Analysis
-
max time kernel
246s -
max time network
261s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06-12-2024 19:06
General
-
Target
https://restoindia.me/recaptcha/File.exe
Malware Config
Extracted
orcus
45.74.38.211:4782
7a9c0f279c464958aebbd585f20f1cf2
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Orcurs Rat Executable 1 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Enumerates processes with tasklist 1 TTPs 10 IoCs
-
Drops file in Windows directory 10 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 55 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
NTFS ADS 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://restoindia.me/recaptcha/File.exe2⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd64e246f8,0x7ffd64e24708,0x7ffd64e247183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13827247365659440638,1010616408373472537,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,13827247365659440638,1010616408373472537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,13827247365659440638,1010616408373472537,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13827247365659440638,1010616408373472537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13827247365659440638,1010616408373472537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13827247365659440638,1010616408373472537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13827247365659440638,1010616408373472537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13827247365659440638,1010616408373472537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13827247365659440638,1010616408373472537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13827247365659440638,1010616408373472537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13827247365659440638,1010616408373472537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,13827247365659440638,1010616408373472537,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4672 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13827247365659440638,1010616408373472537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,13827247365659440638,1010616408373472537,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6256 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,13827247365659440638,1010616408373472537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\File.exe"C:\Users\Admin\Downloads\File.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 4915055⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\491505\Dr.comDr.com B5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "ApolloPro" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc onlogon /F /RL HIGHEST6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 155⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Downloads\File.exe"C:\Users\Admin\Downloads\File.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 4915055⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\491505\Dr.comDr.com B5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 155⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Downloads\File.exe"C:\Users\Admin\Downloads\File.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 4915055⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\491505\Dr.comDr.com B5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 155⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13827247365659440638,1010616408373472537,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1204 /prefetch:23⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd527ecc40,0x7ffd527ecc4c,0x7ffd527ecc583⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,12937989675276156924,7026993780414738493,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1776 