orcus | hxxps://cdn[.]discordapp[.]com/attachments/1304516917402406973/1304865951333744660/Titan[.]exe?ex=6730f29e&is=672fa11e&hm=c1b5ef9ec4e79a61ea45e3502e24db35642c724e514e0cd8ac809180ca7b30ff&

Analysis

max time kernel
67s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/11/2024, 17:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1304516917402406973/1304865951333744660/Titan.exe?ex=6730f29e&is=672fa11e&hm=c1b5ef9ec4e79a61ea45e3502e24db35642c724e514e0cd8ac809180ca7b30ff&

Score

10^/10

orcus nurik discovery execution rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

nurik

31.44.184.52:12708

Mutex

sudo_6rbpsrhwdx8231c8qhhxgcoyopp6gjkk

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\apiprocessorlongpoll\MpCmdRun.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cf2-148.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cf2-148.dat	orcus
behavioral1/memory/5756-150-0x0000000000C60000-0x0000000000F5E000-memory.dmp	orcus

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3372	powershell.exe
2984	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WinHelper32.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinHelper32.exe	javaw.exe

Executes dropped EXE 4 IoCs

pid	Process
3968	Titan.exe
5756	WinHelper32.exe
5996	MpCmdRun.exe
6088	MpCmdRun.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
36	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5996 set thread context of 6124	5996	MpCmdRun.exe	127

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Titan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinHelper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpCmdRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpCmdRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caspol.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	taskmgr.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 909368.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
1124	msedge.exe
1124	msedge.exe
2864	msedge.exe
2864	msedge.exe
3388	identity_helper.exe
3388	identity_helper.exe
3988	msedge.exe
3988	msedge.exe
2984	powershell.exe
2984	powershell.exe
2984	powershell.exe
3372	powershell.exe
3372	powershell.exe
3372	powershell.exe
5756	WinHelper32.exe
5756	WinHelper32.exe
5996	MpCmdRun.exe
5996	MpCmdRun.exe
5996	MpCmdRun.exe
6124	caspol.exe
6124	caspol.exe
6124	caspol.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	5756	WinHelper32.exe
Token: SeDebugPrivilege	5996	MpCmdRun.exe
Token: SeDebugPrivilege	6124	caspol.exe
Token: SeDebugPrivilege	5344	taskmgr.exe
Token: SeSystemProfilePrivilege	5344	taskmgr.exe
Token: SeCreateGlobalPrivilege	5344	taskmgr.exe
Token: 33	5344	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5344	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3968	Titan.exe
1036	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 4552	2864	msedge.exe	83
PID 2864 wrote to memory of 4552	2864	msedge.exe	83
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 5000	2864	msedge.exe	84
PID 2864 wrote to memory of 1124	2864	msedge.exe	85
PID 2864 wrote to memory of 1124	2864	msedge.exe	85
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86
PID 2864 wrote to memory of 1160	2864	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1304516917402406973/1304865951333744660/Titan.exe?ex=6730f29e&is=672fa11e&hm=c1b5ef9ec4e79a61ea45e3502e24db35642c724e514e0cd8ac809180ca7b30ff&
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa62146f8,0x7fffa6214708,0x7fffa6214718
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,12416986001467648400,10588167051101938217,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,12416986001467648400,10588167051101938217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,12416986001467648400,10588167051101938217,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12416986001467648400,10588167051101938217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12416986001467648400,10588167051101938217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12416986001467648400,10588167051101938217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12416986001467648400,10588167051101938217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12416986001467648400,10588167051101938217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12416986001467648400,10588167051101938217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,12416986001467648400,10588167051101938217,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12416986001467648400,10588167051101938217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12416986001467648400,10588167051101938217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12416986001467648400,10588167051101938217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,12416986001467648400,10588167051101938217,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,12416986001467648400,10588167051101938217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3988
- C:\Users\Admin\Downloads\Titan.exe
  "C:\Users\Admin\Downloads\Titan.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3968
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\Titan.exe"
    3⤵
    - Drops startup file
    - Suspicious use of SetWindowsHookEx
    PID:1036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2984
  - - C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe
      C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5756
    - - C:\Users\Admin\AppData\Roaming\apiprocessorlongpoll\MpCmdRun.exe
        
