orcus | 363dc45b223fd59f5dfc9ea44a41b912ccd944f6cb317a068cd8247a7d0ffe8f

Analysis

max time kernel
809s
max time network
810s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
29/03/2025, 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper/Solara Bootstrapper.exe
Size

916KB
MD5

f24b0f78c8be241de211f2a7329c31d0
SHA1

c94c0bb146040ed400a80d754f6f7ed5003328ef
SHA256

4dbeefad08420db91ab0faa7bafebbd58a74fde562f97eaa2f2faedc56c1baae
SHA512

d6d969b6729206d4cf50519053109bff6ee6f84dd09e1900e03606ad150490db38881076e6a62f0dca02e2fa0e93221c0e86fe6534dd2fbec813d6c6a46ae8a6
SSDEEP

24576:dcI4MROxnFD3w74S4xrZlI0AilFEvxHiaZ:dcrMiJTrZlI0AilFEvxHi

Score

10^/10

orcus discovery persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

192.168.0.25:10134

Mutex

a5447eba215c43b98853781f7d6d0b95

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\Windows

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002b1a8-54.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002b1a8-54.dat	orcus
behavioral1/memory/4840-63-0x0000000000350000-0x000000000043A000-memory.dmp	orcus

Executes dropped EXE 7 IoCs

pid	Process
5784	WindowsInput.exe
1624	WindowsInput.exe
4840	Orcus.exe
5800	Orcus.exe
3464	Orcus.exe
5332	Orcus.exe
1444	Orcus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\""	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	Solara Bootstrapper.exe
File created	C:\Windows\assembly\Desktop.ini	Solara Bootstrapper.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	Solara Bootstrapper.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	Solara Bootstrapper.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe.config	Solara Bootstrapper.exe
File created	C:\Program Files\Orcus\Orcus.exe	Solara Bootstrapper.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	Solara Bootstrapper.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	Solara Bootstrapper.exe
File created	C:\Windows\assembly\Desktop.ini	Solara Bootstrapper.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Solara Bootstrapper.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877098731434422"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings	Orcus.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
3904	chrome.exe
3904	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeCreatePagefilePrivilege	236	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
5852	OpenWith.exe
5852	OpenWith.exe
5852	OpenWith.exe
5852	OpenWith.exe
5852	OpenWith.exe
5852	OpenWith.exe
5852	OpenWith.exe
5852	OpenWith.exe
5852	OpenWith.exe
5852	OpenWith.exe
5852	OpenWith.exe
5852	OpenWith.exe
5852	OpenWith.exe
5852	OpenWith.exe
5852	OpenWith.exe
5852	OpenWith.exe
5852	OpenWith.exe
5852	OpenWith.exe
5852	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 5292	4416	Solara Bootstrapper.exe	78
PID 4416 wrote to memory of 5292	4416	Solara Bootstrapper.exe	78
PID 5292 wrote to memory of 3904	5292	csc.exe	80
PID 5292 wrote to memory of 3904	5292	csc.exe	80
PID 4416 wrote to memory of 5784	4416	Solara Bootstrapper.exe	81
PID 4416 wrote to memory of 5784	4416	Solara Bootstrapper.exe	81
PID 4416 wrote to memory of 4840	4416	Solara Bootstrapper.exe	83
PID 4416 wrote to memory of 4840	4416	Solara Bootstrapper.exe	83
PID 5036 wrote to memory of 5800	5036	cmd.exe	87
PID 5036 wrote to memory of 5800	5036	cmd.exe	87
PID 236 wrote to memory of 2116	236	chrome.exe	94
PID 236 wrote to memory of 2116	236	chrome.exe	94
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 5000	236	chrome.exe	95
PID 236 wrote to memory of 3180	236	chrome.exe	96
PID 236 wrote to memory of 3180	236	chrome.exe	96
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97
PID 236 wrote to memory of 5824	236	chrome.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bootstrapper\Solara Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper\Solara Bootstrapper.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qq0zpypd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5292
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F24.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7F23.tmp"
    3⤵
    PID:3904
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:5784
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  PID:4840

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\Orcus\Orcus.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:5800

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7da2dcf8,0x7ffe7da2dd04,0x7ffe7da2dd10
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1876,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1872 /prefetch:2
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1452,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2260 /prefetch:11
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2348,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2752 /prefetch:13
  2⤵
  PID:5824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3288,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4144,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4188 /prefetch:9
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4620,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5276,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5284 /prefetch:14
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5492,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5516 /prefetch:14
  2⤵
  PID:828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5272,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5520 /prefetch:14
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5712,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5288 /prefetch:14
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5612,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5844 /prefetch:14
  2⤵
  PID:5308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5520,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5360 /prefetch:14
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5740 /prefetch:14
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5288,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5880 /prefetch:14
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5888,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5924 /prefetch:14
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4248,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3776 /prefetch:9
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4264,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5504 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6076,i,13426769768879872220,17478352360859010729,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5792 /prefetch:14
  2⤵
  PID:4796

