70ab9db6b83473e45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztm6qzsw.dll

Filesize
76KB

MD5
f9c047748691a591ffe2f28239597cdf

SHA1
0b8eccf97b0c4e957298f37cfa1875b59f98e1af

SHA256
efd1177c9750a42920e75de575e7f913a2ee9b73cba1b7b072771a3ba52bf75e

SHA512
3eb3d8dfbe47ddadabae7a7077b6485363f715cf4e0a998783b39a6ff4ed7d7890ccb16278fcc33c2fd68bd0918a4368218ebbb03a46f71884a0446b6d396702

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
18KB

MD5
569ab5af953c4bef6fe9aebd2d126501

SHA1
87e789b97530db03d9d06ded48ddfb34c75cfe8a

SHA256
616a133891aebde424b6b0d73448646855bd890b0a1a2cdd1c23f88a6b8dc075

SHA512
5f62e9074feb5e297e773453ed2b3546c752fbc35202be90ace82542df1315b3729eb703bdf6f79cab06d5fa3e34c27fd1b937b2b400092318cd102bcfe00496

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
8c1736bb27918147774889a81f91a692

SHA1
1fc9ff2f05b3d7e760f39931e694a265bb03923d

SHA256
fa93f14509641a923e5acc5dfdcbc250a83d696090ce5cbc709bbc8ae8f4e09c

SHA512
1faf97adc3b196e99f3308153042076cd99bca46dd8593f7bc0ff861a2927cb29a8ba224f4f9ab418ef6153e2bd558b54552adececbab693d9ec737eff1fdafd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
ff72b2b47343c2cc5a26f7197dac9a62

SHA1
71a21ec0c9d8a133df90026e52ea0dfc134c640c

SHA256
998dfbaad379c874766e061d3cce31e0f0828e8084f58840270ecfd35d215ada

SHA512
8aababad2f748ee6595883a14d70eac4ff04f176018a4a4b58b23d97264ebe5c86c0e352ab61dcc954447e9b65431e52e181cfedca306c2b6d3792334052ab26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\9efb47bc-e793-49d4-bfab-f24a90f75992

Filesize
10KB

MD5
0d07b427179a042ff4400369f26e036a

SHA1
0c5a13d44a6f6541c959ae1b0f7bc700b5b9e7b8

SHA256
9944aec894b6d1fa7c608d34182c79184620e54e027724c8fd7cdc567d7b4452

SHA512
29c77951530fc244572f8d41c090c6b2f72074729a0fd99fb26ca17474d67746b2b78e053dce32e38f82038d29afbe2a3cda5628a1c69913a1ef9c2c7713be05

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\b32450f8-7aaa-4ff8-abcb-378d3134fa64

Filesize
745B

MD5
55160c113f17470d91edc1a260c219e5

SHA1
8e19228149d02617fd8d86ace71ae933321aef45

SHA256
f64e85e53f7aac68c17dba5199cfb0e8e429d6faf7dd87cc1dfbb24954e1c191

SHA512
989c8e00938a31b36361f50125b38e2de0fb52ccdb4a91ad3c7fb892dd7d66def20a540bcc752c7f4f3ca85323d0817383ab761c9f4acbc0551e17e8e9dfda17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2449.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2449.0\manifest.json

Filesize
372B

MD5
6981f969f95b2a983547050ab1cb2a20

SHA1
e81c6606465b5aefcbef6637e205e9af51312ef5

SHA256
13b46a6499f31975c9cc339274600481314f22d0af364b63eeddd2686f9ab665

SHA512
9415de9ad5c8a25cee82f8fa1df2e0c3a05def89b45c4564dc4462e561f54fdcaff7aa0f286426e63da02553e9b46179a0f85c7db03d15de6d497288386b26ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll

Filesize
10.2MB

MD5
54dc5ae0659fabc263d83487ae1c03e4

SHA1
c572526830da6a5a6478f54bc6edb178a4d641f4

SHA256
43cad5d5074932ad10151184bdee4a493bda0953fe8a0cbe6948dff91e3ad67e

SHA512
8e8f7b9c7c2ee54749dbc389b0e24722cec0eba7207b7a7d5a1efe99ee8261c4cf708cdbdcca4d72f9a4ada0a1c50c1a46fca2acd189a20a9968ccfdb1cf42d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll.sig

