orcus | 911e3e95efddbae9d1c2f4b04027567c76823116755097b5868b7241c7e30cbc

Analysis

max time kernel
95s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orcus.Administration.exe
Size

16.2MB
MD5

a6347e4e194adb6d2a3fae52598d8cdd
SHA1

aa06c496c20d6e04142d4a5205a032680a452a0d
SHA256

911e3e95efddbae9d1c2f4b04027567c76823116755097b5868b7241c7e30cbc
SHA512

2ee24604c0edbc09096e2344ca6c1f74b1067b9aff7f077d0b4e42cd8f51dd1116e98016e34f0a1d951fcdbc8bfed33b1709a9692ba95b3ea3cd84d9ce080922
SSDEEP

393216:3pC4606R60B8vYfZ9DfZ9DSK7SftLaeH+:sJOcPLPte

Score

10^/10

orcus rat spyware stealer

Malware Config

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral1/memory/4884-1-0x00000000005E0000-0x000000000161E000-memory.dmp	orcus

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5116	4884	WerFault.exe	80

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
3116	chrome.exe
3116	chrome.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	taskmgr.exe
Token: SeSystemProfilePrivilege	2804	taskmgr.exe
Token: SeCreateGlobalPrivilege	2804	taskmgr.exe
Token: 33	2804	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2804	taskmgr.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 948	3116	chrome.exe	91
PID 3116 wrote to memory of 948	3116	chrome.exe	91
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 3176	3116	chrome.exe	92
PID 3116 wrote to memory of 2480	3116	chrome.exe	93
PID 3116 wrote to memory of 2480	3116	chrome.exe	93
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94
PID 3116 wrote to memory of 1712	3116	chrome.exe	94

C:\Users\Admin\AppData\Local\Temp\Orcus.Administration.exe
"C:\Users\Admin\AppData\Local\Temp\Orcus.Administration.exe"
1⤵
PID:4884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 816
  2⤵
  - Program crash
  PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4884 -ip 4884
1⤵
PID:3980

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe6fb2ab58,0x7ffe6fb2ab68,0x7ffe6fb2ab78
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=2104,i,16462513390664546556,8846348566027245600,131072 /prefetch:2
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1656 --field-trial-handle=2104,i,16462513390664546556,8846348566027245600,131072 /prefetch:8
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=2104,i,16462513390664546556,8846348566027245600,131072 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=2104,i,16462513390664546556,8846348566027245600,131072 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=2104,i,16462513390664546556,8846348566027245600,131072 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3640 --field-trial-handle=2104,i,16462513390664546556,8846348566027245600,131072 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=2104,i,16462513390664546556,8846348566027245600,131072 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4808 --field-trial-handle=2104,i,16462513390664546556,8846348566027245600,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:3960
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x258,0x25c,0x260,0x234,0x264,0x7ff68151ae48,0x7ff68151ae58,0x7ff68151ae68
    3⤵
    PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=2104,i,16462513390664546556,8846348566027245600,131072 /prefetch:8
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4524 --field-trial-handle=2104,i,16462513390664546556,8846348566027245600,131072 /prefetch:1
  2⤵
  PID:4884

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2908

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
34b627959a81563430c0b1731f8eaaf8

SHA1
a5288ee3b6c190ebb4997cd0d8585d7928ecd779

SHA256
ad87fb1d7e791d8a287f47e06c460b453a6e26eebd68fdce45e47834d3e46574

SHA512
cbaddc3dcc7cc0850d0142a000d33cad77d59cedeeb36d84bf912b96d7fde1c5ebd7a9b4a7147d5122bb2502a8148206c44c579d05815b190c31768da16007bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6ec17fc39c23f37e8bb7143537ae7f91

SHA1
25a7600971308a8872618969d8dc5077a6b19fb3

SHA256
69d32a3988be5e623592019c04f2237538234f3868fad23a31ec806217ed1fd6

SHA512
878ce6eacdec0788b845e69b79cefecd83c63ae16798c6be3a09679ab1f68f4861805812339f07d348578ffdeb625a8402e4a83b39fa0471a56035d5a16b235d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7a6a8173ec9d931770448475774cc7f4

SHA1
9c65db7687a600f49e9eb1e21e470b083276adf9

SHA256
b9a9fccf2ff8c0256999ebbf0965f5b6042082e6e56f8f2c4be4159ced269975

SHA512
db31d74aa94f4f7ac204218edb6f1ebf2b9a04daf8f1de91aa150542c52324f534945b509f847416ff45dff27f53d3bc272c5c24fe12507bf8175fbd74184182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9636510689deda4308f9a73bfc81f303

SHA1
46d6a842cf30fd6ca20cd5d274bc4a88edd57112

SHA256
34d1d90d8aee07e31a37bb94a52696a26bb8d4bbc017109bfb445986b8b42c9d

SHA512
141ace4a790e90b84495d2d31bf5e6914f9ab839fe268330f1c786c0383c086b5396fe98f032b5986a59f4a7a9a7350bec45c36fc15d608499c7ba3975befaf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cd7ba3d1d80db54aa56f6d54ac2fd1b1

