orcus | hxxps://gofile[.]io/d/4n51ig

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2025, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/4n51ig

Score

10^/10

orcus discovery ransomware rat spyware stealer

Malware Config

Extracted

Family

orcus

147.185.221.26

details-congratulations.gl.at.ply.gg

Mutex

43c9345046644ae5b9b3f615c94f46e9

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
03/06/2025 19:52:41
plugins
AgUFyfihswTdIPqEArukcmEdSF06Hw9CAFMAbwBEACAAUAByAG8AdABlAGMAdABpAG8AbgAHAzEALgAwAEEgYQBmADYAMgA3AGUAYgA5ADEAOAA5ADAANAA4ADIANAA5AGEANABjADkAZgBkADUAOABlAGYAYwBiADAAZgA0AAEFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIGIAOABiAGMAOABiADEANgA0ADMAYwA3ADQAMQA3ADkAOAA0ADUANQBmADIAMgAwAGEAZgBjAGUAZQA3ADQAZQABAAAEBA==
reconnect_delay
10000
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Downloads MZ/PE file 1 IoCs

flow	pid	Process
47	836	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	NotAVirusSir!.exe

Executes dropped EXE 6 IoCs

pid	Process
5388	NotAVirusSir!.exe
5564	NotAVirusSir!.exe
5640	WindowsInput.exe
5676	NotAVirusSir!.exe
5712	NotAVirusSir!.exe
6036	AudioDriver.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	api.gofile.io
15	api.gofile.io

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	NotAVirusSir!.exe
File opened for modification	C:\Windows\SysWOW64\WindowsInput.InstallLog	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp"	AudioDriver.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotAVirusSir!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotAVirusSir!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotAVirusSir!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotAVirusSir!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioDriver.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\Desktop\TileWallpaper = "1"	AudioDriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\Desktop\WallpaperStyle = "1"	AudioDriver.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 405216.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe\:SmartScreen:$DATA	NotAVirusSir!.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
836	msedge.exe
836	msedge.exe
2704	msedge.exe
2704	msedge.exe
4940	identity_helper.exe
4940	identity_helper.exe
5276	msedge.exe
5276	msedge.exe
6036	AudioDriver.exe
6036	AudioDriver.exe
6036	AudioDriver.exe
6036	AudioDriver.exe
6036	AudioDriver.exe
6036	AudioDriver.exe
6036	AudioDriver.exe
6036	AudioDriver.exe
6036	AudioDriver.exe
6036	AudioDriver.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	6036	AudioDriver.exe
Token: 33	2748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2748	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
6036	AudioDriver.exe
2704	msedge.exe
6036	AudioDriver.exe
6036	AudioDriver.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
6036	AudioDriver.exe
6036	AudioDriver.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 1068	2704	msedge.exe	89
PID 2704 wrote to memory of 1068	2704	msedge.exe	89
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 2164	2704	msedge.exe	90
PID 2704 wrote to memory of 836	2704	msedge.exe	91
PID 2704 wrote to memory of 836	2704	msedge.exe	91
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92
PID 2704 wrote to memory of 4636	2704	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/4n51ig
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab12246f8,0x7ffab1224708,0x7ffab1224718
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3916 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4648 /prefetch:8
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5276
- C:\Users\Admin\Downloads\NotAVirusSir!.exe
  "C:\Users\Admin\Downloads\NotAVirusSir!.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:5388
- - C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe" --install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:5640
- - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:6036
- C:\Users\Admin\Downloads\NotAVirusSir!.exe
  "C:\Users\Admin\Downloads\NotAVirusSir!.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5564
- C:\Users\Admin\Downloads\NotAVirusSir!.exe
  "C:\Users\Admin\Downloads\NotAVirusSir!.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5676
- C:\Users\Admin\Downloads\NotAVirusSir!.exe
  "C:\Users\Admin\Downloads\NotAVirusSir!.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1188 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,2415039189465193717,13647921063318546818,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1108

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x460 0x46c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NotAVirusSir!.exe.log

Filesize
901B

MD5
7f91bcd7a2f1e29dc5281b201b6a03b1

SHA1
05018aa4b8d6c09acf5418848929a467ea1f36c9

SHA256
11293c7c93b774cd92051d97757c25b0cc3ba8ad2d65137cc23ade778d580e86

SHA512
bacc2b1f9a48287f5aa1805edf13b9c62c05dbad7d83a12007e3d9755ae21923eaed2e942468b01881206ca5e2f16c74b0a9dcf82926ef1df0224eaf7c512c11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56361f50f0ee63ef0ea7c91d0c8b847a

SHA1
35227c31259df7a652efb6486b2251c4ee4b43fc

SHA256
7660beecfee70d695225795558f521c3fb2b01571c224b373d202760b02055c0

SHA512
94582035220d2a78dfea9dd3377bec3f4a1a1c82255b3b74f4e313f56eb2f7b089e36af9fceea9aa83b7c81432622c3c7f900008a1bdb6b1cd12c4073ae4b8a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0621e31d12b6e16ab28de3e74462a4ce