Filesize
1KB

MD5
dea1586a0ebca332d265dc5eda3c1c19

SHA1
29e8a8962a3e934fd6a804f9f386173f1b2f9be4

SHA256
98fbbc41d2143f8131e9b18fe7521f90d306b9ba95546a513c3293916b1fce60

SHA512
0e1e5e9af0790d38a29e9f1fbda7107c52f162c1503822d8860199c90dc8430b093d09aef74ac45519fb20aedb32c70c077d74a54646730b98e026073cedd0d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js

Filesize
7KB

MD5
1aad710e08ae0e93c914e8e47a0de313

SHA1
2876e0182f02762211c40d55eb1020802442a258

SHA256
9e5a86dc2edd620a120e4cfc0950e25c92ac62b3d91b8d83e7062a6c11713780

SHA512
582808de08aa41d4761841bb4391f718a52d41e7550ddd9216fb6d530bb74bc150178f78e199603059cd572a2de198b3d9d563d12fe598222219423527e4b69e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js

Filesize
6KB

MD5
43b44e9ff928d6a58dd08e343b73e5bf

SHA1
d0ddc347c2ae0fc782877751af8b1beac4a0e5cb

SHA256
e78f2f85c45ca8fe0bd8a6ac4c80a73c7eff6a43dce9f02f35aca53a6d38ea04

SHA512
5334014b3e28c997fa23ca50f6dcd636ee3d638bf8487c0493652c6c4bc865c04ecc2c2ffde1bf70133bdd4c16c13643680954d19d4666cc52edfa49aa9534eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js

Filesize
6KB

MD5
9ad8550882cecf9b4c6470dc741a2a0d

SHA1
01b05e1a7752aa12f8523bb73587ee781e369a65

SHA256
3e31c94b48124a37ee6e3f7dadeef59eb411ee8f772040528a177ee36b6e0f25

SHA512
ccfc2d4aa8b47bcd4fafd11236241439abf24fd5e58a609876c4afa9a14ec2fa0adbf8164aba25c19b0a50f9e11866e97a8f8cca156a4683aa82417f9f46da3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs.js

Filesize
7KB

MD5
0c81b341d69dba95bd5b69637b5f9fb7

SHA1
2ce80b1ae7e7252c50fe7e946ba0860ebe07bb25

SHA256
62b65bd818c1e62a71c6fdafdf0edb7eab4136aff4a680644721f0d09fde2e61

SHA512
f6bd6c62cee3efde1b019b19db340422a0e358ed6ac7b39fbf77b9d45c394dea1aaca76f42e8e740661b335d09c77d90391fa54f0fec07591e0a0ef1ff10c6eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs.js

Filesize
7KB

MD5
13ed7806302a61c7e1d56d8dc2feaae7

SHA1
c7bb5b0b17b12991320a2d626646d811fe27c7f8

SHA256
28343c96bca000c22bc78ef10b0778257937129bbdc067e4bfdc6293f9a6cdeb

SHA512
e5c74cf7503af6b6cd6059235bdc7217b45a184e535b5fd8d8131ff6f7f70316ce4bca100cbcb62942ec685331b73dcbfce775e6136aa52a1767ac3ce77133ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
f382b84395e98e575562416fc7e7904d

SHA1
897d76013d78e649fd53f3fd2b57715f6e9750a9

SHA256
1cd8187bfe3763f082de315c5a12a415850f206dbd94ef86bd9f5126dc2a00de

SHA512
37523a2e544775881ce6cdbd9456df9bb9f888171adeecab6d9561d1e8c82312526654979df17d52a35121fd198ead84add67c77cfb8205b71b8b132cec74749

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
9e237be552ab6916d0dcc6d4b7fe8fe9

SHA1
5fd9b338cfc70c9db679887ebd3dc5009eb2fc52

SHA256
f6164a32af0780e4d77bb609dd42f954401956853d1330cfa0bf9f59388b783a

SHA512
4dc1da3731daae8014c60e10d09803d5fabe63053ebe9f5b6d4c06ff6dba44a8f551cb7626c694e5ca3d0743358183c88307e81c8977a464f2088e7c910be4dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
338b0887e4c7c4e70162d60a06d7ac7d