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1784,i,12937989675276156924,7026993780414738493,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1820 /prefetch:33⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,12937989675276156924,7026993780414738493,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2408 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,12937989675276156924,7026993780414738493,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,12937989675276156924,7026993780414738493,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3324 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,12937989675276156924,7026993780414738493,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4548 /prefetch:13⤵
-
-
-
C:\Users\Admin\Downloads\File.exe"C:\Users\Admin\Downloads\File.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 4915054⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\491505\Dr.comDr.com B4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 154⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Downloads\File.exe"C:\Users\Admin\Downloads\File.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 4915054⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\491505\Dr.comDr.com B4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 154⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wscript.EXEC:\Windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js"1⤵
-
C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.scr"C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.scr" "C:\Users\Admin\AppData\Local\CreativePixel Tech\E"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1JavaScript
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f9ec0e75d0bf53d04b8d84cd11852b8b
SHA1695858870264a883a5e018ca1cb0b79b2926dd50
SHA256d2458db8039fc1a03756a9dfb4a8ce07af3425b8f8843ef9bcf55365835858d1
SHA512f90538aa3008b98627910af5f67491d55e6d239eb0960d71fb7bcb572f53324aaa33758741ab19c9a9e45ded06f87abf27da5c98446ffe5828da071a8e9342f1
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5c6d0585628ec1a76fb07ef6c5776d6b6
SHA14f4ed79e6cc07537d0a8bb24a24df2fab0d17c2f
SHA256809c0eb64039d901dd2d5b941f05b095c49a2a330e50cfcdd4504eea7f5bf55e
SHA512f631dc91712906077f4f7b6065ea51f2e26317a15ad45fe86de93ac69ca5b59dc94dd424dfa94fc53b013ef812bf6d48c819ecb345510ede95c20707cc84fa39
-
Filesize
9KB
MD57ef20e9458f1e9e59506d520a7659a04
SHA1b88f2b9b88e66718a8fc02d5f304ac314434f3de
SHA25667b3fc63b6ce9557a9633ebb84d03e2f08965e333862abaadb1706fbd577bb91
SHA5129f98bf0d9694b461ab8f1108657eb6aecd6f0709c9220bcb845abdda2c01c23e844264ab8c3a79f4236641c50dbbda9aa91c27ea68da6bbc12b09b29bd6d5dfe
-
Filesize
9KB
MD54d9e5542c010124db611575e5849e2f3
SHA1edddda0c429b9a4bd03748f814f4a4c7c0c14f14
SHA256d9908e4ed1fadfd8f64884d1a24eda5b3be8b6ad089f7c47e40cb592160bd2be
SHA5125db63cb7bde840731ddb4a0d68e29c9c604fbd0ab22be86be4a43c9754bc53a3673763cd61339730d2762976a1011c122c34e81257b26150d3031e6c2433ec85
-
Filesize
116KB
MD5d8460cc1c5e2603cca896a97c9ef584a
SHA1346b47e9e579f45ff904ada1ba8525ed7a5b532d
SHA256158ea274ec2cbf043d3a84b5a5bfdf5f0a3be705aba7886ad1a3c3e86c62cfcf
SHA512715f21b88456c8c6707721a3ec475efb9dbe83a34199b889c2fdcb3c9f7672b7a4743e2dbe0b8fda64c3461446b4b957a6716a64bd49eecb86f326d32928e0fd
-
Filesize
116KB
MD538beda6b3382d546e497b349b49f614c
SHA193f8820193b86c81b1db7c2643e1e701dcf8d3b8
SHA256d589d27961c766435fa8d91ca656dbbdc5e11d613a913f1b7f1a9c011880c9ae
SHA512b3cb5908dac2a556888cd641c188733fe2f4ee64483f5c4db88a8ce80bde5165ea3c12c94468f5b1326accc978dfcf989bbdf9c9a076d235b2d8a8fa8bf6446c
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
152B
MD556a4f78e21616a6e19da57228569489b
SHA121bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b
