Analysis
max time kernel: 858s
max time network: 862s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30/01/2025, 06:18
General
Target: Drunkdeer(1).exe
Size: 3.2MB
MD5: 2e3a2248109098fa65295e84918518e0
SHA1: 80c462ccf9ab80f3cafc1a1f43669c72c383db4a
SHA256: 726fe765745a0052e532e040a71b6b252aceab5c3b6cb13ba774eb85494390fa
SHA512: f3b3ebccc507ecaf464f6c023e3f5a7b4174894a35a8bda186129b0f89c0dcc9389991b20cbf092692928614bc63024775b0ac5b8c2f83aa0a5bf28fe44bda8e
SSDEEP: 49152:7GX87p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpKu/nRFfjI7L0qb:7LHTPJg8z1mKnypSbRxo9JCm
Malware Config
Extracted
Family: orcus
Новый тег (Russian: "New tag")
31.44.184.52:27516 (C2 host:port)
sudo_bdnmfcpgeezwswzcg169jg3njnsdn3j8 (the same string is used as the lib_<value> directory name under Downloads)
autostart_method: Disable
enable_keylogger: false
install_path: %appdata%\eternalasync\cpuuploads.exe
reconnect_delay: 10000
registry_keyname: Sudik
taskscheduler_taskname: sudik
watchdog_path: AppData\aga.exe
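The following script is an added example, not part of the tria.ge report or of the Orcus code base. It turns the extracted configuration above into concrete host artifacts (expanding %appdata% the same way the process tree shows it resolved, to C:\Users\Admin\AppData\Roaming) and checks a host inventory against them. The profile path, the inventory contents and the dictionary field names are constructed for the example. One caveat taken from the report itself: autostart_method is Disable and no persistence signature fired, so the Run value and scheduled task may be absent on an infected host even though the config names them; the file path and the C2 endpoint are the more reliable indicators.

```python
"""Host-artifact check derived from the extracted Orcus config.

Added example, not part of the tria.ge report or of Orcus itself. The
inventory below is constructed sample data, not output from the analysed
machine, and the profile path C:\\Users\\Admin is an assumption that
mirrors the sandbox user.
"""
import ntpath

# Values copied from the "Extracted" block of the report.
ORCUS_CONFIG = {
    "c2": "31.44.184.52:27516",
    "install_path": r"%appdata%\eternalasync\cpuuploads.exe",
    "registry_keyname": "Sudik",
    "taskscheduler_taskname": "sudik",
    "watchdog_path": r"AppData\aga.exe",
}


def expand_orcus_path(raw: str, profile: str) -> str:
    r"""Resolve the two path styles this config uses.

    %appdata% expands to <profile>\AppData\Roaming, which is how
    %appdata%\eternalasync\cpuuploads.exe became
    C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe in the
    process tree. A relative path such as AppData\aga.exe is taken relative
    to the profile directory; that mapping is an assumption, the report
    does not show aga.exe being written.
    """
    if raw.lower().startswith("%appdata%"):
        tail = raw[len("%appdata%"):].lstrip("\\")
        return ntpath.join(profile, "AppData", "Roaming", tail)
    if ntpath.splitdrive(raw)[0]:
        return raw  # already an absolute drive path
    return ntpath.join(profile, raw)


def orcus_artifacts(cfg: dict, profile: str) -> dict:
    """Derive a lower-cased artifact set from the config for one profile."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "files": {expand_orcus_path(cfg["install_path"], profile).lower(),
                  expand_orcus_path(cfg["watchdog_path"], profile).lower()},
        "run_values": {cfg["registry_keyname"].lower()},
        "tasks": {cfg["taskscheduler_taskname"].lower()},
        "c2": (host, int(port)),
    }


def match_host(artifacts: dict, inventory: dict) -> list[str]:
    """Case-insensitive match of an inventory against the artifact set."""
    hits = []
    for path in inventory["files"]:
        if path.lower() in artifacts["files"]:
            hits.append(f"file {path}")
    for name, command in inventory["run_values"].items():
        if name.lower() in artifacts["run_values"]:
            hits.append(f"run value {name} = {command}")
    for task in inventory["tasks"]:
        if task.lower() in artifacts["tasks"]:
            hits.append(f"scheduled task {task}")
    for addr, port in inventory["connections"]:
        if (addr, port) == artifacts["c2"]:
            hits.append(f"connection {addr}:{port}")
    return hits


# Constructed inventory for the assumed profile C:\Users\Admin: a mix of
# artifacts from this report and unrelated, benign entries.
SAMPLE_INVENTORY = {
    "files": [
        r"C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe",
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\notes.txt",
    ],
    "run_values": {
        "OneDrive": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "Sudik": r"C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe",
    },
    "tasks": ["MicrosoftEdgeUpdateTaskMachineCore", "sudik"],
    "connections": [("31.44.184.52", 27516), ("13.107.4.50", 443)],
}


def scan(profile: str = r"C:\Users\Admin") -> list[str]:
    """Run the constructed inventory against the config-derived artifacts."""
    return match_host(orcus_artifacts(ORCUS_CONFIG, profile), SAMPLE_INVENTORY)


if __name__ == "__main__":
    for hit in scan():
        print(hit)
```

On a real host the inventory would come from a directory walk, the HKCU\...\Run values, Get-ScheduledTask output and the active connection table; the matcher stays the same.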
Signatures

Orcus family

Orcus main payload (1 IoC)
  resource                                     yara_rule
  behavioral1/files/0x001a00000002aabc-13.dat  family_orcus

Orcus RAT Executable (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/4884-1-0x0000000000880000-0x0000000000BB8000-memory.dmp   orcus
  behavioral1/files/0x001a00000002aabc-13.dat                                   orcus

Executes dropped EXE (4 IoCs)
  pid   Process
  3900  cpuuploads.exe
  1584  cpuuploads.exe
  4568  cpuuploads.exe
  3952  cpuuploads.exe

Loads dropped DLL (12 IoCs)
  pid   Process
  548   caspol.exe  (12 load events)

Suspicious use of SetThreadContext (3 IoCs)
  pid   Process         target pid  target process (from the tree)  procid_target
  3900  cpuuploads.exe  832         regasm.exe                      82
  1584  cpuuploads.exe  1544        msbuild.exe                     84
  4568  cpuuploads.exe  548         caspol.exe                      88

Drops file in Windows directory (1 IoC)
  description                   ioc                                                      Process
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe  caspol.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regasm.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cpuuploads.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msbuild.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cpuuploads.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  caspol.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Drunkdeer(1).exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cpuuploads.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cpuuploads.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                        Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs shown)
  pid   Process              entries
  4884  Drunkdeer(1).exe     1
  3900  cpuuploads.exe       8
  1584  cpuuploads.exe       2
  4568  cpuuploads.exe       6
  548   caspol.exe           39
  3720  msedge.exe           2
  2792  msedge.exe           2
  5096  identity_helper.exe  2
  2620  msedge.exe           2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid   Process     entries
  2792  msedge.exe  7

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4884  Drunkdeer(1).exe
  Token: SeDebugPrivilege  3900  cpuuploads.exe
  Token: SeDebugPrivilege  1584  cpuuploads.exe
  Token: SeDebugPrivilege  4568  cpuuploads.exe
  Token: SeDebugPrivilege  548   caspol.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process     entries
  2792  msedge.exe  25

Suspicious use of SendNotifyMessage (12 IoCs)
  pid   Process     entries
  2792  msedge.exe  12

Suspicious use of WriteProcessMemory (64 IoCs shown)
  pid   Process           wrote to pid  procid_target  entries
  4884  Drunkdeer(1).exe  3900          77             3
  3900  cpuuploads.exe    5048          79             3
  3900  cpuuploads.exe    4256          80             3
  3900  cpuuploads.exe    4928          81             3
  3900  cpuuploads.exe    832           82             8
  1584  cpuuploads.exe    1544          84             8
  4568  cpuuploads.exe    3640          86             3
  4568  cpuuploads.exe    1184          87             3
  4568  cpuuploads.exe    548           88             8
  2792  msedge.exe        220           93             2
  2792  msedge.exe        1808          94             20
The three targets that received 8 writes (832, 1544, 548) are exactly the three that also received a SetThreadContext call above; the regasm.exe and caspol.exe instances that received only 3 writes (5048, 4256, 4928, 3640, 1184) show no further activity in the tree.
Processes

1  C:\Users\Admin\AppData\Local\Temp\Drunkdeer(1).exe  (PID 4884)
   cmd: "C:\Users\Admin\AppData\Local\Temp\Drunkdeer(1).exe"
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe  (PID 3900)
      cmd: "C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe  (PID 5048)
         cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      3  C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe  (PID 4256)
         cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      3  C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe  (PID 4928)
         cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      3  C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe  (PID 832)
         cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
         - System Location Discovery: System Language Discovery

1  C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe  (PID 1584)
   cmd: C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe  (PID 1544)
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      - System Location Discovery: System Language Discovery

1  C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe  (PID 4568)
   cmd: C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe  (PID 3640)
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
   2  C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe  (PID 1184)
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
   2  C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe  (PID 548)
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

1  C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe  (PID 3952)
   cmd: C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
1  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2792)
   cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
   - Enumerates system info in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 220)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdc19a3cb8,0x7ffdc19a3cc8,0x7ffdc19a3cd8
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1808)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3720)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3568)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1540)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3060)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4712)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 952)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  (PID 5096)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3716)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2528)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2820)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2620)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1928)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,12742707132251162892,8673710482211245453,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4940 /prefetch:2

1  C:\Windows\System32\CompPkgSrv.exe  (PID 4060)
   cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

1  C:\Windows\System32\CompPkgSrv.exe  (PID 4660)
   cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
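The following script is an added example, not part of the tria.ge report or of Orcus itself. It encodes the pattern the process tree above shows: an executable under a user profile (cpuuploads.exe in AppData\Roaming) starts a signed .NET Framework utility with a bare command line, writes into it and then calls SetThreadContext, which is how regasm.exe (PID 832), msbuild.exe (PID 1544) and caspol.exe (PID 548) were taken over, while the sibling instances that received only three writes went no further. The events are constructed to mirror two of those chains plus benign controls; the field names (pid, ppid, image, cmdline, source_pid, target_pid, op) are the script's own, loosely modelled on Sysmon event ID 1 and 10 fields rather than a real log format. The host list extends the three utilities seen here with other framework binaries commonly used the same way; that extension is an assumption, not something the report shows.

```python
r"""Process-hollowing detection for the Drunkdeer(1).exe / cpuuploads.exe tree.

Added example, not part of the tria.ge report or of Orcus. Event records
below are constructed (PIDs follow the report; 1000 and 7001-7003 are
invented controls); field names are this script's own.
"""
import ntpath

# .NET Framework utilities commonly used as hollowing hosts. regasm, msbuild
# and caspol appear in the report; the rest are an assumption extending the
# rule to the same family of signed binaries that start without arguments.
HOLLOW_HOSTS = {
    "regasm.exe", "msbuild.exe", "caspol.exe",
    "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe", "applaunch.exe",
}


def has_arguments(cmdline: str) -> bool:
    """True when anything follows the program token, quoted or not."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return bool(rest.strip())


def in_user_profile(image: str) -> bool:
    """Image lives under a user-writable AppData directory."""
    return "\\appdata\\" in image.lower()


def find_hollowed(creates: list[dict], accesses: list[dict]) -> list[dict]:
    """Correlate process creation with memory writes and thread-context resets."""
    by_pid = {e["pid"]: e for e in creates}
    findings = []
    for e in creates:
        if ntpath.basename(e["image"]).lower() not in HOLLOW_HOSTS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not in_user_profile(parent["image"]):
            continue  # same utility started by explorer/devenv is normal
        if has_arguments(e["cmdline"]):
            continue  # a build tool given a project file is normal use
        ops = [a["op"] for a in accesses
               if a["source_pid"] == e["ppid"] and a["target_pid"] == e["pid"]]
        writes = ops.count("WriteProcessMemory")
        if "SetThreadContext" in ops:
            verdict = "hollowed"
        elif writes:
            verdict = "hollowing attempted"
        else:
            verdict = "suspicious spawn"
        findings.append({"pid": e["pid"], "image": ntpath.basename(e["image"]),
                         "parent": ntpath.basename(parent["image"]),
                         "writes": writes, "verdict": verdict})
    return sorted(findings, key=lambda f: f["pid"])


FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
CPU = r"C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe"

# Constructed process-creation events.
SAMPLE_CREATES = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4884, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\Drunkdeer(1).exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Drunkdeer(1).exe"'},
    {"pid": 3900, "ppid": 4884, "image": CPU, "cmdline": f'"{CPU}"'},
    {"pid": 5048, "ppid": 3900, "image": FW + r"\regasm.exe", "cmdline": f'"{FW}\\regasm.exe"'},
    {"pid": 832, "ppid": 3900, "image": FW + r"\regasm.exe", "cmdline": f'"{FW}\\regasm.exe"'},
    {"pid": 1584, "ppid": 1000, "image": CPU, "cmdline": CPU},
    {"pid": 1544, "ppid": 1584, "image": FW + r"\msbuild.exe", "cmdline": f'"{FW}\\msbuild.exe"'},
    # Benign controls: a real build, and caspol started by explorer.
    {"pid": 7001, "ppid": 1000, "image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "cmdline": '"devenv.exe"'},
    {"pid": 7002, "ppid": 7001, "image": FW + r"\msbuild.exe",
     "cmdline": f'"{FW}\\msbuild.exe" app.csproj /t:Build'},
    {"pid": 7003, "ppid": 1000, "image": FW + r"\caspol.exe", "cmdline": f'"{FW}\\caspol.exe"'},
]

# Constructed cross-process access events (counts follow the report).
SAMPLE_ACCESSES = (
    [{"source_pid": 3900, "target_pid": 5048, "op": "WriteProcessMemory"}] * 3
    + [{"source_pid": 3900, "target_pid": 832, "op": "WriteProcessMemory"}] * 8
    + [{"source_pid": 3900, "target_pid": 832, "op": "SetThreadContext"}]
    + [{"source_pid": 1584, "target_pid": 1544, "op": "WriteProcessMemory"}] * 8
    + [{"source_pid": 1584, "target_pid": 1544, "op": "SetThreadContext"}]
)

if __name__ == "__main__":
    for finding in find_hollowed(SAMPLE_CREATES, SAMPLE_ACCESSES):
        print(finding)
```

The parent-location and bare-command-line conditions are what keep the rule quiet on developer machines: msbuild.exe with a project file under devenv.exe, or caspol.exe launched from explorer, is not reported even though both binaries are on the host list.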
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize 1KB
  MD5    9ab70628e2d07fb6d0af7ffe9c2534eb
  SHA1   73e1d327502efc4ae6f21277eba6b4fddca8da3f
  SHA256 a20c6b19845afcbb3346022339b60594c062bf437ff2303a25d8329d8baf73e6
  SHA512 142912047400eeb4bd866f1b459bf0b4f44658fcf4e77ffa88d94e54240f87282a8af25381e3e834f094b6a8f5d607f5cf90930e2462ddaee8a7e8dcfecbbb9d

- Filesize 152B
  MD5    d91478312beae099b8ed57e547611ba2
  SHA1   4b927559aedbde267a6193e3e480fb18e75c43d7
  SHA256 df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043
  SHA512 4086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96

- Filesize 152B
  MD5    d7145ec3fa29a4f2df900d1418974538
  SHA1   1368d579635ba1a53d7af0ed89bf0b001f149f9d
  SHA256 efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59
  SHA512 5bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91

- Filesize 5KB
  MD5    c4236033d11f967145666a4365e98550
  SHA1   e4b67ba3b6fb9cc710f9073815b19084997c162b
  SHA256 05b6d315352bac7ae468a7fd29d6c87606f34292a72102fbc36a901544495b05
  SHA512 79782fb9efc57f1779518e464ef79d5c86d3b74beecb640b1878e3aebfe8544478f9d840a9985ec76d51aff9f2406fcd86c03489c4d7b619952f13485a9a19eb

- Filesize 5KB
  MD5    43ee2a6d6e2c3c9da3ec11d2e7354702
  SHA1   478a5c2be24c46cd6ab4bab9d63cb16d647f4e60
  SHA256 55e5f3ede92ad04934288dd2d18942c8c50b1da43643e8e5dc15b3928b5974ed
  SHA512 5131ef75b9fb96cdd5c8de88117bfceb2ed2c46ed445abe4e8a9fa51749b38905de3f0152acc1c341372cf89f162ebb560c26223fec5133bcbe08ec2a4bea314

- Filesize 16B
  MD5    6752a1d65b201c13b62ea44016eb221f
  SHA1   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize 11KB
  MD5    540d087333030e4a0f83aa0cf03979a2
  SHA1   3859ecf468529403764fa06fdf52f434aedfbdf4
  SHA256 f2ddb44789bbbca1606d19d38c257742c5d658f0885dbfdd0b9c7344ab19c46a
  SHA512 55bad20a0b8a68b6ef843456e65bf73273c5a621b3e3df029be1827b102b9c924bcb12489a7ac2e58c7ccf62449afdb8dc0592dfe8e00e4f4f0c5bfc2cb36055

- Filesize 10KB
  MD5    45849579399af4908cd74ca81779ab3e
  SHA1   3b42e5dea3758b06dffc356efb430ed400ca0509
  SHA256 a628238e988c08a9245fdbe0e624564970548c39294042d66e87849bcee05b2d
  SHA512 8f2bba7a32b138eb9edee073e3ddd2c2e1da465be29be07abfc3dd73cd57af158f2ffcd7f43f425679abdf53c82741b7c8ce93a124b1880d6a1ba63d1c7fbbd3

- Filesize 3.2MB (identical hashes to the submitted Drunkdeer(1).exe)
  MD5    2e3a2248109098fa65295e84918518e0
  SHA1   80c462ccf9ab80f3cafc1a1f43669c72c383db4a
  SHA256 726fe765745a0052e532e040a71b6b252aceab5c3b6cb13ba774eb85494390fa
  SHA512 f3b3ebccc507ecaf464f6c023e3f5a7b4174894a35a8bda186129b0f89c0dcc9389991b20cbf092692928614bc63024775b0ac5b8c2f83aa0a5bf28fe44bda8e

- Filesize 357B
  MD5    a2b76cea3a59fa9af5ea21ff68139c98
  SHA1   35d76475e6a54c168f536e30206578babff58274
  SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
  SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

- Filesize 519KB
  MD5    94a312a6fcec0e78808bcea3d8ff67f5
  SHA1   fe760487d13f9a6f5f359036561105d4aca88a1f
  SHA256 e835139171eb0d63b6b4e02b0997cac040c02d295648a275d4c8d28b234c8e94
  SHA512 ecdedeee1ee4e35e4fbd2dea3a4dd8b0805166a9610a63affbfb673f2644588eacecba6b3a5a0052c202ab14c321800997512abc318d36a50b00cc86dc83ec1c

- C:\Users\Admin\AppData\Roaming\eternalasync\lib_sudo_bdnmfcpgeezwswzcg169jg3njnsdn3j8\SharpDX.DXGI.dll
  Filesize 125KB
  MD5    2b44c70c49b70d797fbb748158b5d9bb
  SHA1   93e00e6527e461c45c7868d14cf05c007e478081
  SHA256 3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf
  SHA512 faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

- C:\Users\Admin\AppData\Roaming\eternalasync\lib_sudo_bdnmfcpgeezwswzcg169jg3njnsdn3j8\SharpDX.Direct3D11.dll
  Filesize 271KB
  MD5    98eb5ba5871acdeaebf3a3b0f64be449
  SHA1   c965284f60ef789b00b10b3df60ee682b4497de3
  SHA256 d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c
  SHA512 a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

- C:\Users\Admin\AppData\Roaming\eternalasync\lib_sudo_bdnmfcpgeezwswzcg169jg3njnsdn3j8\SharpDX.Direct3D9.dll
  Filesize 338KB
  MD5    934da0e49208d0881c44fe19d5033840
  SHA1   a19c5a822e82e41752a08d3bd9110db19a8a5016
  SHA256 02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7
  SHA512 de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

- Filesize 247KB
  MD5    ffb4b61cc11bec6d48226027c2c26704
  SHA1   fa8b9e344accbdc4dffa9b5d821d23f0716da29e
  SHA256 061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303
  SHA512 48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

- C:\Users\Admin\AppData\Roaming\eternalasync\lib_sudo_bdnmfcpgeezwswzcg169jg3njnsdn3j8\TurboJpegWrapper.dll
  Filesize 1.3MB
  MD5    ac6acc235ebef6374bed71b37e322874
  SHA1   a267baad59cd7352167636836bad4b971fcd6b6b
  SHA256 047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96
  SHA512 72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081