SHA1
09f1a557241a845040bbeab8d5269dca22d6dd33

SHA256
a96d5c673d37a9ec9fe2a8b9952921292105b014a34084d7c9e02b93ee719610

SHA512
42561a8cf6fd090c4927c39a985f948a300327243c60afb7cb1613de19fe8408994ca2e5f6524d8f7bbd7c5378c99fc68310a0a3cdf911e83b13b794dad98d6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
d2aebc7ddc6c3c02f90eede4fa44b937

SHA1
1c962d38b2831e3bbb68ca8393762504520d2cc1

SHA256
1b162b26ed966dd01ba5ef549adbd24716bc1e8392dd2fbbb7ee0bf1535ac8c0

SHA512
108b90ce00f3ab01ff001c2c866cf0bfb800b2a09ee770201fa10487039159bda275d129d95a471d08473f9fe22bb027b3eec590d93e7c6d4f44dddb20e98d66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
78ede08c5573b0f1a2108b79e29feb9b

SHA1
3a77735e6eb4d725e573f301605fde09d3a2fc99

SHA256
a028abb11c6a9a056ab93e0eebae459722b7bc5d82473abffa5a05b1b24754b4

SHA512
58ca4ca929414ffd1e2818adeed05a8b03652af5ad775be432e6c44900ec8316848e475c0806ebfc67e7fabd034e206981dd288e74967c3824c2c27da681a9e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
3053ab556fe44ce0de9f607878c32607

SHA1
3c0c3ef6ad59c4cbdb1f71bb133a2c1b3a36ced6

SHA256
13dfb7887edde958e6fb48efb601d7fa75148106473edbaf040f3e242271590f

SHA512
8abf2e91de1f9965dbb911120b0f84a339e56c3703e5fb1f2df8dc6a74112160d428077dcbc37a7b66cf48cd83b1fc8dfa0a595a8f90f7c42b54bbb63f6b2fdb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
00c6833acee9055dcd375313e2467398

SHA1
b84b3f6d57e05d1e705140ff9f04a1c601fb64d1

SHA256
87a31e3b468a4f2d16278607dd4778593cd291974769edb5e7aa1214d9727b2d

SHA512
9b2ac3ccdb6e15435c8170bb3082eca09e817d75966e7cb5b3aef49f86054efe2fd2456d49aa530ac601164c3503059a969d9f3b93c02d402fb1d6546b82c903

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
e81b2ce407e48632d654998ecf3a9037

SHA1
77eadd4294f5e3d65ee72f8765b72eeba304734b

SHA256
9079cce6becb4ffbe0664cb9fa2008305fea0b6aa0384bdbacd7caf7fec2f432

SHA512
9d7001afd132d13ba1efcc7a5d306c5f366533db6c2bc68faa6698a775ff1cea1d8bcc6de8720b3ce4100a90240f23f0850ef1f8299f59d08fd73efe03aec193

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
4675ca5c868044b2f441b52e767517ab

SHA1
91a10bbc11016c77c8601e4f2296133ac7e176d5

SHA256
700f0f89287b022b66e2be00e8d63258b8609ad0e46d3ded959be877b57b68a2

SHA512
60074b9eaf02d87dce5b1160cf01753e051d401d8d8593045eebc09b3ff5037fe77df2f383710b89ce011989cf22ae2c74637d6a419ee82affb5ae4984e0d634

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
914e4612bbc9e2ce202282263531bce8

SHA1
72951f527b6bea789c5e8e33723212d9e4cc82b1

SHA256
aad3a35d1d58a6a36b7800ea07a7ae9f040280effa776dbf65dfc1345c35b000

SHA512
a36cef1d8e017e63a1074ba9ef9423cf18cd8b829161304b123c13b4c31057f6f61a8099e86b5bffdce3ea61d5f7b879743e3bc70a70e0c007a26f91de9c821e

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_ca1795abc3374b519fdef01c2242037e.dat