SHA1
0af6f056aff6edbbc961676656d8045cbe1be12b

SHA256
1fd3365fdb49f26471ce9e348ce54c9bc7b66230118302b32074029d88fb6030

SHA512
bf0aa5b97023e19013d01abd3387d074cdd5b57f98ec4b0241058b39f9255a7bbab296dce8617f3368601a3d751a6a66dc207d8dd3fc1cba9cac5f98e3127f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
144B

MD5
0694d391927fa28efdcec4c7dcb137e5

SHA1
17e2c2339c34640ec0ce0df923aa43446c86a4a0

SHA256
a57ba65200ce646c0895de93db48539e5a0b4368d96c0ef80f68dd8cb1885408

SHA512
5126cdec3c42afe54e1feb43b66da23a8c64f9b70f66a374a63c87347325e7690e07fa878fc82dad9d49e009481692e6328cdffb5407729e6bfdee495027f35c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
399B

MD5
25825d90d1b9ee75a7d57fe258d4e9ac

SHA1
049c359c016e3973f9656acfb730afc97b2c8a47

SHA256
abe59438ea9efc3795399242a90ad5d35b030080e1e0e5fa99cf0ea975608483

SHA512
7c60456d8960d18cfe0a3e35d9b8a2cf5a7ae6a15081362fc81eef4251cb75240f4496216d9458d07fffbdb4158e939da7a0c6954dc17230a70d496f2e3507d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
522711ec04f27855ca6471a7c62b538d

SHA1
25bf2cd5f4b490d3ffcd05e8d0b8edfd78db69e9

SHA256
44752a8346ea11e4430ceac7c9c2814cb6808ae283cb372029e9205b2e1f6943

SHA512
c7c9a8435e35bab1e6fff4b6b5b1442f8b188890c6d5cdaffe42158d0c6a48aaddd1a03a1029aac905ca2a19e1ebadaf88a43bcd7b8c64951edd7b4e6b71827f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1183dbf60353324b8bd9ee20c88dd984

SHA1
74d62462e8f2a5034df7deb1cf251c30f1662069

SHA256
73b87fa955dfa53cdf06664207448448e9520c0c3ad07a3cad0e9c3313cc0823

SHA512
3f2a89f84511e08b498e37b293b183f667f2cfb8b3729e30db570d78a4233ebadfd73a8f35ef575897a7e2d7290b60f50750587c3e11003bb4f91b9b65492626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
54e5108c37f947627936597296a1f608

SHA1
37ccb35a87f7d45673d7483eadcb12515677abab

SHA256
ed6c8ed1b4494b70e98043e7bfd670d65b5a9af68c16ad38478feb70ec769ce1

SHA512
d6e647a4c8be09c30c8e9547dfb37b6e076a833cd8486c89690c473547c09ede7c684ebf80e012b5cc4ac564222ae6208357f8b7cb791a23df45f21aaf8a39ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5f2e2f6125f88fb35d809bbcee2a765e

SHA1
e8100a5857f4104001f1987e9c5160dcbb7781f0

SHA256
9536c024b95a5d1c284f96cae0b4939480c842706c7a48d22f9e6913b8be9c30

SHA512
53fda72de7c794077912b2898507b8734485a7249c65655a58b1d10974b0fef54fa96aea5948661e1d1097ecb1acb5a46d0ab5cd82fa0c1c68651ee515f4fe3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c559668eea80936c4412598ae6201e2d

SHA1
480aaccfe42dd8e6706d4bd5c5c2bd18788d17fc

SHA256
a7dfcc2665fc8abc5f7cba92a315ccb8c2190f8ef9b44b15db68ae2be7968f21

SHA512
87c50e244db7caea9147e503d38df37b862df13861f3a55e1c04c0a1399de22eb53335a6fb436d0ea2570fd13a81062ee52351880bb7371977a7fdad6da5ba05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0bd216de7258c4132a6e70f6230ca766

SHA1
bd354ae2bc69c1a6aa963b21da51fe006ce3a4cc

SHA256
08961865385ed48c72db64d04b7d2c9784bffc3555140a13295ed75c6f74c792

SHA512
5eaea0fd9c2dcd6674acfadc4caa4199a3b8dc19876c6144672326c59eb7e1516d850ebccb8e47db990a3cce6e5185d296c716eb016bd283147970853365fad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a3d11dcc31d5b73a8637fa9aca07ff8a

SHA1
ec4289f2be579fa4c8b39ddbdf3dfd39e1ab4707

SHA256
327f89ddd24fcb7034b36c08a5609eb95f383013c359540fb06e4d421fc7718b

SHA512
fb6576a466255fd5e949d1cb2b217e34c9d8a3aa471dcddc1c95151dedc414f583390f3799409683677338a43bfa7b39bb75c4ebe1e30aa9dc229f94b027c0c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
55231ca95db92c6598fe1649d9767577

