orcus | 047bc779d007d921cc2f900677a532a9393b99633ace127bb489ac5732c1abc0

Analysis

max time kernel
1050s
max time network
1031s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
29/03/2025, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ArtyxBootstrapper.exe
Size

917KB
MD5

21879687876665cd12d25a9428568463
SHA1

71fecc06e0c6070b1290c1e173df11455a38f131
SHA256

047bc779d007d921cc2f900677a532a9393b99633ace127bb489ac5732c1abc0
SHA512

11e9b536360504960f491d85f3bfdfcef1a2071bf3c79c5b2a857aab6db98ec6be2f7c4a3a75ddcce21a96ada8686301345c6eedb5ead26a8509368f67ac5e77
SSDEEP

24576:kKa4MROxnFZx3eRM4LrrcI0AilFEvxHPGoop:kOMiTJelLrrcI0AilFEvxHP

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

213.209.143.58:2095

Mutex

ea1f88a1fa7148ce8a8fded64e180068

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Nirsoft\svchost.exe
reconnect_delay
10000
registry_keyname
Realtek Audio Driver
taskscheduler_taskname
Realtek Audio Driver
watchdog_path
AppData\hotdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002b1af-76.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/memory/5808-1-0x0000000000570000-0x000000000065C000-memory.dmp	orcus
behavioral1/files/0x001900000002b1af-76.dat	orcus

Executes dropped EXE 9 IoCs

pid	Process
5804	WindowsInput.exe
4768	WindowsInput.exe
5000	svchost.exe
4392	svchost.exe
4416	hotdog.exe
4264	hotdog.exe
2004	svchost.exe
5900	svchost.exe
3604	svchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	ArtyxBootstrapper.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	ArtyxBootstrapper.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Nirsoft\svchost.exe	ArtyxBootstrapper.exe
File created	C:\Program Files (x86)\Nirsoft\svchost.exe.config	ArtyxBootstrapper.exe
File created	C:\Program Files (x86)\Nirsoft\svchost.exe	ArtyxBootstrapper.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hotdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hotdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArtyxBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877638305134297"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5808	ArtyxBootstrapper.exe
5000	svchost.exe
5000	svchost.exe
5000	svchost.exe
5000	svchost.exe
4264	hotdog.exe
4264	hotdog.exe
4264	hotdog.exe
4264	hotdog.exe
5000	svchost.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
2372	chrome.exe
2372	chrome.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe
5000	svchost.exe
4264	hotdog.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5808	ArtyxBootstrapper.exe
Token: SeDebugPrivilege	5000	svchost.exe
Token: SeDebugPrivilege	4416	hotdog.exe
Token: SeDebugPrivilege	4264	hotdog.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5000	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5808 wrote to memory of 5804	5808	ArtyxBootstrapper.exe	78
PID 5808 wrote to memory of 5804	5808	ArtyxBootstrapper.exe	78
PID 5808 wrote to memory of 5000	5808	ArtyxBootstrapper.exe	80
PID 5808 wrote to memory of 5000	5808	ArtyxBootstrapper.exe	80
PID 5808 wrote to memory of 5000	5808	ArtyxBootstrapper.exe	80
PID 5000 wrote to memory of 4416	5000	svchost.exe	82
PID 5000 wrote to memory of 4416	5000	svchost.exe	82
PID 5000 wrote to memory of 4416	5000	svchost.exe	82
PID 4416 wrote to memory of 4264	4416	hotdog.exe	83
PID 4416 wrote to memory of 4264	4416	hotdog.exe	83
PID 4416 wrote to memory of 4264	4416	hotdog.exe	83
PID 2372 wrote to memory of 4612	2372	chrome.exe	88
PID 2372 wrote to memory of 4612	2372	chrome.exe	88
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3904	2372	chrome.exe	89
PID 2372 wrote to memory of 3544	2372	chrome.exe	90
PID 2372 wrote to memory of 3544	2372	chrome.exe	90
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91
PID 2372 wrote to memory of 3144	2372	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\ArtyxBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\ArtyxBootstrapper.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5808
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:5804
- C:\Program Files (x86)\Nirsoft\svchost.exe
  "C:\Program Files (x86)\Nirsoft\svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Users\Admin\AppData\Roaming\hotdog.exe
    "C:\Users\Admin\AppData\Roaming\hotdog.exe" /launchSelfAndExit "C:\Program Files (x86)\Nirsoft\svchost.exe" 5000 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Users\Admin\AppData\Roaming\hotdog.exe
      "C:\Users\Admin\AppData\Roaming\hotdog.exe" /watchProcess "C:\Program Files (x86)\Nirsoft\svchost.exe" 5000 "/protectFile"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4264