Filesize
1KB

MD5
1edea513e699b5e9a16de00461be7443

SHA1
03e27879ac71d75a9b86e89c2d14125785876234

SHA256
49a897ecb0d06fe59c0b02e1fcce37971bebe320d94ffb9f3b64115c09f30879

SHA512
65540ee16645c052b95b74631e25b8cfbd6bc21ab7284f5b4c6f1aeb69befbdb861983e923ea824023c400be4cdb0c73a2644374e8235f8a1c09a7137b9709ef

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_eb4cdf8f2fdf48e2948ba799aa59ebe5.dat

Filesize
1KB

MD5
7a400c032d05c78d3666498c5e91f213

SHA1
a15764c75008980030245fb1e864f21d6fa216db

SHA256
b50ece579d828a0c75a87980085ca6dc5c10fb910bd50361bae6671007aa4425

SHA512
e140545171751aced407983197d452956c68c20b0b6dac5a74dca149eb0b8a314498a84dd99a754f4ed428777aa1e297669beb14710317fdd79049cad6a2f205

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_eb4cdf8f2fdf48e2948ba799aa59ebe5.dat

Filesize
1KB

MD5
9aee945bc1a31c2bd8652d115a47c86a

SHA1
db7e791f561edf4ad424ef183e33734efc1c4505

SHA256
dc18a3194c4b07d4267e4a622e82bd62c0cd0cafbbc65993fb42497e02dbda04

SHA512
2bd8176f164cb0cc1bd89740e7ff8bf2e780e406f50902a267b4dfe66c843ce071769c26b47f0389722e669cef3eede48d44e01c982de7166d7ffabb90f4f115

Download Submit
C:\Users\Admin\Documents\run.exe

Filesize
913KB

MD5
3b038502b1510f932ed18b8f7b959460

SHA1
53c38b898db95809bdc338f5bf44c50a8d88b767

SHA256
e65450ecac21d7b3f073982da7b13599fd916924dadba0a297694ca1d937619e

SHA512
4ddd9de336127acf2f1d7e511f7e136a3154f58d530ef6c5b4a55c108901b071839f1fcb3c6a3c54a0f31dc298fef1064f8de382b278b6573309f8b6e1d35f3e

Download Submit
C:\Users\Admin\Documents\run.exe

Filesize
913KB

MD5
0d1dff10c4cb35c10a4a8040bcae6317

SHA1
0b5b65edcb75a18b21699a939d8b805811ff3063

SHA256
ae07f205e4ddace3a194375c4750f3fe0691922a8af8b614590e4e45bbbdb703

SHA512
c76c87ca7f79166bb4caaf79f2895a80fc7bdda17dfd205a739746d636fc7a8a9040440c0a8591cc4e166c44ce6192864aec442a061b98044466c59954924601

Download Submit
C:\Users\Admin\Documents\test.exe

Filesize
913KB

MD5
3ec4232085e107853eb6787e80848efa

SHA1
3cc6617af32cd1da1b7ffc0996a1a32e1a171bf1

SHA256
2c79679727444f53ecabaa6c6d588cefb54b9c118ef858bc7e1fdc913440086a

SHA512
9b7f0d5f9d18b3c54d3c65eb7df0f95a799eaeccd383ef9aae44372896bac2e629d6a26c30c47d6ef839c91559a024a1083bd5f39a3187e63e817638f3d2a999

Download Submit
C:\Users\Admin\Downloads\test.BP2CBRLm.exe.part

Filesize
8KB

MD5
3bfd1e558c3850512067995478b430d6

SHA1
11ba1bd34e871b9bdc81921e403739b2d824dd10

SHA256
e34c6f6ad575d0d4785476e4dca330961b615e94cd246ccf12db5af6b63566ca

SHA512
02e4e5edac3062caec2ca75f012a5b47974ad2e59552fbdf701217eb01fe94eff7c45ee4cee46af19420623bb78b5bcf8136c4e1cb24553ae3d7533c2a19b011

