orcus | 726fe765745a0052e532e040a71b6b252aceab5c3b6cb13ba774eb85494390fa

Analysis

max time kernel
858s
max time network
862s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30/01/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Drunkdeer(1).exe
Size

3.2MB
MD5

2e3a2248109098fa65295e84918518e0
SHA1

80c462ccf9ab80f3cafc1a1f43669c72c383db4a
SHA256

726fe765745a0052e532e040a71b6b252aceab5c3b6cb13ba774eb85494390fa
SHA512

f3b3ebccc507ecaf464f6c023e3f5a7b4174894a35a8bda186129b0f89c0dcc9389991b20cbf092692928614bc63024775b0ac5b8c2f83aa0a5bf28fe44bda8e
SSDEEP

49152:7GX87p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpKu/nRFfjI7L0qb:7LHTPJg8z1mKnypSbRxo9JCm

Score

10^/10

orcus новый тег discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Новый тег

31.44.184.52:27516

Mutex

sudo_bdnmfcpgeezwswzcg169jg3njnsdn3j8

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\eternalasync\cpuuploads.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002aabc-13.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/memory/4884-1-0x0000000000880000-0x0000000000BB8000-memory.dmp	orcus
behavioral1/files/0x001a00000002aabc-13.dat	orcus

Executes dropped EXE 4 IoCs

pid	Process
3900	cpuuploads.exe
1584	cpuuploads.exe
4568	cpuuploads.exe
3952	cpuuploads.exe

Loads dropped DLL 12 IoCs

pid	Process
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3900 set thread context of 832	3900	cpuuploads.exe	82
PID 1584 set thread context of 1544	1584	cpuuploads.exe	84
PID 4568 set thread context of 548	4568	cpuuploads.exe	88

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe	caspol.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpuuploads.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpuuploads.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caspol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Drunkdeer(1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpuuploads.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpuuploads.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4884	Drunkdeer(1).exe
3900	cpuuploads.exe
3900	cpuuploads.exe
3900	cpuuploads.exe
3900	cpuuploads.exe
3900	cpuuploads.exe
3900	cpuuploads.exe
3900	cpuuploads.exe
3900	cpuuploads.exe
1584	cpuuploads.exe
1584	cpuuploads.exe
4568	cpuuploads.exe
4568	cpuuploads.exe
4568	cpuuploads.exe
4568	cpuuploads.exe
4568	cpuuploads.exe
4568	cpuuploads.exe
548	caspol.exe
548	caspol.exe
3720	msedge.exe
3720	msedge.exe
2792	msedge.exe
2792	msedge.exe
5096	identity_helper.exe
5096	identity_helper.exe
2620	msedge.exe
2620	msedge.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe
548	caspol.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	Drunkdeer(1).exe
Token: SeDebugPrivilege	3900	cpuuploads.exe
Token: SeDebugPrivilege	1584	cpuuploads.exe
Token: SeDebugPrivilege	4568	cpuuploads.exe
Token: SeDebugPrivilege	548	caspol.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 3900	4884	Drunkdeer(1).exe	77
PID 4884 wrote to memory of 3900	4884	Drunkdeer(1).exe	77
PID 4884 wrote to memory of 3900	4884	Drunkdeer(1).exe	77
PID 3900 wrote to memory of 5048	3900	cpuuploads.exe	79
PID 3900 wrote to memory of 5048	3900	cpuuploads.exe	79
PID 3900 wrote to memory of 5048	3900	cpuuploads.exe	79
PID 3900 wrote to memory of 4256	3900	cpuuploads.exe	80
PID 3900 wrote to memory of 4256	3900	cpuuploads.exe	80
PID 3900 wrote to memory of 4256	3900	cpuuploads.exe	80
PID 3900 wrote to memory of 4928	3900	cpuuploads.exe	81
PID 3900 wrote to memory of 4928	3900	cpuuploads.exe	81
PID 3900 wrote to memory of 4928	3900	cpuuploads.exe	81
PID 3900 wrote to memory of 832	3900	cpuuploads.exe	82
PID 3900 wrote to memory of 832	3900	cpuuploads.exe	82
PID 3900 wrote to memory of 832	3900	cpuuploads.exe	82
PID 3900 wrote to memory of 832	3900	cpuuploads.exe	82
PID 3900 wrote to memory of 832	3900	cpuuploads.exe	82
PID 3900 wrote to memory of 832	3900	cpuuploads.exe	82
PID 3900 wrote to memory of 832	3900	cpuuploads.exe	82
PID 3900 wrote to memory of 832	3900	cpuuploads.exe	82
PID 1584 wrote to memory of 1544	1584	cpuuploads.exe	84
PID 1584 wrote to memory of 1544	1584	cpuuploads.exe	84
PID 1584 wrote to memory of 1544	1584	cpuuploads.exe	84
PID 1584 wrote to memory of 1544	1584	cpuuploads.exe	84
PID 1584 wrote to memory of 1544	1584	cpuuploads.exe	84
PID 1584 wrote to memory of 1544	1584	cpuuploads.exe	84
PID 1584 wrote to memory of 1544	1584	cpuuploads.exe	84
PID 1584 wrote to memory of 1544	1584	cpuuploads.exe	84
PID 4568 wrote to memory of 3640	4568	cpuuploads.exe	86
PID 4568 wrote to memory of 3640	4568	cpuuploads.exe	86
PID 4568 wrote to memory of 3640	4568	cpuuploads.exe	86
PID 4568 wrote to memory of 1184	4568	cpuuploads.exe	87
PID 4568 wrote to memory of 1184	4568	cpuuploads.exe	87
PID 4568 wrote to memory of 1184	4568	cpuuploads.exe	87
PID 4568 wrote to memory of 548	4568	cpuuploads.exe	88
PID 4568 wrote to memory of 548	4568	cpuuploads.exe	88
PID 4568 wrote to memory of 548	4568	cpuuploads.exe	88
PID 4568 wrote to memory of 548	4568	cpuuploads.exe	88
PID 4568 wrote to memory of 548	4568	cpuuploads.exe	88
PID 4568 wrote to memory of 548	4568	cpuuploads.exe	88
PID 4568 wrote to memory of 548	4568	cpuuploads.exe	88
PID 4568 wrote to memory of 548	4568	cpuuploads.exe	88
PID 2792 wrote to memory of 220	2792	msedge.exe	93
PID 2792 wrote to memory of 220	2792	msedge.exe	93
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94
PID 2792 wrote to memory of 1808	2792	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\Drunkdeer(1).exe
"C:\Users\Admin\AppData\Local\Temp\Drunkdeer(1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe
  "C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:5048
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:4256
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:4928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:832