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5932

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:5332

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
916KB

MD5
f24b0f78c8be241de211f2a7329c31d0

SHA1
c94c0bb146040ed400a80d754f6f7ed5003328ef

SHA256
4dbeefad08420db91ab0faa7bafebbd58a74fde562f97eaa2f2faedc56c1baae

SHA512
d6d969b6729206d4cf50519053109bff6ee6f84dd09e1900e03606ad150490db38881076e6a62f0dca02e2fa0e93221c0e86fe6534dd2fbec813d6c6a46ae8a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ced8eab3e59af4378424df93db04eeaf

SHA1
1435cc0c356538b95756c725230491d704774d1d

SHA256
f92dcec7b264a3390a23565fb1f9a05e1e73fde876bf5ceaa181e9f033917e2c

SHA512
4922ace916ee6844550b77517f4b9e5635acff78759d7cf5fc0a67918ba9274e75eb5dbf28337d702fed45c5e7f5a536c79fd0137822ae4742b5858f7ef2f4d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
34d424271f3f04aa51ff1f1975ea6043

SHA1
11658f981743c3155b531d8253ca65ef54ccfc4a

SHA256
092e1b50605274e17a45bf036ca5122bc984a22d1de5938fd5ee7c7329d82834

SHA512
e20234531adfed80d7aa75705d170f23f7996aacbfd9cad06db340fa5f136e2185ce7905a0ac07cbed70dc88ed4e9b01466e4bbd2ebc2d3681e9fddbbb4dc646

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a41a133afb27193a9f2db5bb83890ab3

SHA1
1dbb51315f3c0c4f8a7d2410ee1cf0e4859abdf9

SHA256
a86752c3e6ebdb2cf5163fbc5c1a1e05a6f9e912215cbaf555a742cd548df064

SHA512
5c5382b4e906add7ca7915a4e1e8a417d2c12434b56db99fa9f9c53242a2a7f0b24d08865c294aeb7866efca72badba86a8acd5e6d8319af8b3376db70258bad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f80a7ef92d02d8d17e8e81969552a69a

SHA1
82935be4e56664cde0cd9013187a41b0bf5850b0

SHA256
7febf18b02cc652457fcaa14dd83852a9c8e3e5c3be555e1c8a38f2016e0d5d6

SHA512
18e247316f1d1384ddf24355335d543f9c7ebd88e43262c7559324b716672f46d56d9c26806aea718ec5f8df83c3b746c997783712d151d81fdce2a6774030c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
517B

MD5
58ddc4d0c211ef45fe24231ba4e16cac

SHA1
a7862c7c0c8c369b7e5051fb3cf96f958fea2c69

SHA256
a5fafa5e3e800c87f00a5ae869f798952513b1a6ce9832d9b816d45c847dd303

SHA512
e1fab02d27ce64857f4b1435f3fd157a014a56760951041a8f953478bbe7c4acd36394afec83fbe4c1d167cc3258535b7cccf225820434fc472bae4ade97d60c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
803508173d270b5606f9c80f716cae70

SHA1
4c4cdf7601490e0fcbdb5f67345a523608e9df07

SHA256
d258de4d48923802dd9d5ad109a97499fb34d51becb5219492351cb3486d5d4f

SHA512
1e876ef604cc17cd05f3e44632a2fa10a50cc13efc8df9e7cb8174006e62e1994e5bb31560ad09506ed04dfac7fb595fd3b758940c1a715a0615140d426616c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b34a8ff8adc047e610576de72b7b7e05

SHA1
fd237f99480144b649869e7db5978c4e9f9795d1

SHA256
da1d18ee54f22bdddaad955da1cd4656c66e7f2d737ae550ed046fe67e422137

SHA512
b7212976cdf9ac1285d2ed2a93f74972ca06950bef7bfd30bc686f3fe1318ac5ee4b874bcf55e83fd535618e9a561961cffc32787cbdea15d68caf4ac58a8ad4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
ea88ca9582e094bf20bf0cc59e988f72

SHA1
a944fcf5b10fbb729b36e7a37098a73862506195

SHA256
de1f38db3ae08ceae52a32626b8d17480d7606e61e196e2a15ce053d055b71b7

SHA512
52b146689c4c686d30e85351382f00484f92abf216e65c60519bd0fd5257e9f5c44cb98ecd0175121ebd98f8e668f333f58b15cad45fbea58109a97717db4396

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9feca06fb8912923f4fb598fd1fe8773