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:4768

C:\Program Files (x86)\Nirsoft\svchost.exe
"C:\Program Files (x86)\Nirsoft\svchost.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6b8edcf8,0x7ffd6b8edd04,0x7ffd6b8edd10
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1916,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2232,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2244 /prefetch:11
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2300,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2388 /prefetch:13
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4148,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4168 /prefetch:9
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4588,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5276,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5296 /prefetch:14
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5296,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5540 /prefetch:14
  2⤵
  PID:5588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5524,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5664 /prefetch:14
  2⤵
  PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5536,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5756 /prefetch:14
  2⤵
  PID:5444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5664,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5764 /prefetch:14
  2⤵
  PID:5896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5732,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5748 /prefetch:14
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5656,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5744 /prefetch:14
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5848,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5728 /prefetch:14
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5856,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5752 /prefetch:14
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5652,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5800 /prefetch:9
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1116,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5448 /prefetch:10
  2⤵
  PID:5628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3056,i,6386664387071213847,6832508862034200188,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4528 /prefetch:14
  2⤵
  PID:3132

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5904

C:\Program Files (x86)\Nirsoft\svchost.exe
"C:\Program Files (x86)\Nirsoft\svchost.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2004

C:\Program Files (x86)\Nirsoft\svchost.exe
"C:\Program Files (x86)\Nirsoft\svchost.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5900

C:\Program Files (x86)\Nirsoft\svchost.exe
"C:\Program Files (x86)\Nirsoft\svchost.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Nirsoft\svchost.exe

Filesize
917KB

MD5
21879687876665cd12d25a9428568463

SHA1
71fecc06e0c6070b1290c1e173df11455a38f131

SHA256
047bc779d007d921cc2f900677a532a9393b99633ace127bb489ac5732c1abc0

SHA512
11e9b536360504960f491d85f3bfdfcef1a2071bf3c79c5b2a857aab6db98ec6be2f7c4a3a75ddcce21a96ada8686301345c6eedb5ead26a8509368f67ac5e77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4f9fc632c0885b1e0c5d09dcc44e84be

SHA1
f174cf16c56d318e0597c8535f71df578be87a4d

SHA256
1b58dbee509d8581b8562a300810438a52b82249d2a6de258da5e293f80ebf24

SHA512
d719f2c775daf7f258e80eadccd9f92ba81a060b9f134f9ee5eb39210ceea6bf85aea6fe700614c5d61155f4d758619b42c44db34f4030a7071b36b1b03841e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d529a81006f6915cc8c767a2a343289e

SHA1
183c898e1dbf81dc58e9e1e49b097b1d1fb09259

SHA256
821039f34a57c181f62d023770934f77071e5d32052e4814ba3fc1300cc88043

SHA512
e994b637ef82a7b5ad49acd012f7296bb9c54d34c7ef951a530e0bed6e5b16994b895e2ebcc1283a3444220766a30e7880c17ee1f644ab8274d5521551ef00d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
521B

MD5
3ba8eeedf5a9d4ed99378b1808ba3dd2

SHA1
86a9aa794c80f8d9a1454f6eeb046c989d57388d

SHA256
f2a26ef703d3a3d144a4c680c0faa5ff73e43dccd0ccda296721ad673b82624a

SHA512
8989c7e9a80383b147e088df1bf5767fadfe54d567f3a6440462e34505203acd90d655e28e9cda42fbc4a6be61ecb77f524f2ce2600b71de2c52e1733e3fe48a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6f0cec7cc972285d06ab26a733a1558d