C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe
C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1544

C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe
C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
  2⤵
  PID:3640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
  2⤵
  PID:1184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:548

C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe
C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdc19a3cb8,0x7ffdc19a3cc8,0x7ffdc19a3cd8
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4940 /prefetch:2
  2⤵
  PID:1928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cpuuploads.exe.log

Filesize
1KB

MD5
9ab70628e2d07fb6d0af7ffe9c2534eb

SHA1
73e1d327502efc4ae6f21277eba6b4fddca8da3f

SHA256
a20c6b19845afcbb3346022339b60594c062bf437ff2303a25d8329d8baf73e6

SHA512
142912047400eeb4bd866f1b459bf0b4f44658fcf4e77ffa88d94e54240f87282a8af25381e3e834f094b6a8f5d607f5cf90930e2462ddaee8a7e8dcfecbbb9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d91478312beae099b8ed57e547611ba2

SHA1
4b927559aedbde267a6193e3e480fb18e75c43d7

SHA256
df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043

SHA512
4086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7145ec3fa29a4f2df900d1418974538

SHA1
1368d579635ba1a53d7af0ed89bf0b001f149f9d

SHA256
efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59

SHA512
5bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c4236033d11f967145666a4365e98550

SHA1
e4b67ba3b6fb9cc710f9073815b19084997c162b

SHA256
05b6d315352bac7ae468a7fd29d6c87606f34292a72102fbc36a901544495b05

SHA512
79782fb9efc57f1779518e464ef79d5c86d3b74beecb640b1878e3aebfe8544478f9d840a9985ec76d51aff9f2406fcd86c03489c4d7b619952f13485a9a19eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
43ee2a6d6e2c3c9da3ec11d2e7354702

SHA1
478a5c2be24c46cd6ab4bab9d63cb16d647f4e60

SHA256
55e5f3ede92ad04934288dd2d18942c8c50b1da43643e8e5dc15b3928b5974ed

SHA512
5131ef75b9fb96cdd5c8de88117bfceb2ed2c46ed445abe4e8a9fa51749b38905de3f0152acc1c341372cf89f162ebb560c26223fec5133bcbe08ec2a4bea314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
540d087333030e4a0f83aa0cf03979a2