SHA1
7018c3300ff9a0ac73f596abb6110cd720abca0f

SHA256
1f26ba937848d0ef09130fca4a203f65ab8097230d1a171790a2560e343a6769

SHA512
49e15de99a1e73841bf275f73669b45c0624628b5ec84eeff723fa6b11c0d29ff5b71d76ad68960dc19e1f8a35433bbf5712b798b5955088ba389da5a5a89159

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
0e9db53c2922f10704b26cdaa8a6af32

SHA1
b3aac2a18d44ad13647596cb90e9f52f0a8e3207

SHA256
8002b0a5024e89142e8dd3b09f6d3b28b792fcac24d3c240baace147d449aec6

SHA512
89cf324f7cd789d0dd5845ee0eb0d83bd18f74fd8df1623d933ddd9ed9fed2c8e47dea947da460bc5ebf71a200404833816af92f27518cd28609e4faaa6dffcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e810621ac4bb45d967b33c4fa95472bd

SHA1
7879c831ec64a33acc6b805abfb1391545f63e85

SHA256
2086f464315d743f7cc54757a1afe313103b048e648dea20448545ec955a2ca0

SHA512
e12b0dfb1a08a673f0b1fc1dc29e4cf163d914eca25f2cedb411ff12f2ba2ecbfd523b990e227dce47df3f21a37761dc1ed81dc851c72c672d99ffe3ea59d68f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe582a86.TMP

Filesize
48B

MD5
cec06892417401580597f13a58a66125

SHA1
37ea59e8a845650266a62b6297bdcf2c6fddbedb

SHA256
c72edfe080547d841ef792f594f5a2a265690847e9357abe4abc1546c56c53f7

SHA512
a5ce1399fd31a503c3377c5b278223c49081256d1892a4bf2ebe361e0bc458092b2b59145dba7f1f9d847bec75f215d4d0855fa3bb075d876d4ae79de3304905

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
709256d269644130c6931960954470c0

SHA1
6f686bf9351bd91579c957294e620d42e19fd8ac

SHA256
20ae3abb71dc0fb95b0d72f21604e870dcb9e65ea6c90404b366a92d7bfe5686

SHA512
7aef5cd74a48ac711fee73f953edb74a384022af085c4a860abb33981bfe6cd6c856fab8a99b8cc3e4fb24c7163d55be70bda3744055d7a5c450b2ecd6233fb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
d571d710de881295dce7358b2d0652cf

SHA1
d623b3b1fb2e84833b27244646c6ce23fff3fd02

SHA256
9cc61f9d52196c940501fdc90b5f40d32261880d2d5b9703805ca12a2dd33839

SHA512
090ceb89d88be2a2310e0fd4b54211cbdf255b6e732f40be4736f73faecd1b4004b4c26645bc356846484c2193e0996fa3f5643a2eb5d49d8420310a1c79d686

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
b56b19805b26b328e16c820a7d729282

SHA1
2e6a1255909391c2cf766d37414f621ca6188198

SHA256
e89522c440fb8c269f34180c67fdb11c3c58f72e4cfa8cee6f4985e83a533370

SHA512
95e4a1ac720a5e262a69e67f4aafd1a83aefe746111948ff38579c5c2d1e4368592b3824e42724c282c3036224c00a9408422b1af3bc9ab3ff09958a622c9637

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
156KB

MD5
cd616626fde848ff1ccdb1a062a43c26

SHA1
008d0105725eb5444f0d62735c124101388a6374

SHA256
6b9da0c1a7605b2f97826969e1b71596993408b09954de5c0481500a24879ac5

SHA512
a4232f5599a9b51a7cf13cebcf4b10fac9b550b9fb58ef29c01a5b54f95f4cd4c23a540f24fce5cb0ab68e9e9ad55a0a6f7a5657bb8a137524c5e59dbda9f596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Orcus.exe.log

Filesize
1KB

MD5
9666dac81545c9074f4da5ceac101f52

SHA1
ea515e0b8895f3d75a949851a360f8082637017b

SHA256
1dc357977659fdb0474ba61f6e34053669875581f8ef70fa397a31d1b2a81e3c

SHA512
6e4a99b1b27b61973ae79fdfd4dd9831aabb6d64177a1e9081977b5bf8fdf7e9d0c071dd5e229484c3db6f66271f91247d48f086dc6bd43566553ccdc9ac5670

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7F24.tmp

Filesize
1KB

MD5
0f8c6dd2b9bbdc7c351a2b1071c4558c

SHA1
00fac25320c92628aa8e01bdc8ed0e06cdf2ead9

SHA256
dfeb7bc6b1ac66f9412e7da35952f01fab372b4f8fbe216e0e3577306cd6ddce

SHA512
cd4d4c0f4434a02891b0b9bb9be1a0a2e5962870edc9d12147a3c4b3e20a62e3e94828b3b3215d497c8853c0e963f8d23b51f619c48104d3dade45022a824974

