orcus | 60d79803c2b81c09f266a57c1e91476d1a5ef4abd3cccc113cd84077398edead

Analysis

max time kernel
48s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

example.exe
Size

839KB
MD5

351808659677be354200ca26e9b63f5a
SHA1

a147a31f13d21ff0bf0eca9c8dcf20b7cab5e363
SHA256

60d79803c2b81c09f266a57c1e91476d1a5ef4abd3cccc113cd84077398edead
SHA512

c8bcb1278652b76e4825cb4ede51f59790469f17c37b9b75f31c3208d2570c287e9e2dcf17ebd2f406927c558490860bd30b214949a276d66492d6142e125dc8
SSDEEP

24576:UBS04YNEMuExDiU6E5R9s8xY/2l/dGtnIbt+ri:Uj4auS+UjfU2TGdIbt+r

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

?during-interesting.gl.at.ply.gg

Mutex

7fa8acb6c95d43bf801fe5b284514394

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
11/25/2024 07:59:32
plugins
AgEAAA==
reconnect_delay
10000
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus
Executes dropped EXE 1 IoCs

Processes:

AudioDriver.exe

pid process

2692 AudioDriver.exe
Loads dropped DLL 1 IoCs

Processes:

example.exe

pid process

2684 example.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

21 discord.com
22 discord.com
23 discord.com
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2684	example.exe

flow	ioc
21	discord.com
22	discord.com
23	discord.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

example.exeAudioDriver.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	example.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioDriver.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

AudioDriver.exechrome.exe

pid	process
2692	AudioDriver.exe
2692	AudioDriver.exe
2692	AudioDriver.exe
2680	chrome.exe
2680	chrome.exe
2692	AudioDriver.exe
2692	AudioDriver.exe
2692	AudioDriver.exe
2692	AudioDriver.exe
2692	AudioDriver.exe
2692	AudioDriver.exe
2692	AudioDriver.exe
2692	AudioDriver.exe
2692	AudioDriver.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AudioDriver.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2692	AudioDriver.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe
Token: SeShutdownPrivilege	2680	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

AudioDriver.exechrome.exe

pid	process
2692	AudioDriver.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe

Suspicious use of SendNotifyMessage 33 IoCs

Processes:

AudioDriver.exechrome.exe

pid	process
2692	AudioDriver.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

example.exechrome.exe

description	pid	process	target process
PID 2684 wrote to memory of 2692	2684	example.exe	AudioDriver.exe
PID 2684 wrote to memory of 2692	2684	example.exe	AudioDriver.exe
PID 2684 wrote to memory of 2692	2684	example.exe	AudioDriver.exe
PID 2684 wrote to memory of 2692	2684	example.exe	AudioDriver.exe
PID 2680 wrote to memory of 2716	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2716	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2716	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2892	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2920	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2920	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2920	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2580	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2580	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2580	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2580	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2580	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2580	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2580	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2580	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2580	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2580	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2580	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2580	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2580	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2580	2680	chrome.exe	chrome.exe
PID 2680 wrote to memory of 2580	2680	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\example.exe
"C:\Users\Admin\AppData\Local\Temp\example.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef76a9758,0x7fef76a9768,0x7fef76a9778
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:2
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1400 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1520 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:8
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2160 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2168 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2808 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:2
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2888 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3668 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2536 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2916 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3900 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4088 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3880 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:1
  2⤵
  PID:2884

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b87e145d824751f9b437cd63ee015150

SHA1
8006c30c4232fc73cbe9ea42e6317177cde1be18

SHA256
d110b2354fe9f82ddaf7386390b9d9a176de147a8b09856169614e3d7b4c0b7a

SHA512
a28c7b43aa1ccc959546f695f841e4b3d99c707693db9d729e91870d0e4682bb8ebd24e2d863dd15af806c1c6e8737a567a1b15fd77ceca7ab3a12aaf1845cf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000041

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
980084a217a39a144a1d33eb23ac502a

SHA1
ed6d0466ba7200dee957106b8329b94ddcf763b5

SHA256
0a4e29a382f8837683f4e73e569a9943c59d65ddbf7a1f02de35f41ac7dc62c7

SHA512
bc388bcb9624c669dd943a7552995b544166aa1191c4e5c544262bdcd4fe1846b29454c55779f805bf52554114cae60d44960514cdd5835ba2180f0a123ef1e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
5cd9c9368cfb913fe4787ac7787edea2

SHA1
d94941264c11562fd5b714dd8ca97b47fd4fc5ce

SHA256
17036e08abb39d5e7630facb7d7808b9975be8cdd718a8ddc0d1bce6950a7dd7

SHA512
3bd43b68e6b8ddbdb304c0092bb044b7ca0e7e282a6418d25e225eac89e718f146ba88d6e9389f2d137c833276fabb55226f69594277ca1d236fb25cdf85b79e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8833a6be3e854f761c7e68d5506588b2

SHA1
eded8f1fa9ca7d3f715716c2c235957dfd0aba43

SHA256
5da8702bc9ee5d31be368127e534b9d55f375b3f4ea39a3c86cc742e1e646fb6

SHA512
9f30d0319c349c97f3044a4453af6eca4130d2c3cad7f94182bbef3f59ce53c9ab19812bddf5a3e022a7d808d8edac6e9efa5e43365361f523f85d7109fc1195

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2e065e7dba84d5f116d456974703346c