SHA1
eaaee7d25e137a071d97186d55ce04b4447197e8

SHA256
1320d1c4ac970a8781cecffcb42744ca1dc0d8409fc53344782aecea93320cbc

SHA512
38facca6c689d12faacafec7bd44a650b7eb1faa01d9d42f09942ee589cf1f837a85b487e9f6250af4a88db02f3c4fdd2801b673068bc8836e5bd09675a23ec2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4cb4a70a42d3b706b42fe0e66ec44ff3

SHA1
2d312a2add2eca2e7f8dbe0649a32cca2870a515

SHA256
05a5c0bcbd09f5c75554080085cf6b1861016c54d4e9a287ebf939cb4779fab6

SHA512
7cf927da73db01e9e7556f64945d3704a79fb716137aa65ae264f10cd22207357a9d0bfefb2f93178fba91c4694edc2876e2fd8ed081ef68e7af7e5c406651f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b93d27dc1af2355cc6ade27f66f62154

SHA1
cde82585c635fa246a8ac261c1902c8639306d60

SHA256
6a0c2bf544f390e0d41d9ba340bcf4beb67b702a252a1b9ed05169f9924b198f

SHA512
cd01e53d66c9ef44380f99355cc2d57e986f69db1f33dc23fdbb49a3d46d9a16d5af786b857c0dca5086fcec3469e798bed57dd56f638a4a6ca84469de2caa36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
533dc72289126bb90945b8a4f2f079fb

SHA1
5e963473c07117bf381c4062180aa129402d9ca4

SHA256
e7d9c6f2d75213766b613fb91887c44e5a2cbe85c0889c72da8ff8bacfd3010f

SHA512
3e8579721b6aca25af711184db1fdadc11ffff201f1b973508302cf8f7b20799d373e1c0a5ed93c56cd0177f3e56fdd815c9db23dc0b31aaec5c9acac6c8bca8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1b41473939ee38ba1a05b1d722a4e707

SHA1
220a750e96c36819f22a7ce38fbcfd800f8792ec

SHA256
dd541a152cd79916f7d8e4e422f9fbf426814bcba972effe0b711acaf051047d

SHA512
95ae25f0b143d480768faa662171f00270eca37e1e19c97e94adfa20d468ecfa2d2c46519f12dff0dae5d0c5329b90e0c33f606dee81f01b356744f6665649f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ed62ed3fdb3f47739945fa7faafde7c0

SHA1
e5928b724c1bf92860755d3280c504d6e7a03879

SHA256
57d65c3648eb3d8d635fafb81f3fd023751867921f7d072332312de34bb9703c

SHA512
1ebf9e2075a3de14db3f4acfda673e3db1830c4fe2206aeeb0a1e09cfd50ceaf86a16309cd91e050e09262038110b72ce8a5acd771ec3f50e6b257508687ff7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a5b6610d10afcec1524589d8b0c7ce36

SHA1
8265bf3d707c1101296aa35b30606022e891416c

SHA256
4a778b4086de5e1701c1161591a837a5597b004a6a1b701b310bc213a268089c

SHA512
34dd462fb654ca8e53fa34dba685235adf25cbb3f29f03aa1e60a4ef550343cbd38434efe6ba9168ca3a78f4b48326bbd249b49bd25d54351a829d3ff983c2b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe586339.TMP

Filesize
48B

MD5
1e2d525c45cc3a4b1d93311565c09ec2

SHA1
3ce5cf06911631d22271ecb1be7cac70c0fa8101

SHA256
e782a82620ab24aeb254aa7f5295c3edbc07874f0decb4aee2642f3dbb81e617

SHA512
fa8f58353c9d141953937fbc98af518029fcdd2446d4b3c6afab542db3e8c8082a705aa0e604941bf497e9b5fd98fcec749a57e28db97d91645362a4f1284f08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
92ab2a724dd97ad3d7eba5d9031b671b

SHA1
c7a01892113d1d899e73a210bf100e6558cc7ee7

SHA256
b0a19a706e7fc0294bbbe0281b4be4d3b9e9965aecfa58dd7bcd2c951b968162

SHA512
b84c937d311b9d96b86c1de3157fb7522893d0c94d243d308928f4c2b76b07bed57b19d70fe35f9efc49de389768d1bcbfe05290e945717a09b975fee13b7863

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
00c0837a45062d4ad26f33cd3037c4ad