Download Submit
C:\Users\Admin\AppData\Local\Temp\qq0zpypd.dll

Filesize
76KB

MD5
a4015f21fbfb4b37005dc8e52b1c9e43

SHA1
3060a71b1204230b684940c4885c65cdb21937fd

SHA256
c4e3a3657fec01e2567eda413966b4150310ff9d4c10e2e3d4174d3a7bdfad19

SHA512
ce32a043bfb377759f7935f6e6b6879ffb3520241ff8af481d93093656aea7b057a16cfd7c25c3461daef19ccd454cfd4b3e47a8cfd65fe45ed4f096cbd1fac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir236_183736771\a92ed74f-b6ab-4ff1-b0bc-e56b211112e6.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7F23.tmp

Filesize
676B

MD5
ebb70d277bc48042bd8f7bd66c0e80f3

SHA1
f1619021878dc8eb4c1d30dbf680c0a93723aa29

SHA256
cadfefdfcdbfbe9103f998c05b10b052fafc3e03eab48144f1ac213fd2ca21d5

SHA512
cea1d89da17946abb2410ec7ea58847fc2a6e1b31d1b17cac78bfed91aca3ea1a130f96a0d80c188baae367cf61a6dcd3578e08cc9f8b222057944d6ea7a1952

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qq0zpypd.0.cs

Filesize
208KB

MD5
ebf7d81eeafa2b8581b30a9c99462228

SHA1
98fc222c2023e1ce0a1b847f20754bf0cff40d82

SHA256
693c45c2a01eb38377db4a7e7ef4fd7f8aaed6e0a98750f8ba07dda0235c91b9

SHA512
fbe17b4f2216626372513b139c633e135d785dcce7eb7511a8b92c045d0301c4d47bd5549c3a1aa80a4794794bc8c80c451012d117ced863581c7a725db146e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qq0zpypd.cmdline

Filesize
349B

MD5
84b6e45003f226b17bf711fcc862719e

SHA1
6013e701e8f6d59825e660fe05e94f8b4e55eefb

SHA256
2860701d582981c12cd4c21fc1a219fa95cf667688b7180cde47f2fa851a9ba2

SHA512
119a6ad4833e99b3742c18fcca60541693de158e3118414d893856a30067265354cf3b0486acb7014bedc1c6c9189f1060e085c06e481ff64007aff3cb58e4fe

Download Submit
memory/1624-48-0x000000001A9A0000-0x000000001AAAA000-memory.dmp

Filesize
1.0MB

Download
memory/4416-23-0x000000001BB20000-0x000000001BB36000-memory.dmp

Filesize
88KB

Download
memory/4416-8-0x000000001C6E0000-0x000000001C77C000-memory.dmp

Filesize
624KB

Download
memory/4416-1-0x00007FFE7D250000-0x00007FFE7DBF1000-memory.dmp

Filesize
9.6MB

Download
memory/4416-2-0x000000001BA50000-0x000000001BAAC000-memory.dmp

Filesize
368KB

Download
memory/4416-5-0x000000001BAE0000-0x000000001BAEE000-memory.dmp

Filesize
56KB

Download
memory/4416-64-0x00007FFE7D250000-0x00007FFE7DBF1000-memory.dmp

Filesize
9.6MB

Download
memory/4416-6-0x000000001C170000-0x000000001C63E000-memory.dmp

Filesize
4.8MB

Download
memory/4416-7-0x00007FFE7D250000-0x00007FFE7DBF1000-memory.dmp

Filesize
9.6MB

Download
memory/4416-0-0x00007FFE7D505000-0x00007FFE7D506000-memory.dmp

Filesize
4KB

Download
memory/4416-25-0x00000000011F0000-0x0000000001202000-memory.dmp

Filesize
72KB

Download
memory/4416-26-0x000000001D070000-0x000000001D090000-memory.dmp

Filesize
128KB

Download
memory/4840-70-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/4840-63-0x0000000000350000-0x000000000043A000-memory.dmp

Filesize
936KB

Download
memory/4840-65-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4840-66-0x000000001B060000-0x000000001B0AE000-memory.dmp

Filesize
312KB

Download
memory/4840-69-0x000000001B0B0000-0x000000001B0C8000-memory.dmp

Filesize
96KB

Download
memory/5292-21-0x00007FFE7D250000-0x00007FFE7DBF1000-memory.dmp

Filesize
9.6MB

Download
memory/5292-16-0x00007FFE7D250000-0x00007FFE7DBF1000-memory.dmp

Filesize
9.6MB

Download
memory/5784-40-0x00007FFE7AE53000-0x00007FFE7AE55000-memory.dmp

Filesize
8KB

Download
memory/5784-41-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/5784-42-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/5784-43-0x000000001AFC0000-0x000000001AFFC000-memory.dmp

Filesize
240KB

Download