        "C:\Users\Admin\AppData\Roaming\apiprocessorlongpoll\MpCmdRun.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5996
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5880

C:\Users\Admin\AppData\Roaming\apiprocessorlongpoll\MpCmdRun.exe
C:\Users\Admin\AppData\Roaming\apiprocessorlongpoll\MpCmdRun.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6088

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MpCmdRun.exe.log

Filesize
1KB

MD5
663b8d5469caa4489d463aa9bc18124f

SHA1
e57123a7d969115853ea631a3b33826335025d28

SHA256
7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8

SHA512
45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
098688e1bc615e73fe9dd32767c9ce2c

SHA1
11c935b12a9387f25b03b03b92e5f19c2eafcec4

SHA256
be17c3c409168ce694ea46b0654da58a3cbe8b97c919d6f177fbb51527af8d5f

SHA512
e04055b62c4193f29e178f27ee0e3b209a5c36fef8b6cc2a70502a10b60d2a1c91defc5fdf2f0dc6aed4f1d32c0c2ef57268b395021eac126edec2ca18a1bc1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d37d97f43453beabeb79dc908dc97e8b

SHA1
4b1aa98eb136624acb9c29091161e4772db2bc3c

SHA256
40a13a58220ed5884d809fda60ab83758f071ed6033f79606f5ef5897c6490c8

SHA512
d98f2da453ee54dd39f59e47247162aae1c4a13682262d44da8a0f4392ad5f5fb3baeb9cfc15326a8507baa06f6c826318d673e92c808e6807b872eba479d4e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3b7dd083d1088decf92b6aceacecb16e

SHA1
1644b4d9c8e4780fc1b0eefbafcf1091555cc9b3

SHA256
b3669d06a605d2605a13d09262cc8b12676fe868b101a64dfbd43b3743f0a43e

SHA512
a7f92101dd50dbc6d93daadbb12ab0c24ecc8669106e66862ce93bb8a8e76b7b3d0618adae1fffe4a56c74c1c29bd48be019844661d7dc63e4a02962e9ca78d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ab41e9d72a9da9c65927bfdc170f7c97

SHA1
6dbf898d31104461eecffde6c41cc0d1c027342c

SHA256
19b29467b94755011e4952393b82564da0fb6c503c2068654bf99951a31b59bd

SHA512
d5e1f6d5cd7f9e000e442dd94aaa4dab0c85633bd8f78d184fe3f255f94b368d0e2795629744a866988bccb3ec1905f89539e549d75681d38080d4bfc1b35210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fe901857522b990cdf8a01b588b36df3

SHA1
f18aba012afb54814e0e947d550a33827449e545

SHA256
dfbfbf217c5c78e8473539bc0b628f1bd59e977bae0f6c445756174a334bc711

SHA512
d7823e8f09dce87c469c586d4260961ef568a04ff46d91aab2060318c9ff5c46b1d1d1491b226a798bb5df2246ad0be87424c7f4d1d6f4ea008b0e4754c2bf8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ivcgeg1.lnv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe

Filesize
3.0MB

MD5
0bf7d5cf7b2ea03e2cd580ef696cf8c2

SHA1
61c427e6019867a7deab09415a92a3e001caba74

SHA256
607f66fd470487071732efbcd3781b2dacec3844e6c902f0281ef5a2afb79e13

SHA512
8e286c40b531f3e0094e4181fe330b9af7e37d5a0d4786d4002c85ce7da199f6c03fef6d8d36bde3d00b2be1b84cd6351507c435074f2e3aeff2abedee246362

Download Submit
C:\Users\Admin\AppData\Roaming\apiprocessorlongpoll\MpCmdRun.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 909368.crdownload

Filesize
66KB

MD5
47b26f25ce8ba5352e9fe6eec45221f4

SHA1
aa54cbefe649f5678592dc8efb23bd4070416a20

SHA256
b445e70dea6cdeaa2948f3c6349394b71b66dbfe563748f06bb904aae4e3bf7a

SHA512
351e3048d23b993c16feec3e562f9a02598ec501c1675704e65e6415d7684478ae6a38cfc3b6307943967d5810a12d75e2371f24aecd38ef96cda09cb7f0d4b8