SHA1
0d9a4af43d573b10897807d1dacdfca8e5f63632

SHA256
3b352fd175bef0e07f4ad3353dfbc03dfbfad98d3905daae61b0ccd8953f5d34

SHA512
bbc3de53dfe9051c6899bc273778791f75b5de6380bc699ccf53ec4c5d404348026a22b409c531bcea37fb3c4c8257b14a0d6ee95d246e2d07835d9365b398ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
d85f82c390b122f7c95329a04d066fe3

SHA1
fe65872a4f796414da17b497f66ece18b08425e2

SHA256
0bafcca8ec23246389bc171065afa3e379fc368dae4ddf150b416bebd74a4bbe

SHA512
424930edd2ab670e90db9db928d9950834e96e613c243d455d72b778bfd60a8c47abd677636212aac8bd89542c59c845eba056d5318984366828030e937e3781

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
156KB

MD5
6a00f478384a97b7aaccd550547269ec

SHA1
bdefb6e50ff597497fe754829fd4a8e326e42773

SHA256
0d84b34734a6eee6195dce82a722ba3fc0bcd2f112246291010ae35355d6154b

SHA512
d7fdf7fdbbea220223e6a397d8ca169b53c4d25c6f50e25dc2b396334bac222a4fe88951fdc0e06ec9c36bd932f6327688b2b0cb08f7ede8e24f1eefb522b233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hotdog.exe.log

Filesize
425B

MD5
bb27934be8860266d478c13f2d65f45e

SHA1
a69a0e171864dcac9ade1b04fc0313e6b4024ccb

SHA256
85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4

SHA512
87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
1KB

MD5
23095077e59941121be408de05f8843b

SHA1
6a85a4fb6a47e96b4c65f8849647ff486273b513

SHA256
49cc85a6bad5faf998eae8f1156e4a3cdd0273ff30a7828f5545689eb22e3fe5

SHA512
05644cd4aa2128e4c40993e4033ae3102705ee27c157d8376180c81e58b61c2801ca8deed6a256c79bc409e40f9ab5c66e2b2492f6c60871fb575eb6cce73211

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vwqjtmvt.51r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2372_796245665\9322fca0-760d-4855-8867-310266bce0b8.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Roaming\hotdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
memory/4416-133-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/4768-142-0x00007FFD70AC0000-0x00007FFD71582000-memory.dmp

Filesize
10.8MB

Download
memory/4768-34-0x000000001A570000-0x000000001A67A000-memory.dmp

Filesize
1.0MB

Download
memory/4768-33-0x00007FFD70AC0000-0x00007FFD71582000-memory.dmp

Filesize
10.8MB

Download
memory/5000-139-0x0000000009DA0000-0x0000000009DDC000-memory.dmp

Filesize
240KB

Download
memory/5000-89-0x0000000006D10000-0x0000000006D28000-memory.dmp

Filesize
96KB

Download
memory/5000-141-0x000000000A430000-0x000000000A53A000-memory.dmp

Filesize
1.0MB

Download
memory/5000-138-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/5000-137-0x000000000B220000-0x000000000B838000-memory.dmp