SHA1
92819bb053bf9fc4898cf77fceb48fd258f85fa5

SHA256
cd73adbc8e3427fe850ceb2c2bcd8fb66fbd54050dbb15bbcbbd80bcfb035224

SHA512
3683cee1f3652a6acdcedd268f2bee063d80aa93491e892add0510a6c8c04ba2aefcc117e2a6f925ef84f25d0e5d62a31e202f1a83d79c293c9878ad6ce7a580

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 405216.crdownload

Filesize
846KB

MD5
6b94d76a12117b78e386402769b5eb65

SHA1
5430948160b2690b5d28d5d7a7e9a2a89ab5a3d2

SHA256
d7567a32ab4954f51b0a8dfa60a3c20cd65f5881a593c9f57855a7995b3aa17e

SHA512
20f31bd0818a2e27dafd6b0f3d44a22cc5cb8c74f17653bc1b48c1759fecdffeaa0b5025e5a4c09da1969fa2cf6363d76ec54fef4d9693f4ad7392000708a47f

Download Submit
C:\Windows\SysWOW64\WindowsInput.InstallLog

Filesize
597B

MD5
c2291863df7c2d3038ce3c22fa276506

SHA1
7b7d2bc07a6c35523807342c747c9b6a19f3184e

SHA256
14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da

SHA512
00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e854a4636afc652b320e12e50ba4080e

SHA1
8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc

SHA256
94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5

SHA512
30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118

Download Submit
memory/5388-92-0x0000000005810000-0x00000000058A2000-memory.dmp

Filesize
584KB

Download
memory/5388-96-0x0000000005900000-0x0000000005922000-memory.dmp

Filesize
136KB

Download
memory/5388-91-0x0000000005B20000-0x00000000060C4000-memory.dmp

Filesize
5.6MB

Download
memory/5388-90-0x0000000002C40000-0x0000000002C4A000-memory.dmp

Filesize
40KB

Download
memory/5388-97-0x00000000058D0000-0x00000000058DC000-memory.dmp

Filesize
48KB

Download
memory/5388-89-0x00000000008D0000-0x00000000009AA000-memory.dmp

Filesize
872KB

Download
memory/5388-94-0x00000000057F0000-0x00000000057F8000-memory.dmp

Filesize
32KB

Download
memory/5388-93-0x0000000005770000-0x00000000057BC000-memory.dmp

Filesize
304KB

Download
memory/5388-95-0x00000000058B0000-0x00000000058B8000-memory.dmp

Filesize
32KB

Download
memory/5388-168-0x0000000006510000-0x000000000655E000-memory.dmp

Filesize
312KB

Download
memory/5640-143-0x000000001CD60000-0x000000001CDFC000-memory.dmp

Filesize
624KB

Download
memory/5640-142-0x000000001C7F0000-0x000000001CCBE000-memory.dmp

Filesize
4.8MB

Download
memory/5640-111-0x0000000001760000-0x0000000001778000-memory.dmp

Filesize
96KB

Download
memory/5640-112-0x000000001BB70000-0x000000001BB90000-memory.dmp

Filesize
128KB

Download
memory/5640-116-0x000000001BE90000-0x000000001BEB4000-memory.dmp

Filesize
144KB

Download
memory/6036-183-0x0000000006C50000-0x0000000006C5A000-memory.dmp

Filesize
40KB

Download
memory/6036-188-0x0000000007700000-0x0000000007712000-memory.dmp

Filesize
72KB

Download
memory/6036-189-0x0000000007760000-0x000000000779C000-memory.dmp

Filesize
240KB

Download
memory/6036-190-0x00000000077A0000-0x00000000077EC000-memory.dmp

Filesize
304KB

Download
memory/6036-191-0x0000000007920000-0x0000000007A2A000-memory.dmp

Filesize
1.0MB

Download
memory/6036-192-0x00000000087D0000-0x0000000008CFC000-memory.dmp

Filesize
5.2MB

Download
memory/6036-187-0x0000000007C80000-0x0000000008298000-memory.dmp

Filesize
6.1MB

Download
memory/6036-186-0x00000000075F0000-0x0000000007656000-memory.dmp

Filesize
408KB

Download
memory/6036-182-0x0000000005BE0000-0x0000000005BF0000-memory.dmp

Filesize
64KB

Download
memory/6036-256-0x0000000008E00000-0x0000000008F7A000-memory.dmp

Filesize
1.5MB

Download
memory/6036-181-0x00000000063E0000-0x00000000065A2000-memory.dmp

Filesize
1.8MB

Download
memory/6036-275-0x000000000B1E0000-0x000000000B230000-memory.dmp

Filesize
320KB

Download