SHA1
3859ecf468529403764fa06fdf52f434aedfbdf4

SHA256
f2ddb44789bbbca1606d19d38c257742c5d658f0885dbfdd0b9c7344ab19c46a

SHA512
55bad20a0b8a68b6ef843456e65bf73273c5a621b3e3df029be1827b102b9c924bcb12489a7ac2e58c7ccf62449afdb8dc0592dfe8e00e4f4f0c5bfc2cb36055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
45849579399af4908cd74ca81779ab3e

SHA1
3b42e5dea3758b06dffc356efb430ed400ca0509

SHA256
a628238e988c08a9245fdbe0e624564970548c39294042d66e87849bcee05b2d

SHA512
8f2bba7a32b138eb9edee073e3ddd2c2e1da465be29be07abfc3dd73cd57af158f2ffcd7f43f425679abdf53c82741b7c8ce93a124b1880d6a1ba63d1c7fbbd3

Download Submit
C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe

Filesize
3.2MB

MD5
2e3a2248109098fa65295e84918518e0

SHA1
80c462ccf9ab80f3cafc1a1f43669c72c383db4a

SHA256
726fe765745a0052e532e040a71b6b252aceab5c3b6cb13ba774eb85494390fa

SHA512
f3b3ebccc507ecaf464f6c023e3f5a7b4174894a35a8bda186129b0f89c0dcc9389991b20cbf092692928614bc63024775b0ac5b8c2f83aa0a5bf28fe44bda8e

Download Submit
C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Roaming\eternalasync\lib_sudo_bdnmfcpgeezwswzcg169jg3njnsdn3j8\CSCore.dll

Filesize
519KB

MD5
94a312a6fcec0e78808bcea3d8ff67f5

SHA1
fe760487d13f9a6f5f359036561105d4aca88a1f

SHA256
e835139171eb0d63b6b4e02b0997cac040c02d295648a275d4c8d28b234c8e94

SHA512
ecdedeee1ee4e35e4fbd2dea3a4dd8b0805166a9610a63affbfb673f2644588eacecba6b3a5a0052c202ab14c321800997512abc318d36a50b00cc86dc83ec1c

Download Submit
C:\Users\Admin\AppData\Roaming\eternalasync\lib_sudo_bdnmfcpgeezwswzcg169jg3njnsdn3j8\SharpDX.DXGI.dll

Filesize
125KB

MD5
2b44c70c49b70d797fbb748158b5d9bb

SHA1
93e00e6527e461c45c7868d14cf05c007e478081

SHA256
3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf

SHA512
faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

Download Submit
C:\Users\Admin\AppData\Roaming\eternalasync\lib_sudo_bdnmfcpgeezwswzcg169jg3njnsdn3j8\SharpDX.Direct3D11.dll

Filesize
271KB

MD5
98eb5ba5871acdeaebf3a3b0f64be449

SHA1
c965284f60ef789b00b10b3df60ee682b4497de3

SHA256
d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c

SHA512
a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

Download Submit
C:\Users\Admin\AppData\Roaming\eternalasync\lib_sudo_bdnmfcpgeezwswzcg169jg3njnsdn3j8\SharpDX.Direct3D9.dll

Filesize
338KB

MD5
934da0e49208d0881c44fe19d5033840

SHA1
a19c5a822e82e41752a08d3bd9110db19a8a5016

SHA256
02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7

SHA512
de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

Download Submit
C:\Users\Admin\AppData\Roaming\eternalasync\lib_sudo_bdnmfcpgeezwswzcg169jg3njnsdn3j8\SharpDX.dll

Filesize
247KB

MD5
ffb4b61cc11bec6d48226027c2c26704

SHA1
fa8b9e344accbdc4dffa9b5d821d23f0716da29e

SHA256
061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303

SHA512
48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

Download Submit
C:\Users\Admin\AppData\Roaming\eternalasync\lib_sudo_bdnmfcpgeezwswzcg169jg3njnsdn3j8\TurboJpegWrapper.dll