Filesize
6.1MB

Download
memory/5000-119-0x00000000091D0000-0x00000000091DA000-memory.dmp

Filesize
40KB

Download
memory/5000-118-0x0000000009180000-0x0000000009195000-memory.dmp

Filesize
84KB

Download
memory/5000-112-0x000000000A120000-0x000000000A131000-memory.dmp

Filesize
68KB

Download
memory/5000-111-0x0000000009D30000-0x0000000009DD4000-memory.dmp

Filesize
656KB

Download
memory/5000-102-0x00000000092A0000-0x00000000092EC000-memory.dmp

Filesize
304KB

Download
memory/5000-101-0x0000000008480000-0x00000000087D7000-memory.dmp

Filesize
3.3MB

Download
memory/5000-92-0x00000000070B0000-0x0000000007272000-memory.dmp

Filesize
1.8MB

Download
memory/5000-91-0x0000000006ED0000-0x0000000006EE0000-memory.dmp

Filesize
64KB

Download
memory/5000-88-0x0000000006B60000-0x0000000006B78000-memory.dmp

Filesize
96KB

Download
memory/5000-87-0x0000000006310000-0x000000000635E000-memory.dmp

Filesize
312KB

Download
memory/5804-27-0x00007FFD70AC0000-0x00007FFD71582000-memory.dmp

Filesize
10.8MB

Download
memory/5804-31-0x00007FFD70AC0000-0x00007FFD71582000-memory.dmp

Filesize
10.8MB

Download
memory/5804-23-0x00007FFD70AC3000-0x00007FFD70AC5000-memory.dmp

Filesize
8KB

Download
memory/5804-24-0x0000000000940000-0x000000000094C000-memory.dmp

Filesize
48KB

Download
memory/5804-25-0x000000001B560000-0x000000001B572000-memory.dmp

Filesize
72KB

Download
memory/5804-26-0x000000001B5C0000-0x000000001B5FC000-memory.dmp

Filesize
240KB

Download
memory/5808-47-0x00000000063A0000-0x00000000063BA000-memory.dmp

Filesize
104KB

Download
memory/5808-38-0x0000000006650000-0x0000000006C7A000-memory.dmp

Filesize
6.2MB

Download
memory/5808-68-0x00000000094B0000-0x00000000094BA000-memory.dmp

Filesize
40KB

Download
memory/5808-54-0x0000000007980000-0x0000000007CD7000-memory.dmp

Filesize
3.3MB

Download
memory/5808-51-0x0000000006580000-0x00000000065E6000-memory.dmp

Filesize
408KB

Download
memory/5808-52-0x0000000006480000-0x000000000649E000-memory.dmp

Filesize
120KB

Download
memory/5808-67-0x0000000009240000-0x00000000092E4000-memory.dmp

Filesize
656KB

Download
memory/5808-66-0x0000000009220000-0x000000000923E000-memory.dmp

Filesize
120KB

Download
memory/5808-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/5808-57-0x00000000072B0000-0x00000000072FC000-memory.dmp

Filesize
304KB

Download
memory/5808-53-0x0000000006C80000-0x0000000006CCA000-memory.dmp

Filesize
296KB

Download
memory/5808-50-0x00000000064E0000-0x0000000006576000-memory.dmp

Filesize
600KB

Download
memory/5808-49-0x0000000007300000-0x000000000797A000-memory.dmp

Filesize
6.5MB

Download
memory/5808-86-0x0000000074A80000-0x0000000075231000-memory.dmp

Filesize
7.7MB

Download
memory/5808-48-0x0000000006400000-0x0000000006436000-memory.dmp

Filesize
216KB

Download
memory/5808-69-0x0000000009620000-0x0000000009631000-memory.dmp

Filesize
68KB

Download
memory/5808-70-0x0000000009650000-0x000000000965E000-memory.dmp

Filesize
56KB

Download
memory/5808-56-0x0000000007160000-0x0000000007182000-memory.dmp

Filesize
136KB

Download
memory/5808-71-0x0000000009660000-0x0000000009675000-memory.dmp

Filesize
84KB

Download
memory/5808-72-0x00000000096B0000-0x00000000096CA000-memory.dmp

Filesize
104KB

Download
memory/5808-73-0x00000000096D0000-0x00000000096D8000-memory.dmp

Filesize
32KB

Download
memory/5808-55-0x00000000070C0000-0x0000000007126000-memory.dmp

Filesize
408KB

Download
memory/5808-8-0x0000000005220000-0x0000000005228000-memory.dmp

Filesize
32KB

Download
memory/5808-9-0x0000000005690000-0x00000000056B2000-memory.dmp

Filesize
136KB

Download
memory/5808-7-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/5808-6-0x0000000005230000-0x00000000052C2000-memory.dmp

Filesize
584KB

Download
memory/5808-5-0x00000000056D0000-0x0000000005C76000-memory.dmp

Filesize
5.6MB

Download
memory/5808-4-0x00000000050C0000-0x000000000511C000-memory.dmp

Filesize
368KB

Download
memory/5808-3-0x0000000074A80000-0x0000000075231000-memory.dmp

Filesize
7.7MB

Download
memory/5808-2-0x0000000005080000-0x000000000508E000-memory.dmp

Filesize
56KB

Download
memory/5808-1-0x0000000000570000-0x000000000065C000-memory.dmp

Filesize
944KB

Download