Malware Analysis Report

2025-01-22 15:03

Sample ID: 240214-vshdtshd56
Target: https://cdn.discordapp.com/attachments/1200490891303993404/1207374366661148772/Dis.rar?ex=65df6a00&is=65ccf500&hm=7b9252ce46efdf5b2e8fe586b7cd1feca560b8a700a635fabbcba7162ba35f74&
Tags: orcus, rat, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

Threat Level: Known bad

The file https://cdn.discordapp.com/attachments/1200490891303993404/1207374366661148772/Dis.rar?ex=65df6a00&is=65ccf500&hm=7b9252ce46efdf5b2e8fe586b7cd1feca560b8a700a635fabbcba7162ba35f74& was found to be: Known bad.

Malicious Activity Summary

Tags: orcus, rat, spyware, stealer

Orcus

Orcus main payload

Orcurs Rat Executable

Executes dropped EXE

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-14 17:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-14 17:14

Reported

2024-02-14 17:16

Platform

win10-20231215-en

Max time kernel

95s

Max time network

96s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1200490891303993404/1207374366661148772/Dis.rar?ex=65df6a00&is=65ccf500&hm=7b9252ce46efdf5b2e8fe586b7cd1feca560b8a700a635fabbcba7162ba35f74&

Signatures

Orcus

Tags: rat, spyware, stealer, orcus

Orcus main payload

Description | Indicator | Process | Target
6 hits; the sandbox recorded no description, indicator, process or target for this signature.

Orcurs Rat Executable

Description | Indicator | Process | Target
7 hits; the sandbox recorded no description, indicator, process or target for this signature.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\Dis.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\Dis.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Orcus\Orcus.exe | C:\Users\Admin\Downloads\Dis.exe | N/A
File opened for modification | C:\Program Files (x86)\Orcus\Orcus.exe | C:\Users\Admin\Downloads\Dis.exe | N/A
File created | C:\Program Files (x86)\Orcus\Orcus.exe.config | C:\Users\Admin\Downloads\Dis.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

All three hits come from chrome.exe, not from Dis.exe or Orcus.exe.

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133524045158732080" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Both writes are made by chrome.exe under the S-1-5-19 (LOCAL SERVICE) hive, not by the Orcus payload.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35 (privilege name not resolved by the sandbox) | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A

Every chrome.exe hit is SeShutdownPrivilege or SeCreatePagefilePrivilege; the 7zG.exe hits (SeRestorePrivilege, SeSecurityPrivilege) are consistent with an archiver restoring file attributes and security descriptors during extraction. Neither Dis.exe nor Orcus.exe appears in this table.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A (34 hits)
N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A (24 hits)
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 712 wrote to memory of 4872 (2 hits) | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 712 wrote to memory of 3340 (38 hits) | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 712 wrote to memory of 3648 (2 hits) | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 712 wrote to memory of 4784 (22 hits) | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe

All 64 writes are from the Chrome browser process (PID 712) into its own child processes (the target column is also chrome.exe), which is how Chrome sets up its renderer, GPU and utility processes. Dis.exe and Orcus.exe do not appear in this table.

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1200490891303993404/1207374366661148772/Dis.rar?ex=65df6a00&is=65ccf500&hm=7b9252ce46efdf5b2e8fe586b7cd1feca560b8a700a635fabbcba7162ba35f74&

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa47db9758,0x7ffa47db9768,0x7ffa47db9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1788 --field-trial-handle=1860,i,18107426263961833172,12402397317736328217,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1540 --field-trial-handle=1860,i,18107426263961833172,12402397317736328217,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=1860,i,18107426263961833172,12402397317736328217,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1860,i,18107426263961833172,12402397317736328217,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2880 --field-trial-handle=1860,i,18107426263961833172,12402397317736328217,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1860,i,18107426263961833172,12402397317736328217,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 --field-trial-handle=1860,i,18107426263961833172,12402397317736328217,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 --field-trial-handle=1860,i,18107426263961833172,12402397317736328217,131072 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap20911:68:7zEvent3609

C:\Users\Admin\Downloads\Dis.exe

"C:\Users\Admin\Downloads\Dis.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Users\Admin\Downloads\Dis.exe

"C:\Users\Admin\Downloads\Dis.exe"
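
The signature hits above (Executes dropped EXE, Drops file in Program Files directory) and the process list describe one chain: 7zG.exe extracts Dis.exe into Downloads, Dis.exe writes Orcus.exe and Orcus.exe.config under C:\Program Files (x86)\Orcus\ and then starts Orcus.exe. The Python below is an added example, not part of the sandbox output, showing how that chain can be recovered from process-creation and file-write telemetry. The event records are constructed from the paths in this report: PID 712 is chrome.exe as in the WriteProcessMemory table; PIDs 3888, 1496 and 1936 are taken from the memory dump names in the Files section, but their mapping to processes, every parent link, and the explorer.exe and 7zG.exe PIDs are assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class FileWrite:
    pid: int      # writing process
    path: str     # file created or opened for modification


# Locations a low-privilege user can write to; a payload staged here is suspect.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
EXECUTABLE = (".exe", ".dll", ".scr")
# Processes that legitimately place new executables into user directories.
ARCHIVERS = {"7zg.exe", "7z.exe", "7zfm.exe", "winrar.exe", "unrar.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def lineage(pid, by_pid):
    """Image names from pid up to the root; cycle-safe for recycled PIDs."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names


def find_dropper_chains(procs, writes):
    """Return processes that (1) run from a user-writable path, (2) were written
    there by an archiver or browser, (3) wrote an executable under Program Files
    and (4) spawned that executable. All four conditions must hold."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        img = p.image.lower()
        if not any(seg in img for seg in USER_WRITABLE):
            continue
        writers = {_name(by_pid[w.pid].image) for w in writes
                   if w.path.lower() == img and w.pid in by_pid}
        if not writers & (ARCHIVERS | BROWSERS):
            continue
        dropped = sorted({w.path for w in writes if w.pid == p.pid
                          and w.path.lower().startswith(PROGRAM_DIRS)
                          and w.path.lower().endswith(EXECUTABLE)})
        executed = [c.image for c in procs if c.ppid == p.pid and c.image in dropped]
        if dropped and executed:
            findings.append({"pid": p.pid, "dropper": p.image,
                             "written_by": sorted(writers),
                             "lineage": lineage(p.ppid, by_pid),
                             "dropped": dropped, "executed": executed})
    return findings


# Constructed telemetry mirroring this report's process list and file events.
SAMPLE_PROCS = [
    Proc(4000, 1, r"C:\Windows\explorer.exe"),                                  # PID assumed
    Proc(712, 4000, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Proc(2400, 4000, r"C:\Program Files\7-Zip\7zG.exe"),                        # PID assumed
    Proc(3888, 4000, r"C:\Users\Admin\Downloads\Dis.exe"),                      # parent assumed
    Proc(1496, 3888, r"C:\Program Files (x86)\Orcus\Orcus.exe"),                # parent assumed
    Proc(1936, 1496, r"C:\Users\Admin\Downloads\Dis.exe"),                      # parent assumed
]
SAMPLE_WRITES = [
    FileWrite(712, r"C:\Users\Admin\Downloads\Dis.rar.crdownload"),
    FileWrite(2400, r"C:\Users\Admin\Downloads\Dis.exe"),
    FileWrite(3888, r"C:\Program Files (x86)\Orcus\Orcus.exe"),
    FileWrite(3888, r"C:\Program Files (x86)\Orcus\Orcus.exe.config"),
]

if __name__ == "__main__":
    for finding in find_dropper_chains(SAMPLE_PROCS, SAMPLE_WRITES):
        print(finding)
```

Only the first Dis.exe instance is reported: the second launch wrote nothing under Program Files, and Orcus.exe itself runs from Program Files rather than a user-writable path, so the rule fires once per dropper rather than once per descendant. Requiring the dropper to have been written by an archiver or browser is what keeps ordinary installers run by an administrator out of the results.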

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | - | tcp
US | 8.8.8.8:53 | cdn.discordapp.com | udp
US | 162.159.129.233:443 | cdn.discordapp.com | tcp
US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp
N/A | 224.0.0.251:5353 | - | udp
US | 138.91.171.81:80 | - | tcp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
GB | 157.231.133.174:8443 | - | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
N/A | 127.0.0.1:8443 | - | tcp
GB | 157.231.133.174:8443 | - | tcp
N/A | 127.0.0.1:8443 | - | tcp

The 8.8.8.8:53 rows are the sandbox resolver, the in-addr.arpa rows are reverse lookups and 224.0.0.251:5353 is mDNS. The remaining remote endpoints are 162.159.129.233:443 (cdn.discordapp.com, the download source), 138.91.171.81:80 and 157.231.133.174:8443; the report does not attribute any connection to a process, so none of them is tied to Orcus.exe by this data alone.

Files

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 299f828f5f15335ff67544a1ec246381
SHA1 367b2c9255a854410574493627be21c29ed740f9
SHA256 8c1210fdfc59f70db493c6190952d3dd72f0f497516ac301b40513de27332a0d
SHA512 60224e7132903104c52374a9b0ce202ed3ff658184e23aeb9afdfad9ee3613d74489b93e9d8253d8da1638b4300a4f4be38f3264e0590440c565c8733d801d4b

\??\pipe\crashpad_712_LUHOATLAVMQVHCEH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\Downloads\Dis.rar.crdownload

MD5 612f05333cd071ad15fd7215632c48c6
SHA1 f5920b816230f25157f05a761a24e91f04f7b4e7
SHA256 be1e8ecc4bdd5a83fa5bd6af50173a2a83ba188df82506df4e0a9584017bbb0f
SHA512 511504a8ce2c41f51e1863eeb58fa28d11c71d6e50783bfd34b53b1fa629dcc64c0d7904173919447a1882867103fe5bc7456922c19f72c18ef6be94c2aa7d53

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b99a1e4237e4a6e5fae3280f6e20e766
SHA1 5b2fecf2497b56485e740fd6332bea7b50fff644
SHA256 387185a47f832c7a4e89d86937c0389bab63bfc5df0a1f69417412e41eb8a0ae
SHA512 30306f53f49029b105939534e83e16ad8608b8352393f7ecb98617e882c99cc754a52d9e8bd1a965bad64734ccd142618b4f38306bd067619b4277979b3e4968

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 b121cebaf529651a11604ee67ae5f674
SHA1 744d69250685e00747f4c9ec591a13a428b3d9bc
SHA256 11eab333b1d02c7ed87f5b237aaceabca18e5d40d15f2696b80b29e0e2d19ce1
SHA512 cd75879641904a9adcde0bb4526bb8b00779948d3faeb4dbaf97ea421d7ca77083e6606eba145dee35488bf4e40244d2e0ffe0a0efe2a61ec7d830fdfe7f888a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 91cf906f146e6e5cc2a944801c482673
SHA1 53655a9bacc9bc899eb6db8828e72baef93f0345
SHA256 6ffa5c35d0e6736a45c22e234000a1198bf7986a5ddafa66b2085361d31620d2
SHA512 92e4dfb20ffdf90744a436755ac72e3ee48e64ff0c2b4a17de617eacc8e08d04b62f6e304e1b8fbb44e731ff5b79bf132ee06fcf2089137b015feb6a1ad9678f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 c86f2f6d621c59c9d2d5f0f27a4574ce
SHA1 6adf9c3d04aafb4bdd322e9a3a1348039b5af9a1
SHA256 478c4a7928854a5a41c9952f14122350c7314324d1c20b6f2267fe9f4b6f897e
SHA512 6dc3191d538765b556b05eb532ad000de87bc1de8a8e4ff9c88504778f8a576ff66bb4f29cf74fd72be2b4e38c3ffe2ff482301a3f9ae22b4c023bc3d030c9c3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 714cbe9362abe618c17c445fc09392ba
SHA1 2d9f4ef9a717607e187ac6748d6ec7d9ef5b7f32
SHA256 80099b2f8f48cccbfe638602444c2441a8a1edbe634066a2b117c42ac4b08b0d
SHA512 6ac92bd0ff0ac1d70259240d220aefdd1879fed85ba2db18c01a68e1e0f641d2262b307575bc61079d23585000d124d621fc0825554112f55742679b97843a23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\Downloads\Dis.exe

MD5 5d4e2ad1a9c214ff44ff3812bf44142c
SHA1 6ed3198cd22c3df20943e31ba4d0a809ed9d5504
SHA256 da7d4064234a798767518a6761e4835cae459acb9ad72521b714772b2fc5f41c
SHA512 deeacff674e9ce499ca306d1551e4375a06f7df728a35cf2a755126ec47c31e5165f87adacf436d5c3448be13a7d2c58d6587d00f4e7052b5a1c3bd0e0255222

C:\Users\Admin\Downloads\Dis.exe

MD5 8b07679fc95cf586099d982552986a82
SHA1 a5889527ee84bff8a06b8a45cb881ac226c9ffd5
SHA256 fc803c78881628cbbe5cc02e0c843b119682b4728b08aec45ab437ea05395dd7
SHA512 86c0091849630bad612daa7e4ff3207dd9ca4153a02db06cf478e9a0776936cf4d9863ed980789774ca734a0da7572455d4afaecd3e8dfcacc5b550d6e6e0053

memory/3888-143-0x0000000000C60000-0x0000000000D48000-memory.dmp

memory/3888-144-0x0000000073700000-0x0000000073DEE000-memory.dmp

memory/3888-145-0x00000000054B0000-0x00000000054C0000-memory.dmp

memory/3888-146-0x0000000005490000-0x000000000549E000-memory.dmp

memory/3888-147-0x0000000005530000-0x000000000558C000-memory.dmp

memory/3888-148-0x0000000005AB0000-0x0000000005FAE000-memory.dmp

memory/3888-149-0x00000000056C0000-0x0000000005752000-memory.dmp

memory/3888-150-0x00000000056A0000-0x00000000056B2000-memory.dmp

memory/3888-151-0x00000000061F0000-0x00000000061FA000-memory.dmp

memory/3888-152-0x00000000054B0000-0x00000000054C0000-memory.dmp

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 6b4eecf3eb62db1ccfcdeb4cf2b8aa41
SHA1 6b3a1351d0f7e6c9c41bb58d1d3208a168ba2d43
SHA256 ea9dd111a3b00694f6af0268151367c509021a7251c5b0ba2153b1f85776c6c1
SHA512 9f5664991de9cc943d8392427d805d12611eb8bba3ec6a0085761f1e11d3ccc29923ea0ca8fd213bd068916208045cc80f6ae8f0dff5ea0d120267c512bb829f

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 6534bdeb4b52c2de3bfb79f17cfe464b
SHA1 1ac0f2ea22b7958298f958016c92117e67631a1c
SHA256 e59a91c812dd2a62339968d97450979c885d82cd12cf5f2f4ea6696be634a83a
SHA512 77c570df00e04837f444ca22d50c7551bf3af75c7afdb96bc07e2c3ef1fcf4f15e1c2cba0eeed740c59ed4e2ba97476b8195261865f6dd2e26ea78bce272f700

C:\Program Files (x86)\Orcus\Orcus.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 851a799a6d3a02a46c07eaef247bac5d
SHA1 4e24e7514dfad8aa6ed67c07e2b5c35f85bf4d5a
SHA256 e0315cb18054439ae348d0f735e910f965d423004a50c02804dac72d7f8ef5d5
SHA512 be8e69fff393e4adc06572c3d349c3b6430a6c6c0373f347c3c78236167977fb4a702d4405fcd3ec2dd1b8bd4213511aed59b1471cd0ecab0de728cbdef70f46

memory/1496-163-0x0000000003160000-0x0000000003170000-memory.dmp

memory/1496-165-0x0000000073700000-0x0000000073DEE000-memory.dmp

memory/3888-164-0x0000000073700000-0x0000000073DEE000-memory.dmp

memory/1496-166-0x0000000005880000-0x0000000005892000-memory.dmp

memory/1496-167-0x0000000005C90000-0x0000000005CA8000-memory.dmp

memory/1496-168-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

memory/1496-169-0x0000000003160000-0x0000000003170000-memory.dmp

memory/1496-170-0x0000000073700000-0x0000000073DEE000-memory.dmp

C:\Users\Admin\Downloads\Dis.exe

MD5 94dc002c04c5a8189200292b527d8cf5
SHA1 1cd49d50b4526c0f60fc3489eaa59c8f39c546ef
SHA256 d08500896ea85a9e62b5b2ae2f5424ee472901859d46bf87ab9448e9e0d4f5e5
SHA512 d0d3f65d435e296b87aa195cb7c1d8a419bc9dfc695d7eb84794d0b2175d5b70868a97fe19ae26aba0b7d7e6d5b366676686e4ff52dd504570b02cfa430887da

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dis.exe.log

MD5 a8621816e9cb2a332f1b2207e5f8b278
SHA1 b44f23656fa9ae7622e4212560c7551ff3bddcba
SHA256 898999326c00a1885e7e5054f9a117326fd8c2b0f7179f95e480e541907ba970
SHA512 ea8f8697eda369f1ae49247f1a770ac55c2c23517e78eb08f6e283d28cc2ad609266c237b000e2ce63a371ff06f3cee2860007e3821d21a532c4846263c7f6dd

memory/1936-173-0x0000000073700000-0x0000000073DEE000-memory.dmp

memory/1936-174-0x0000000005040000-0x0000000005050000-memory.dmp

memory/1936-175-0x0000000073700000-0x0000000073DEE000-memory.dmp
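
The Network and Files sections above are flattened tables. The Python below is an added example, not part of the sandbox output: it parses excerpts of both sections in the report's own line format, collects the distinct SHA256 digests per path (the same path appears several times because the sandbox hashes a file each time it is written to, so Dis.exe and Orcus.exe each carry more than one digest), and reduces the connection list to remote endpoints worth blocking or hunting by removing the sandbox's own DNS resolver traffic, reverse lookups, mDNS and loopback. The excerpts are copied from this report with only the SHA256 lines kept; the labels "delivery" and "unresolved-endpoint" are this example's own naming.

```python
import ipaddress
import re

# Excerpt of this report's Files section; only the SHA256 lines are kept here.
FILES_EXCERPT = r"""
C:\Users\Admin\Downloads\Dis.rar.crdownload
SHA256 be1e8ecc4bdd5a83fa5bd6af50173a2a83ba188df82506df4e0a9584017bbb0f

C:\Users\Admin\Downloads\Dis.exe
SHA256 da7d4064234a798767518a6761e4835cae459acb9ad72521b714772b2fc5f41c

C:\Users\Admin\Downloads\Dis.exe
SHA256 fc803c78881628cbbe5cc02e0c843b119682b4728b08aec45ab437ea05395dd7

memory/3888-143-0x0000000000C60000-0x0000000000D48000-memory.dmp

C:\Program Files (x86)\Orcus\Orcus.exe
SHA256 ea9dd111a3b00694f6af0268151367c509021a7251c5b0ba2153b1f85776c6c1

C:\Program Files (x86)\Orcus\Orcus.exe.config
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

C:\Users\Admin\Downloads\Dis.exe
SHA256 d08500896ea85a9e62b5b2ae2f5424ee472901859d46bf87ab9448e9e0d4f5e5
"""

# Excerpt of this report's Network section, in its original column order.
NETWORK_EXCERPT = """
US 138.91.171.81:80 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 138.91.171.81:80 tcp
GB 157.231.133.174:8443 tcp
N/A 127.0.0.1:8443 tcp
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
NET_LINE = re.compile(r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                      r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$")


def parse_files(text):
    """Map each path to the list of hash sets recorded for it; memory dumps get []."""
    records, current, hashes = {}, None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            hashes[m.group(1)] = m.group(2).lower()
            continue
        if hashes:                      # a new path line closes the previous block
            records[current].append(hashes)
        current, hashes = line, {}
        records.setdefault(current, [])
    if hashes:
        records[current].append(hashes)
    return records


def file_hashes(records, algo="SHA256"):
    """Distinct digests of on-disk files; a path captured at several stages yields several."""
    return {h[algo] for path, sets in records.items()
            if not path.startswith("memory/") for h in sets if algo in h}


def parse_network(text):
    return [m.groupdict() for m in map(NET_LINE.match, map(str.strip, text.splitlines())) if m]


def triage_network(rows, delivery_hosts=("cdn.discordapp.com",)):
    """One row per remote endpoint, minus sandbox plumbing: the 8.8.8.8 resolver,
    PTR lookups, multicast/mDNS, loopback and RFC 1918 space. The delivery host
    is kept but labelled so it is not read as command-and-control."""
    seen, out = set(), []
    for r in rows:
        ip, domain = ipaddress.ip_address(r["ip"]), r["domain"] or ""
        if (r["ip"], r["port"]) == ("8.8.8.8", "53") or domain.endswith(".in-addr.arpa"):
            continue
        if ip.is_multicast or ip.is_loopback or ip.is_private:
            continue
        key = (r["ip"], int(r["port"]), r["proto"])
        if key in seen:
            continue
        seen.add(key)
        out.append({"ip": key[0], "port": key[1], "proto": key[2], "domain": domain,
                    "label": "delivery" if domain in delivery_hosts else "unresolved-endpoint"})
    return out


if __name__ == "__main__":
    print(sorted(file_hashes(parse_files(FILES_EXCERPT))))
    for endpoint in triage_network(parse_network(NETWORK_EXCERPT)):
        print(endpoint)
```

Feed the full Files and Network sections in place of the excerpts to get the complete digest and endpoint lists; the browser profile files (Local State, Preferences, ShaderCache) will then also appear in the digest set and should be dropped by path before the hashes are pushed to a blocklist, since they are Chrome's own state and not part of the sample.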