Filesize
1.3MB

MD5
ac6acc235ebef6374bed71b37e322874

SHA1
a267baad59cd7352167636836bad4b971fcd6b6b

SHA256
047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96

SHA512
72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081

Download Submit
memory/548-119-0x0000000008380000-0x0000000008406000-memory.dmp

Filesize
536KB

Download
memory/548-142-0x0000000008410000-0x000000000845A000-memory.dmp

Filesize
296KB

Download
memory/548-168-0x00000000084E0000-0x00000000084F8000-memory.dmp

Filesize
96KB

Download
memory/548-167-0x00000000069B0000-0x00000000069BC000-memory.dmp

Filesize
48KB

Download
memory/548-41-0x0000000005B30000-0x0000000005B48000-memory.dmp

Filesize
96KB

Download
memory/548-42-0x0000000005B80000-0x0000000005B90000-memory.dmp

Filesize
64KB

Download
memory/548-43-0x00000000067F0000-0x00000000067FA000-memory.dmp

Filesize
40KB

Download
memory/548-46-0x0000000006E40000-0x0000000006EA6000-memory.dmp

Filesize
408KB

Download
memory/548-47-0x0000000007800000-0x0000000007E18000-memory.dmp

Filesize
6.1MB

Download
memory/548-48-0x0000000006EE0000-0x0000000006EF2000-memory.dmp

Filesize
72KB

Download
memory/548-49-0x0000000007220000-0x000000000725C000-memory.dmp

Filesize
240KB

Download
memory/548-50-0x0000000007260000-0x00000000072AC000-memory.dmp

Filesize
304KB

Download
memory/548-52-0x00000000073E0000-0x00000000074EA000-memory.dmp

Filesize
1.0MB

Download
memory/548-54-0x0000000007E20000-0x0000000007FE2000-memory.dmp

Filesize
1.8MB

Download
memory/548-55-0x0000000007390000-0x000000000739E000-memory.dmp

Filesize
56KB

Download
memory/548-56-0x00000000077B0000-0x0000000007800000-memory.dmp

Filesize
320KB

Download
memory/548-166-0x0000000006980000-0x0000000006996000-memory.dmp

Filesize
88KB

Download
memory/548-163-0x00000000087D0000-0x0000000008924000-memory.dmp

Filesize
1.3MB

Download
memory/548-156-0x0000000006A30000-0x0000000006A56000-memory.dmp

Filesize
152KB

Download
memory/548-149-0x0000000008610000-0x000000000866A000-memory.dmp

Filesize
360KB

Download
memory/548-135-0x00000000082F0000-0x0000000008334000-memory.dmp

Filesize
272KB

Download
memory/1584-38-0x0000000074860000-0x0000000075011000-memory.dmp

Filesize
7.7MB

Download
memory/1584-30-0x0000000074860000-0x0000000075011000-memory.dmp

Filesize
7.7MB

Download
memory/1584-34-0x00000000051B0000-0x00000000051C2000-memory.dmp

Filesize
72KB

Download
memory/3900-26-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/3900-33-0x0000000074860000-0x0000000075011000-memory.dmp

Filesize
7.7MB

Download
memory/3900-29-0x0000000006560000-0x00000000065FC000-memory.dmp

Filesize
624KB

Download
memory/3900-25-0x0000000074860000-0x0000000075011000-memory.dmp

Filesize
7.7MB

Download
memory/3900-27-0x0000000005BF0000-0x0000000005C3E000-memory.dmp

Filesize
312KB

Download
memory/3900-23-0x0000000074860000-0x0000000075011000-memory.dmp

Filesize
7.7MB

Download
memory/4884-4-0x0000000005630000-0x000000000568C000-memory.dmp

Filesize
368KB

Download
memory/4884-3-0x0000000074860000-0x0000000075011000-memory.dmp

Filesize
7.7MB

Download
memory/4884-5-0x0000000005F50000-0x00000000064F6000-memory.dmp

Filesize
5.6MB

Download
memory/4884-2-0x0000000003020000-0x000000000302E000-memory.dmp

Filesize
56KB

Download
memory/4884-6-0x0000000005A40000-0x0000000005AD2000-memory.dmp

Filesize
584KB

Download
memory/4884-0-0x000000007486E000-0x000000007486F000-memory.dmp

Filesize
4KB

Download
memory/4884-7-0x0000000005A20000-0x0000000005A32000-memory.dmp

Filesize
72KB

Download
memory/4884-24-0x0000000074860000-0x0000000075011000-memory.dmp

Filesize
7.7MB

Download
memory/4884-1-0x0000000000880000-0x0000000000BB8000-memory.dmp

Filesize
3.2MB

Download