SHA1
d43929478ee940c95b284015d17ee8026d0f3456

SHA256
f454cfb030b673e044d25fabc793d3145cc40e88876d8e235ae556327f86461a

SHA512
4eed4115a570c60eb5d74f340c8f70906d579509dfd63b7c092d8a1ad1c627233cccf3fb6f3922283a43ea90a88fa60f46878d82663521b586b2ca03fd892f71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
46f8738cb56bbb083bbe0c3dc49c54bb

SHA1
9779b86e22acbee7013d0bca90b034026c4ff397

SHA256
baa6e6a3bc0b6ebd940e34036bdbed9de3ab37793c12c1b1101253e58449a85d

SHA512
546a9d57b9bbbd9e9dbaccaec98fab5cd849300a6f3662d9dd6ea76c4181ec139e60afc02d162ca3c7bb0c4716bd69f1e33a6f19adb9bb44db04cda2e36a4549

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e9867d69588cfccc79ed63b5e0707c74

SHA1
24ae6e90e68cce0b365e191b8d64c35103ace56d

SHA256
3c7454383e334c91a01d4c9ab77acd2ea878ff4424c01038ae16d14157e882e9

SHA512
decf6f61b826063a0de2f128487e1644092161ac1ca2445d89c5f50e36deef83414af229e9484ab9b8aabe2171c8598d9eb15776bcf882bd3dd884c62f4fe10a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1f2b980c640479d1ebbf53facc9213e8

SHA1
8b9524ea6d9893c809aa861240cc6ea98880a41e

SHA256
8e675336ac6729ed6f8753ac3562be252ff209228084d0241c1a9a010b38f7a1

SHA512
ff5a0024212a1829909452659ef448c31c6e7f3d5606f71fdc2c0ac0f5b92d2f80ccab0442b614947aa524aeb6e13b20ee2c8bd21d7bd68ca3f63553e7257fc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8d4ca1b9b49e89278cfb0af281dd979b

SHA1
5874464849b64366fc9637362dfaee65c45c5db1

SHA256
776192ae563965928c3e148c11ced5f28eba20eaf9c1f8980c431d88f90fd481

SHA512
c26b2b21fcbeea50d3a48cb7fdb70b41249bb7cd7b42d82ca6c58719dac3b704e70ebf60c0edabc46f4998adc9d26e48f62ea980107a2b59479013f1ac42e0ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2a6e0ac37480f78083c60ad65d0ca553

SHA1
c85fada1e3df994a4b4026350448415cf4778bd0

SHA256
ce7e391c09852d690ea038646a20b0293b85b73f53b2e8b73eecbd6f18d73195

SHA512
5fdedc476932010dc24e8df5e498a19f7c009b96c31e1ef33d3ce2bd31af6bd23d1d4be2db2b693e42b8f419602c85009e6a4419e008eb25fbec3f743c5b92b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b84282ff08292a2824d356757189a681

SHA1
ea6585a16e6df6f224fe7e8803b634ba2b8ce63d

SHA256
d0885314a7f8a077e3fecb512e613a87f764d62fb7b8495b130c620ca1d8e9f8

SHA512
0dfb4a10e00238e9cc11d0a0c0e6e61b6112f9060a91cad3b7cabaa4d5d74960db6af3c3137677ba95db066ae2a12630733854d41d0eb2d941923f98c8bdd970

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
347KB

MD5
fe49ebad4bd92db4ab790a8229f842bc

SHA1
2aaacef97c62f6ff6ea183ae3b052ec46445eeba

SHA256
6439139c50149b948286fce21bf83a6918e70f39f29d38909c6e940d0050e316

SHA512
23cc1defa2370d43165035194d6e998debdeb91ac47a641e4b51cd60d34f730a4785c8a7ac4a53616355327ffa70626bf0a5b52729ad115f49de60376772e0c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
347KB

MD5
a99a046adfc45c8bd5e9d2fd91405cd4

SHA1
08f23b3d8ca0af5488d3bf902397f3f22ad5829a

SHA256
d583f45d31cc897d908a7f2fb7d0404fe00d6340698ac109036e08affdff9ea3

SHA512
6ca276312495989c3e7f077d8c63bc451945ed2f649c340722039eb9d75e0579601c53e070dbea381dc36083ee75ac2aec0272b263f9fdf6a2ae5d20cb54c70a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ebb118eb-6a7d-462d-9ece-5db4dd83f1fd.tmp

Filesize
347KB

MD5
5268c4a4e29f91944ccaf32eb4405582

SHA1
c39e75ebd53dc0648ea66b793e203b3604863c52

SHA256
b86c5d67f1e55b852c36ba84d243811c132b141ca020ace53eb6ef88d98c41c6

SHA512
e0971e7796de42a076c08f5b2b05226b6cf752f5da9535c4ef8d66be351ec73e7a220465075ba8d35114d74f20984a1bfc9e00b9b9949b5f81d7167e7c12362a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5C74.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5CB6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
839KB

MD5
351808659677be354200ca26e9b63f5a

SHA1
a147a31f13d21ff0bf0eca9c8dcf20b7cab5e363

SHA256
60d79803c2b81c09f266a57c1e91476d1a5ef4abd3cccc113cd84077398edead

SHA512
c8bcb1278652b76e4825cb4ede51f59790469f17c37b9b75f31c3208d2570c287e9e2dcf17ebd2f406927c558490860bd30b214949a276d66492d6142e125dc8

Download Submit
\??\pipe\crashpad_2680_GVBGNISDCOQVVYOX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2684-0-0x0000000074981000-0x0000000074982000-memory.dmp

Filesize
4KB

Download
memory/2684-11-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-2-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-1-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2692-69-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2692-64-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2692-14-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2692-12-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2692-13-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download