Download Submit
memory/1036-138-0x000001C4373A0000-0x000001C4373A1000-memory.dmp

Filesize
4KB

Download
memory/1036-143-0x000001C4373A0000-0x000001C4373A1000-memory.dmp

Filesize
4KB

Download
memory/1036-106-0x000001C4373A0000-0x000001C4373A1000-memory.dmp

Filesize
4KB

Download
memory/1036-151-0x000001C4373A0000-0x000001C4373A1000-memory.dmp

Filesize
4KB

Download
memory/1036-176-0x000001C4373A0000-0x000001C4373A1000-memory.dmp

Filesize
4KB

Download
memory/2984-73-0x000001FFB6500000-0x000001FFB6522000-memory.dmp

Filesize
136KB

Download
memory/3968-177-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5344-197-0x00000275604C0000-0x00000275604C1000-memory.dmp

Filesize
4KB

Download
memory/5344-200-0x00000275604C0000-0x00000275604C1000-memory.dmp

Filesize
4KB

Download
memory/5344-195-0x00000275604C0000-0x00000275604C1000-memory.dmp

Filesize
4KB

Download
memory/5344-196-0x00000275604C0000-0x00000275604C1000-memory.dmp

Filesize
4KB

Download
memory/5344-198-0x00000275604C0000-0x00000275604C1000-memory.dmp

Filesize
4KB

Download
memory/5344-199-0x00000275604C0000-0x00000275604C1000-memory.dmp

Filesize
4KB

Download
memory/5344-201-0x00000275604C0000-0x00000275604C1000-memory.dmp

Filesize
4KB

Download
memory/5344-191-0x00000275604C0000-0x00000275604C1000-memory.dmp

Filesize
4KB

Download
memory/5344-190-0x00000275604C0000-0x00000275604C1000-memory.dmp

Filesize
4KB

Download
memory/5344-189-0x00000275604C0000-0x00000275604C1000-memory.dmp

Filesize
4KB

Download
memory/5756-159-0x0000000005B30000-0x0000000005B42000-memory.dmp

Filesize
72KB

Download
memory/5756-155-0x0000000005840000-0x000000000584E000-memory.dmp

Filesize
56KB

Download
memory/5756-150-0x0000000000C60000-0x0000000000F5E000-memory.dmp

Filesize
3.0MB

Download
memory/5756-156-0x0000000005B40000-0x0000000005B9C000-memory.dmp

Filesize
368KB

Download
memory/5756-157-0x0000000006230000-0x00000000067D4000-memory.dmp

Filesize
5.6MB

Download
memory/5756-158-0x0000000005D20000-0x0000000005DB2000-memory.dmp

Filesize
584KB

Download
memory/5996-181-0x0000000006B90000-0x0000000006C2C000-memory.dmp

Filesize
624KB

Download
memory/5996-179-0x0000000006230000-0x000000000627E000-memory.dmp

Filesize
312KB

Download
memory/5996-178-0x0000000005D70000-0x0000000005D82000-memory.dmp

Filesize
72KB

Download
memory/6124-186-0x0000000006C20000-0x0000000006C2A000-memory.dmp

Filesize
40KB

Download
memory/6124-202-0x00000000074C0000-0x0000000007526000-memory.dmp

Filesize
408KB

Download
memory/6124-205-0x0000000007B50000-0x0000000008168000-memory.dmp

Filesize
6.1MB

Download
memory/6124-206-0x00000000075D0000-0x00000000075E2000-memory.dmp

Filesize
72KB

Download
memory/6124-207-0x0000000007630000-0x000000000766C000-memory.dmp

Filesize
240KB

Download
memory/6124-208-0x0000000007670000-0x00000000076BC000-memory.dmp

Filesize
304KB

Download
memory/6124-209-0x0000000007800000-0x000000000790A000-memory.dmp

Filesize
1.0MB

Download
memory/6124-210-0x0000000008170000-0x0000000008332000-memory.dmp

Filesize
1.8MB

Download
memory/6124-211-0x00000000077F0000-0x00000000077FE000-memory.dmp

Filesize
56KB

Download
memory/6124-212-0x00000000085D0000-0x0000000008620000-memory.dmp

Filesize
320KB

Download
memory/6124-185-0x0000000005FB0000-0x0000000005FC0000-memory.dmp

Filesize
64KB

Download
memory/6124-184-0x0000000005F60000-0x0000000005F78000-memory.dmp

Filesize
96KB

Download