orcus | hxxps://github[.]com/zz4cc/OrcusRAT[.]git

Analysis

max time kernel
82s
max time network
81s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/zz4cc/OrcusRAT.git

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral1/memory/3380-209-0x00000000008B0000-0x00000000018EE000-memory.dmp	orcus

Executes dropped EXE 2 IoCs

pid	Process
5952	Uninstall.exe
6084	Uninstall.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5132	3380	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Administration.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2880	msedge.exe
2880	msedge.exe
4180	msedge.exe
4180	msedge.exe
3336	identity_helper.exe
3336	identity_helper.exe
1420	msedge.exe
1420	msedge.exe
3964	msedge.exe
3964	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5856	Uninstall.exe
5952	Uninstall.exe
6040	Uninstall.exe
6084	Uninstall.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 5092	4180	msedge.exe	83
PID 4180 wrote to memory of 5092	4180	msedge.exe	83
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 4560	4180	msedge.exe	84
PID 4180 wrote to memory of 2880	4180	msedge.exe	85
PID 4180 wrote to memory of 2880	4180	msedge.exe	85
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86
PID 4180 wrote to memory of 2616	4180	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/zz4cc/OrcusRAT.git
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff911c046f8,0x7ff911c04708,0x7ff911c04718
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3956 /prefetch:8
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14150292286353451024,11255614325546852880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:5308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\Temp1_OrcusRAT-main (1).zip\OrcusRAT-main\Orcus.Administration.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_OrcusRAT-main (1).zip\OrcusRAT-main\Orcus.Administration.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 852
  2⤵
  - Program crash
  PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3380 -ip 3380
1⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\Temp1_OrcusRAT-main (1).zip\OrcusRAT-main\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_OrcusRAT-main (1).zip\OrcusRAT-main\Uninstall.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5856
- C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
  "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe" end
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5952

C:\Users\Admin\AppData\Local\Temp\Temp1_OrcusRAT-main (1).zip\OrcusRAT-main\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_OrcusRAT-main (1).zip\OrcusRAT-main\Uninstall.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6040
- C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
  "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe" end
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/playlist?list=PLkoNiUTDHC4_dakaSc7ePa5epYLx35DcV
1⤵
PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff911c046f8,0x7ff911c04708,0x7ff911c04718
  2⤵
  PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
25.0MB

MD5
4ebe8621171038676189cbc5e7053d9f

SHA1
2e3a3b97163d1e8af1e41c36f9495062fb4b1934

SHA256
3786d314f4e3906400b24657ed15fca047576eba9cf17630246db69503fdbea3

SHA512
e0091ae9f3acddc7e8d11b89a60debc3dab57b8af57bde4a3f538b2283eae398a1adec8224bf5fd2d0be61be015fc2a79c49b06cf786945073e1cc87d66be356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f973ba005d78ce389f91081c094ce242

SHA1
21d3e8aa5b439d21a473728ff004fa76995b13cd

SHA256
08bcee16c4760fda79824def466b7128d08cad28720dcfe3528f8bed8b35ff4f

SHA512
da424450cbdb76bf05796886bbb4a7d1bdf6bcc98119520cb6498113731640530f440977b4ac9014da3a99885ea930632ae5568f310ca5b26308d2bd0455b7c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
ae032e5a8d0088761a5b1131e6d7adb7

SHA1
d495300e297e5392d0ad7512461b3f1b6f8f367e

SHA256
578b48d86653d004d76e5f3f0e3ca52ad7e39b3ce2ad9a4b069a3a55083b0b4d

SHA512
a3acb9599dc64d93e17dffdf65e8df2f3c4a6e349645cfe054de79a60ba9f8876d5fa88715f733529c21c803db429270a024375bf10d50bd38356e516febfe12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2986e1b152b48a81facf29f4e2f1f273

SHA1
d278375ee7d7ed86d2943c2d0830f7e199f3e461

SHA256
a6260f454cfdd2126121847c051c842793d97eecf818107eb020ad2467708035

SHA512
91e56e8384c53a711921fca868e7f2410e3995092aa6ccaec3a46b1130f5009800caaa2e186500fc104c353b81c4e596040a31db48ddc49255d2d3a4136ce1d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af8b60625b38eebff94d6a002f1dfdc6