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0h9is2dj.0.cs

Filesize
208KB

MD5
250321226bbc2a616d91e1c82cb4ab2b

SHA1
7cffd0b2e9c842865d8961386ab8fcfac8d04173

SHA256
ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d

SHA512
bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0h9is2dj.cmdline

Filesize
349B

MD5
42d530a22920e40379828b24c9395cbc

SHA1
d4ed8002b7e351c6e7a75a6301fb8a76e6e02e20

SHA256
390ca1ea4a27ce782ae82fef65523d09724f557b63e54fc7610eeeb43c723505

SHA512
eadb59e475dd94096b0e5a4878a26146e90d20fbde378541bd533d5369ea7790c5456f63c45181ea00fbf9570eb53b406efc13f703d6822e686e98532ed80347

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC14F7.tmp

Filesize
676B

MD5
e1e0276985a54d9d4110604a49399127

SHA1
e3793857a1260f71c2362b9e8cb63b36d0c9c309

SHA256
570457a9fb737b532cd0c77a3b94dd26a0079f02f0221e9bf171eeeaef1f8afc

SHA512
b990a2d90f84fb469e8ab0e29c81271f0fd403e20694b58d9f590cb9a07c620efb6df8d21a6b02d7a4a472d50b580a9e1f697a3274d58234cb9ebc8824e3d851

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC477C.tmp

Filesize
676B

MD5
3323896c1a0e7a861453993309c049e1

SHA1
f80af071e6abceb6e30761c4e010398f76e1f999

SHA256
3d3c39c2114a50f9f67d873d9ce673b48fddbe6b5c249dd78fe6d1b9e01549f6

SHA512
ec0053be48e6cf20c9c71b316e4f8db9e580c1698510fcca5b959b0def9b116659012555e94aa3f0de861ddbd3066ea149c5cce6ab86816e335bb87d891aac81

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC74E2.tmp

Filesize
676B

MD5
b4bb6d71db70a6c1c319a970c3e0e983

SHA1
d9d9b05044448a634f4fdfe2ed0dc00da83bcc59

SHA256
72d06e74439bf33664095590c024fd64825b30cce96f84d2db433fce8ffecba7

SHA512
795217e802bbef58ad8ba675db694d43a6c84fa39067875e7bfd188b9a3373ff0f60e9a5c13735fbf479e14ea21017236995b0d19bcaa8e00d7adb555576ce70

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7BD4.tmp

Filesize
676B

MD5
a1471b7a1aaa529a2d575d79e992ffeb

SHA1
6bf82529ab02646955acb1411426b9bb2abd23fc

SHA256
06f4c76bf474bd80ba5e69309d0e0ef47d707a6836003f56ebef66dd2340c810

SHA512
fc86250371c05a7afbaeb479f92a05455f5a6d41b3c591d43b463c309f6db83022dfde43cf9922c98593c0028d599c89f2704e2a4b67705901a420a32a9c31a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFFE2.tmp

Filesize
676B

MD5
de6cfb2cfd7ed5a43a6b7dc1a21d8584

SHA1
465744323829100e887b2409de64d4d20eda3565

SHA256
0db920ffcf5dd454133d3fa55f70965c5a0ca87aa8e0075788a6e87b654641a2

SHA512
34414eb388aba13b368d611fbfca54484eb2bac71af56439d313b3be8ae9529a237696f009bf1554738af74e9e300776b78fb8030aa51a81db7257a070f33128

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ltfzjthu.0.cs

Filesize
208KB

MD5
c555d9796194c1d9a1310a05a2264e08

SHA1
82641fc4938680519c3b2e925e05e1001cbd71d7

SHA256
ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a

SHA512
0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ltfzjthu.cmdline

Filesize
349B

MD5
eef4be1149053370e602946880431776

SHA1
1d6c386de97b135e83fa69f0b5456959225e66d2

SHA256
db6db9e4fca582875696afb946b38aa45fc214c72150620611da85995b85225a

SHA512
ca51a88ba48f56122d7cf86b6c46569c4242d6a1340dc4dc6444c064b600a8a02279beac88d1069820705bbb3a2462be9d7f7d8c6e9e7ba56232935abcc3c7d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nxgakbjd.0.cs