-
Filesize
152B
MD5e443ee4336fcf13c698b8ab5f3c173d0
SHA19bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA25679e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd
-
Filesize
181B
MD5132d358a1ce4331ff173d82be3b4f8b8
SHA1b49f40ab1de594c1e344bbeabbd3a232d1972fd4
SHA256185f1b5d7f38ca7322b20e6c25d67c15d6f30f8b2511167902319a7a94ae371b
SHA512f5ef365e25cdc3348369b583d5d23993c669b529475ff4f9326a205e1ee044849d91e4c0f4868d0715fdb53c26eead3c0e9e3e3f7edf9d1eb8aa96cf3caed3f6
-
Filesize
6KB
MD5712ee9cafde7be18e1e5c5c7e113eb55
SHA10d2719992f8baf559e8a2a4b8c554c295ae9e00a
SHA2560a8f7718b6bb15591eb3136978a2bf902cec87de6c9d59af6184a5c687b2f84a
SHA5124a2a7783b0fa9e3a371e6c4424b3944d6d70559baf08d651bf79c0c252534685cd087b000afceff3c9b8a29f470af1f28bdb333e1ea5b179d8161a1fd5895c22
-
Filesize
6KB
MD501bad4f47d33baca931254e13f42498a
SHA163e6286334fbc98b61b4d310773a8a08b8de1786
SHA25688851abb9b4810b8a66d965817bb2aeb4f9ea75a1dee3427dc89adf32dd4f096
SHA5126ada6b270d75c43bfcae12ba352079fb803ddc882d513dbab6a63da70733f84931cd44add3d56690f4036808fcfe267f0af379a9ee75a37ccb605c551f27f4fd
-
Filesize
5KB
MD5a7247da1dac06fe8f021726c6ce0c717
SHA1c86f9acaaadb8a9342dab0f5acd6c3d73e56f9a7
SHA256b5282c7d3193b96d3f577add30208f3ae7a8bbccb0157685f2e74afcda9fd64a
SHA512f086c2099f0a8b64e8c335ead99d1aaa4ed19fce392a8170a8c03299aa7a02edfe2b839662ac2e280eec4b5850df2d0e1aabae973bcdcdd331446edada5a7ffa
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5be1d80538998ed146e9c47761d47eb77
SHA1f69ca601ff79d8fd6caae59d0d493d8b6cba0090
SHA256b4cd109c1debc3e29f7f571077ca48e4b6cf8fb4c2a428a1edc2091de8454e4e
SHA512ce860b644a366d75b4ef45b3d192f95327d51fea379e9995189a017e6056d8da0990c30b27f538dc45a2e447ade3dc89067e3d22fbc1a933991133fb601d24b4
-
Filesize
10KB
MD5ed744c6b7addd09a981a4e3c3cc5943b
SHA1242a8e70be78881da08e40a1c0667746b31c686b
SHA2566028bef00c677235b29dee22d3f9a9daa7520b8cef80429047378199f762b62d
SHA512e33e7d7150f457c3c9b6e8fbbc4558a6c46e117055c0e6bd6b2f7e4c49edb8cae2672351e5dd3ab48d7da4db97ea39c8b2f1d189c00df5fa302c5bf68a51be54
-
Filesize
10KB
MD5df934f8415a34c916ed5e06ea338d8a2
SHA1670fa9ac5a8af3aa1db373c9aeddf29bd196ee56
SHA2560a6d6744133746d42c9590925b8ebded40e9d185bab870b48cac5b31fe979618
SHA5123f9031b1b8b706b1a41805be8c5b4cd557ae92508b4cbce749d582b10bb196a3191a6f31e1989aa2097323d97e8b79c12ee8e47cbcf3dc6ea3c56438516ba818
-
Filesize
1.5MB
MD5e81cc32cb3ac46e51db1137a73946864
SHA18bce108ebc3a6d59e09a1930aeeaa65fb468bb81
SHA256c9da589ce003766bde8f9a0fb8e1ad5b8290bbce1b12ed32c5e0799122358edd
SHA512134009c5d931be35a585d75a5f363cdcc13eb9b682c115c48f822be3d292a6b1ed52b1324b153c75f8b15c23181c5cd10486b1b7be854355f50506d79f296b9e
-
Filesize
2.8MB
MD5e0054857ae9362a0b78df2a49e23c5c9
SHA1c956d4d8938e3603865c0f8cc157e455e77f6b29
SHA2568597816ee457b424938f0ed46cac4cd7c7f244e87131eef736a45b191903ec7a
SHA5125f0cef5537860842d9797a963936a61c16716d089b0eec9018bc7cb6d3d3abb6a9dc6fde48616b25c056a49820c796bcfa99e805d6a5a0effd7c151c7a310399
-
Filesize
6.3MB
MD50a1e63fc10dd1dbb8b2db81e2388bf99
SHA167ad39aabbf4875bc1b165ccd5afc40194d1d3c8
SHA256122991768f589431b9166a4e22523bf48a53efff73fc2b191955e604196541b7
SHA51294c50f06e1d157381b9d0746044b5d015e2946b44291d92739783cb3ed9e91371cf7d1b981d3108d910d7a7000810fe69fbe6590f9a84f822b671866ab9db5fc
-
Filesize
720KB
MD5d35007cc8b2860b1fe9ee861e1f2846d
SHA158638fd185601506b3b13fe254065aeb7edff28c
SHA256de1e4dbe18f0b926b49aceb10157bc7f542409bad6242422efef3b831608a037
SHA51245f851201656cb19c89274d124a7625a4c9fe12f412616a84458aa1857c61455126264416ff7fa1c9ffa99b994613baecfacd1f8179240a5021c7e5b867ea068
-
Filesize
14KB
MD59da23439e34b0498b82ae193c5a8f3a8
SHA1ae20bbe7fac03c94e42f4dd206d89003faae7899
SHA2560f241cc0324871a1a900a7ac0edf889a8d12875b1072f44856cc979a4b7a77ac