SHA1
4e34466394d73a7da535a7bae0df01025e48f351

SHA256
cb89578a521766981036f4fbd2f12a23698eee55e50f1d61776b645fc42b84ea

SHA512
7cfce083aa21728f1d8b0feb13413c1003a39fdce345948d2f0d05b9b7dee4f22b9e2929c644e52926baa1870acfbee6cc8d7737ee7d9bdde7f2c787a5cfc53c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ce2af9f834698c82cc907ba994848637

SHA1
b86841ca592e6d59a092135e1feac9171aeffa80

SHA256
15add4e5a053429878fcdbdde431718103a418a5748256597e2dd53f11acda1f

SHA512
472835f80868dd313699e0c389e4af8e5383d8ba8cbecb2c8437190df9f137e1767478cac34caebc26c5f81ec3a6b11c4d12e9c43cd1fe803376e09fd6bcfde9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9fe303abd033f097fb01142a3b09cc67

SHA1
dffdaf124372c941bce3ec3100ba060c37f6274c

SHA256
70debecba7423b8ad13cf505bffb21d1b5068eefaa5a22a8819f9bf5ffe14f19

SHA512
1bb698ac6291489edc045f62542c94d4900f175100d51f65c3101c82670a03f37646ad4f970352aa36568174f6a27819097ba48f0d2ff482e6b8821eef8ae80e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f7fdae0e16ecd0a9fa81b7538c749f92

SHA1
46a5ea7cb0eb50cdc5d9966bb405df38a1ac00ca

SHA256
f5052fa4564a20f55ce7125300e8116f81c0ca5239f3bdf36f61b6b1a4897250

SHA512
b86939d884f639b2d3a7db1d769e4fe8964645544ac5afa43ea8c96fbfc1b1ce3c5b127ff26e5739fe22c379c2f15cf57e414c0a34734ba9fa0769280d688648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584cd3.TMP

Filesize
1KB

MD5
10216a3940eb76f3a34b2514a0a0ba14

SHA1
48980713ba035c7caea2bbfbc1f6a49af4d6f919

SHA256
61a9d39c655531dd46d5e00589c0d2a3d226c8e00d052a0e6621bf396db64978

SHA512
97e1f20a4142594897785929e8b1858e64c07cbcb28ba9cc23ef25ce319557b25d422fbe658eadefa1d51aca4e6f08366d208920152793134d9f7a1cf33b9ea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
15c1736ab2997e140365e7320da09616

SHA1
406461a8955ee660cb864b1d4a8497fcf44568ab

SHA256
245d2192cd0e4ba87ce749d25ed3718595eaac920a7f60028554d3143b3b3bc1

SHA512
939e1304f7ac79a06bd2dd7427adea374d1c83dba5a84f4d1555b6653e03f289f7e29ba2df66a674aa329b4d5018580708184195ab736ea6b8e15907cb90f93f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7613da2667a3c350f89c9df8a06e5e9e

SHA1
c667642f6ca9b24e40a6acfe9f1190b2630b8636

SHA256
3751dba706d28cc349c454d22732fb0347eb4bcbcafecc9d0f972609440384f9

SHA512
d4abfa088b509969dd98752a398ef347164aa26faadb8868e80afa42d76d75db4349b514f1e528097859412866c723cde66a9b94b053036c7790f57553b5c121

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
63dccb17cbf9d93b6dbc0267daa1616e

SHA1
e45aa6f294fcaafb1c26f391f3500cd2771198b3

SHA256
0bfda68c14bf3723dc35533d5e8b0ed5ac26c9c26a6b3dcb40fd4318a5a43644

SHA512
2b936328f4452946ffb92340c148290592a923c5bd093e58f558f639098f1d4f8a398a057430b33057be643fcfac29a8080df6750ea962f665c89569a08f8862

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

Filesize
101KB

MD5
4143d3bb52f6ca4aea06d4ae15db611f

SHA1
be6b949ed7be8ce752b7343d56d9c3f96b25a0d3

SHA256
1ff448e9e456f5ad022c2bffb16e0e94eeb6346e8befab695ec0f369349a1a0a

SHA512
2a9befa77e042ea32358c8e3c40e67b3ebf618744634878393a7f7121484371dd62f5d981d0aaef2280bb1a574379271abaf249708ed49b893924fb521cbd2d2

Download Submit
memory/3380-209-0x00000000008B0000-0x00000000018EE000-memory.dmp

Filesize
16.2MB

Download
memory/5856-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5952-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6040-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6084-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download