Filesize
208KB

MD5
62a85092f060ce8271c5fba94b4aba7a

SHA1
9a2f7a2f472ad9ee885faf13579acdce5204908e

SHA256
da347f5c56a106054c19dc17c64b85007622b73bda1c96255d40e7604ef7c3cc

SHA512
8c1558a66fc9962ce32321725994bdeb06213487cb90b69b21ccf150a4f79975cf0b63bfaed775a53df33baefca8cacca2b58f3b6a4ba6914c3247f5afa7c280

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nxgakbjd.cmdline

Filesize
349B

MD5
7d0481a477727455daae832758d79156

SHA1
5c5f261e896d0903c6437f04060d9d38b473d913

SHA256
44e978a822922d92f41007e99d96e191e096f7ea944aacccb633c39f6826ae6d

SHA512
8ac8dc84669cc0999ee2838d211f757aabd04a1f900fccfdb08c8c11f61089737a2877bb00583acafa09822b9303fc37330cd8a728df78d7c46c6906ffbb417d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ybeermkn.0.cs

Filesize
208KB

MD5
6011503497b1b9250a05debf9690e52c

SHA1
897aea61e9bffc82d7031f1b3da12fb83efc6d82

SHA256
08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434

SHA512
604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ybeermkn.cmdline

Filesize
349B

MD5
2c46d2c9aaee523110d72c90634f4d4a

SHA1
bb15e91d2ec35d0b8f1a7076c8319e56ba739baf

SHA256
273a990dc353fa7e043a57938a7c402ff4f69a5989fb6058ba711fda04bd6c55

SHA512
19987694ed8694141a8b920e280176a3a9520003033cb2cd75570c5f777c1a34dd8cc04a367f9aa3695fa18c79271f6db1e4988fb770e6289a1f385833aee10e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ztm6qzsw.cmdline

Filesize
349B

MD5
056d9c1ec48bc3e596c1dc4e2892852a

SHA1
7ec3eb3a8fc94668138fdc31547ebf1cf640cb8d

SHA256
ffff4e0d2abda7807fc1d764b812d3e0ce2f905b0d4f9ccf90ca69f61b24110b

SHA512
f5bf685ca93a0e6ae5d173f2a57a2dc5724c58bac7657cecc1cfdad4c400efac23383c1cbe6cb29b5189b53533e3db15c07f6453f79e9bf4a2bed88a1ed06c83

Download Submit
memory/236-32-0x0000000007070000-0x000000000707A000-memory.dmp

Filesize
40KB

Download
memory/236-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/236-735-0x0000000009FC0000-0x000000000A046000-memory.dmp

Filesize
536KB

Download
memory/236-736-0x0000000009FC0000-0x000000000A046000-memory.dmp

Filesize
536KB

Download
memory/236-1-0x00000000013A0000-0x000000000179A000-memory.dmp

Filesize
4.0MB

Download
memory/236-2-0x0000000000B20000-0x0000000000BDA000-memory.dmp

Filesize
744KB

Download
memory/236-3-0x00000000052A0000-0x0000000005536000-memory.dmp

Filesize
2.6MB

Download
memory/236-4-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/236-5-0x0000000005820000-0x0000000005926000-memory.dmp

Filesize
1.0MB

Download
memory/236-6-0x0000000005A30000-0x0000000005B5C000-memory.dmp

Filesize
1.2MB

Download
memory/236-72-0x000000000E3F0000-0x000000000F1FE000-memory.dmp

Filesize
14.1MB

Download
memory/236-71-0x000000000A6B0000-0x000000000A6F8000-memory.dmp

Filesize
288KB

Download
memory/236-70-0x00000000084E0000-0x00000000084E2000-memory.dmp

Filesize
8KB

Download
memory/236-69-0x0000000000580000-0x00000000005A0000-memory.dmp

Filesize
128KB

Download
memory/236-68-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/236-7-0x0000000000A10000-0x0000000000A32000-memory.dmp

Filesize
136KB

Download
memory/236-67-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/236-8-0x0000000005B60000-0x0000000005C68000-memory.dmp

Filesize
1.0MB

Download
memory/236-66-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/236-60-0x0000000000EC0000-0x0000000000ED2000-memory.dmp