SHA512cd4b262753b4f5f1dac09c20fa64ebdee00cf4a3fce92287a7439df943ea65bdf8569f541c2668b2164139b91facccfb3c98db8ad8f686637f4e317583cc98a2
-
Filesize
872KB
MD56ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA51257d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0
-
Filesize
915KB
MD5895c5374a042a9e6c78c673690cd2275
SHA19dfe1b532f958f678de2bac7c74646e007a8fa14
SHA256226099aac21e8d4a671a68b37d204339703fb696b6cc5aa30311fb55d6ab2147
SHA512130af34bb1d12db8e86b930d8e490754687e1381a0104ac4c98cc2f02ff7fc4ed9e1d549121a013e1c32663a00d1dc8eb20d2f9831feb3c7eb17bf61a1d8d52c
-
Filesize
903KB
MD50e2df9a4f4d78ad0299f0377d417b39e
SHA1a2452ab3b04b480dfc2a58a416762e280254751f
SHA2568834f63f09734b9f284437f26cba4909ce9ae1aceafa27e2bcd7531c1a7479df
SHA512d8194f24cc02fc030c7cf1dab5970257a79b8bcc887a8ff1ccd104e94ea809dcd266b056c80e6a0e73cba71f81e654389025c939e3135f6fafca9d51737812b8
-
Filesize
594KB
MD5d9182f7a263f19b9876e7e1568e6c760
SHA1d0683b5a7247a2f4a69473165d2c2649f2e1c01f
SHA2564efff79e94f136f9bbaed62501810937785831b8c10ee9eb675ceae24cf3c4c9
SHA51285582b94da822580eb26bc477440d87fb0a9ed98e3b75166cd96c2a18c88367c8bdd808fc43c52c2078e625efd81983e9f2e733272289833700649ad58a96a9b
-
Filesize
848KB
MD5774df02c553d130dde3aa7496b64ebed
SHA1e2a4aab8c3b654bd022662045fa70413a80e55f9
SHA256ae9283c1a14b751639a75592295d85105954b761737ab77fc1e667a1498f2e9e
SHA512c132cdf383e4fa32362d50768898ed9c6cd1e306056d066168a8ac1ee3ea7953424ff3b241ff1e0376b99b91f566b698bfef07da9bc45471097a6637dc154d11
-
Filesize
853KB
MD5de061b898e12d89c92409f220918347f
SHA16b571edab30dcc4d5518e5bebb296d1f7bf5414c
SHA25670fda66f3ea2607d6cff63d0a6a7258577690d2a9bc5105bb529889ce025d1c2
SHA51261d94f04572643dc4274aedda51e7cb6bcccefcfa4556e6d87f94195ddf90ffbeb65909688c7bc3407f244021cc6dff0c8692fd7835ee61e6a43a0394a693a2b
-
Filesize
396KB
MD5aabc90b85b9c3b51543de0339d29778e
SHA1299f5e2ca9326e0a5feefb4fc7b05da93cfd11a1
SHA2569a0a3567f4c9b9ca46fbf41d65cdd5ce464b0efe42d6aaf7cff840addbe05d60
SHA5123d951489d7d46874909bfd82e9cac346bdd15bbb485fc76e1ed7d6fe7bb51a7649d1f649b75bb6f6f1b6f10ea16113cd01c20aa7ea85d038fcb7fe317082edf3
-
Filesize
575KB
MD5826f4a6946380e346be2700b633d0c35
SHA19433907be5fef925295318f1698d0dbd05c8a16b
SHA2563d295b6fb4cad25db6a140eaf94a7f577fea02b3bc1cde1d696ea5ee3cd5a0bb
SHA512a87bcf4ad23076ca3632d035709002b682a90a565bb5685239d52910605b50f67a46627dc1a3649f3c30d40fd9da2b08d423d6df44ea937be80c38872a79d9fa
-
Filesize
582KB
MD5b75737c804ca9949cc63bd42c945a5e6
SHA175c0490174adc40d1824b1024021b82dd5c762b7
SHA256628068ee856d68776d6e9b755cd42d7a5a46af1a2a6a2c22e65db95b5d2d8f2c
SHA51258fedd2bd6318d4b93de429d184701e059321c16872cafc978837c29985404bf432e4a2701894f7f67045f9684da40c8e14f9f557da3398c5d6eeca2e18faca7
-
Filesize
622KB
MD584f05dddefb1c72567827be553fe67fe
SHA1c2ebcc4de3439a8206aa8faac90312bfb207ce4f
SHA256b7de8d92196f323eb9a6237b9e902461569fd093b36e1988dee9de2ab157bb12
SHA51299954fa07fe7cc0e54dbd0af09b32507cd998c8b44cb63f1ffe8e30667b6d1bb0949a6c95b60e40e73f0b0bb3f11e79f8fa23f696032118210cd10f03eec2904
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6.9MB
MD55eecc13df41c8e6967f8a3ecb1d0cda9
SHA18ac9ce30344f976a09da51da509dee5d2b0e8723
SHA2566b8848b38b3e239a0df83efc456ad22bf5e59e7145b59d1f8e154881ebb9f8e3
SHA51224c981ad16a5bc65738127dc27f2c804f4678671a8c13ff60ef2edcf795b8b6d505d121f407514dfbe7853b5d7577299ae30832319d21e83c5c18f5c638382d1
-
Filesize
32KB
-
Filesize
408KB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
216KB
-
Filesize
6.5MB
-
Filesize
600KB
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
296KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
368KB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
4.0MB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
1.8MB