SHA1
e56ac1e5ccd723c26234650cc668c10398a657bb

SHA256
3a8781e2dfaed333d9ff534b9e11af4a140e09aa7ead93c6b65394674c7e26be

SHA512
c00c35bd085d556c2dae65ea0a2b20c1e18e6bcb9b9c2f5d9bea90d2f765a5e0a689fbabc45b3d5532b80a20204cccedb650d465631e90643bde17863a8e5510

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b09888f19c02d29a95f123abd64e7810

SHA1
ff03301719d22410341f125e0ea7fb19bfe2cfcd

SHA256
be94499ac666a51616c071802cdbc0bc8ddf90ffea26e4a586866bb51a18f383

SHA512
78aaa88f6d0167b250ac82d00cb8466ed034b0cf7a7aa070653e8048063fffe178ec891e4cc46ae49d7a6963af535903940f61b0abf578d106508d99ea938b63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fb8dd1ccf630d3b4b178e2c4a7838f18

SHA1
eab09a4c18e148658e3351e28e9c32155972db12

SHA256
f5c04fd44d74b7e664d7b395054f71066bbca574e016de94bcd2551477535949

SHA512
d3bae5bc1a18cdebeda815719aa37120fa6712c499e8635f378ca1e3b3a6b37edd868f9439479ff0480359026df55ee936d9e1cb32e81aee47b9a3b6fb96403f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5d4d1d84c1f0846fe3ee722ed0ceba7d

SHA1
55c7f2fbf9e7216e57af4ef9c3326855a458ee90

SHA256
fa1f4e4737fe8b7cbd909c15976935e860beb69b1c59a799f2db8d352749d11e

SHA512
92e0df9a0c5b3d18b720c22b8b79555b37c4c7fdfdee74e334c8d3a5bf82edac6114648cddfbf6963188dd34d2bebf1106e3370bd5e03b712128e54535a31766

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
a4e05e784cd15d8552154ad4427807ff

SHA1
0e3f7d5962ee28413ec24853eea0d5b8fa6d406e

SHA256
f72217c472203d985470dc0f7886022395333fee8d56a5a5e5d9bc5f0c173d71

SHA512
1300c3be18c1c4fb8aaa136c59956d9fdf0db5c843362b1bbd73627c9bb25684d53642af8b240102f9419f01c7c895f0bd8406a2be190067bf9b2860c4222260

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
b16ff860fbb317e212bc3041db75ea21

SHA1
c1cc5131ebe35f5ac97f604907e9c7f45eab68bf

SHA256
12a9ffacfc70b69e3bb886b487369cdd8c919a5f1bf3ae83015d03099af2bafa

SHA512
d907b66ce07c233691b20b4623da060c9f9c788ba0fb193d834918cf913c5cb9901429cb67253cdae4aab6aa0d7861051667dd1bd0e949199e069ba434978cfa

Download Submit
memory/2804-10-0x00000183A0110000-0x00000183A0111000-memory.dmp

Filesize
4KB

Download
memory/2804-2-0x00000183A0110000-0x00000183A0111000-memory.dmp

Filesize
4KB

Download
memory/2804-9-0x00000183A0110000-0x00000183A0111000-memory.dmp

Filesize
4KB

Download
memory/2804-8-0x00000183A0110000-0x00000183A0111000-memory.dmp

Filesize
4KB

Download
memory/2804-11-0x00000183A0110000-0x00000183A0111000-memory.dmp

Filesize
4KB

Download
memory/2804-12-0x00000183A0110000-0x00000183A0111000-memory.dmp

Filesize
4KB

Download
memory/2804-13-0x00000183A0110000-0x00000183A0111000-memory.dmp

Filesize
4KB

Download
memory/2804-14-0x00000183A0110000-0x00000183A0111000-memory.dmp

Filesize
4KB

Download
memory/2804-4-0x00000183A0110000-0x00000183A0111000-memory.dmp

Filesize
4KB

Download
memory/2804-3-0x00000183A0110000-0x00000183A0111000-memory.dmp

Filesize
4KB

Download
memory/2912-157-0x0000018D40EF0000-0x0000018D40EF1000-memory.dmp

Filesize
4KB

Download
memory/2912-156-0x0000018D40EF0000-0x0000018D40EF1000-memory.dmp

Filesize
4KB

Download
memory/2912-155-0x0000018D40EF0000-0x0000018D40EF1000-memory.dmp

Filesize
4KB

Download
memory/2912-167-0x0000018D40EF0000-0x0000018D40EF1000-memory.dmp

Filesize
4KB

Download
memory/2912-163-0x0000018D40EF0000-0x0000018D40EF1000-memory.dmp

Filesize
4KB

Download
memory/2912-166-0x0000018D40EF0000-0x0000018D40EF1000-memory.dmp

Filesize
4KB

Download
memory/2912-165-0x0000018D40EF0000-0x0000018D40EF1000-memory.dmp

Filesize
4KB

Download
memory/2912-164-0x0000018D40EF0000-0x0000018D40EF1000-memory.dmp

Filesize
4KB

Download
memory/2912-162-0x0000018D40EF0000-0x0000018D40EF1000-memory.dmp

Filesize
4KB

Download
memory/4884-0-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

Filesize
4KB

Download
memory/4884-1-0x00000000005E0000-0x000000000161E000-memory.dmp

Filesize
16.2MB

Download