Filesize
72KB

Download
memory/236-42-0x0000000000D80000-0x0000000000D90000-memory.dmp

Filesize
64KB

Download
memory/236-41-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/236-9-0x0000000000A90000-0x0000000000AA4000-memory.dmp

Filesize
80KB

Download
memory/236-40-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/236-39-0x0000000007070000-0x000000000707A000-memory.dmp

Filesize
40KB

Download
memory/236-38-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/236-37-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/236-10-0x0000000000DC0000-0x0000000000DF4000-memory.dmp

Filesize
208KB

Download
memory/236-36-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/236-35-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/236-11-0x0000000004F50000-0x0000000004FD8000-memory.dmp

Filesize
544KB

Download
memory/236-34-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/236-33-0x0000000007070000-0x000000000707A000-memory.dmp

Filesize
40KB

Download
memory/236-12-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/236-31-0x0000000006B50000-0x0000000006B68000-memory.dmp

Filesize
96KB

Download
memory/236-30-0x0000000006720000-0x0000000006730000-memory.dmp

Filesize
64KB

Download
memory/236-29-0x0000000006580000-0x0000000006588000-memory.dmp

Filesize
32KB

Download
memory/236-28-0x0000000007D10000-0x0000000007E8A000-memory.dmp

Filesize
1.5MB

Download
memory/236-25-0x0000000005E50000-0x0000000005E5A000-memory.dmp

Filesize
40KB

Download
memory/236-26-0x00000000064E0000-0x00000000064F2000-memory.dmp

Filesize
72KB

Download
memory/236-27-0x0000000006530000-0x0000000006538000-memory.dmp

Filesize
32KB

Download
memory/236-23-0x0000000006D20000-0x0000000007062000-memory.dmp

Filesize
3.3MB

Download
memory/236-24-0x0000000004DA0000-0x0000000004DA8000-memory.dmp

Filesize
32KB

Download
memory/236-22-0x0000000004C90000-0x0000000004C98000-memory.dmp

Filesize
32KB

Download
memory/236-21-0x0000000004C80000-0x0000000004C8C000-memory.dmp

Filesize
48KB

Download
memory/236-20-0x0000000004BA0000-0x0000000004BAA000-memory.dmp

Filesize
40KB

Download
memory/236-19-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/236-18-0x0000000001390000-0x0000000001398000-memory.dmp

Filesize
32KB

Download
memory/236-17-0x0000000005D00000-0x0000000005D98000-memory.dmp

Filesize
608KB

Download
memory/236-16-0x0000000005C70000-0x0000000005CF6000-memory.dmp

Filesize
536KB

Download
memory/236-15-0x0000000005100000-0x000000000515C000-memory.dmp

Filesize
368KB

Download
memory/236-14-0x0000000000E50000-0x0000000000E5E000-memory.dmp

Filesize
56KB

Download
memory/236-13-0x0000000000C50000-0x0000000000C62000-memory.dmp

Filesize
72KB

Download
memory/2160-153-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2160-151-0x0000000000AD0000-0x0000000000AE6000-memory.dmp

Filesize
88KB

Download
memory/2408-128-0x0000000001030000-0x0000000001046000-memory.dmp

Filesize
88KB

Download
memory/2460-168-0x0000000000F20000-0x0000000000F36000-memory.dmp

Filesize
88KB

Download
memory/2668-187-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2668-185-0x0000000000E00000-0x0000000000E16000-memory.dmp

Filesize
88KB

Download
memory/2780-77-0x000000001AFE0000-0x000000001B03C000-memory.dmp

Filesize
368KB

Download
memory/2780-78-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/2780-91-0x000000001ADD0000-0x000000001ADE6000-memory.dmp

Filesize
88KB

Download
memory/2780-93-0x00000000006D0000-0x00000000006E2000-memory.dmp

Filesize
72KB

Download
memory/2872-74-0x0000000003A10000-0x0000000003A20000-memory.dmp

Filesize
64KB

Download
memory/2976-107-0x0000000000610000-0x0000000000628000-memory.dmp

Filesize
96KB

Download
memory/2976-104-0x00000000001C0000-0x00000000002AA000-memory.dmp

Filesize
936KB

Download
memory/2976-108-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads