orcus | hxxps://gofile[.]io/d/4eXwAf

Analysis

max time kernel
56s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2025, 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/4eXwAf

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

147.185.221.26

details-congratulations.gl.at.ply.gg

Mutex

43c9345046644ae5b9b3f615c94f46e9

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
03/06/2025 19:52:41
plugins
AgUFyfihswTdIPqEArukcmEdSF06Hw9CAFMAbwBEACAAUAByAG8AdABlAGMAdABpAG8AbgAHAzEALgAwAEEgYQBmADYAMgA3AGUAYgA5ADEAOAA5ADAANAA4ADIANAA5AGEANABjADkAZgBkADUAOABlAGYAYwBiADAAZgA0AAEFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIGIAOABiAGMAOABiADEANgA0ADMAYwA3ADQAMQA3ADkAOAA0ADUANQBmADIAMgAwAGEAZgBjAGUAZQA3ADQAZQABAAAEBA==
reconnect_delay
10000
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Downloads MZ/PE file 1 IoCs

flow	pid	Process
52	3468	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	NotAVirusSir!.exe

Executes dropped EXE 6 IoCs

pid	Process
1692	NotAVirusSir!.exe
4424	WindowsInput.exe
1508	AudioDriver.exe
4452	NotAVirusSir!.exe
1692	NotAVirusSir!.exe
5220	NotAVirusSir!.exe

Loads dropped DLL 1 IoCs

pid	Process
1508	AudioDriver.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	api.gofile.io
20	api.gofile.io

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsInput.InstallLog	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	NotAVirusSir!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioDriver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotAVirusSir!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotAVirusSir!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotAVirusSir!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotAVirusSir!.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 17723.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 402448.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe\:SmartScreen:$DATA	NotAVirusSir!.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3468	msedge.exe
3468	msedge.exe
4456	msedge.exe
4456	msedge.exe
4344	identity_helper.exe
4344	identity_helper.exe
4024	msedge.exe
4024	msedge.exe
1508	AudioDriver.exe
1508	AudioDriver.exe
1508	AudioDriver.exe
1508	AudioDriver.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	AudioDriver.exe
Token: 33	3376	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3376	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
1508	AudioDriver.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
1508	AudioDriver.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 208	4456	msedge.exe	87
PID 4456 wrote to memory of 208	4456	msedge.exe	87
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3472	4456	msedge.exe	88
PID 4456 wrote to memory of 3468	4456	msedge.exe	89
PID 4456 wrote to memory of 3468	4456	msedge.exe	89
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90
PID 4456 wrote to memory of 1140	4456	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/4eXwAf
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec4ab46f8,0x7ffec4ab4708,0x7ffec4ab4718
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3952 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:2660
- C:\Users\Admin\Downloads\NotAVirusSir!.exe
  "C:\Users\Admin\Downloads\NotAVirusSir!.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:1692
- - C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe" --install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4424
- - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1508
- C:\Users\Admin\Downloads\NotAVirusSir!.exe
  "C:\Users\Admin\Downloads\NotAVirusSir!.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4452
- C:\Users\Admin\Downloads\NotAVirusSir!.exe
  "C:\Users\Admin\Downloads\NotAVirusSir!.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1692
- C:\Users\Admin\Downloads\NotAVirusSir!.exe
  "C:\Users\Admin\Downloads\NotAVirusSir!.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
  2⤵
  PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13963840830024894873,3818740353023579893,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:3852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4060

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3dc 0x48c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NotAVirusSir!.exe.log

Filesize
901B

MD5
7f91bcd7a2f1e29dc5281b201b6a03b1

SHA1
05018aa4b8d6c09acf5418848929a467ea1f36c9

SHA256
11293c7c93b774cd92051d97757c25b0cc3ba8ad2d65137cc23ade778d580e86

SHA512
bacc2b1f9a48287f5aa1805edf13b9c62c05dbad7d83a12007e3d9755ae21923eaed2e942468b01881206ca5e2f16c74b0a9dcf82926ef1df0224eaf7c512c11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56361f50f0ee63ef0ea7c91d0c8b847a

SHA1
35227c31259df7a652efb6486b2251c4ee4b43fc

SHA256
7660beecfee70d695225795558f521c3fb2b01571c224b373d202760b02055c0

SHA512
94582035220d2a78dfea9dd3377bec3f4a1a1c82255b3b74f4e313f56eb2f7b089e36af9fceea9aa83b7c81432622c3c7f900008a1bdb6b1cd12c4073ae4b8a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0621e31d12b6e16ab28de3e74462a4ce

SHA1
0af6f056aff6edbbc961676656d8045cbe1be12b

SHA256
1fd3365fdb49f26471ce9e348ce54c9bc7b66230118302b32074029d88fb6030

SHA512
bf0aa5b97023e19013d01abd3387d074cdd5b57f98ec4b0241058b39f9255a7bbab296dce8617f3368601a3d751a6a66dc207d8dd3fc1cba9cac5f98e3127f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
eafdc5a680e55bdb403bad9ba6cb6581

SHA1
86d2135128073164d73976a37d832777d59f2edb

SHA256
55d8c9dae996a4ec4e06d32f4c8b62b007eca7a74fa02df988b8e41499f7ebea

SHA512
dfd9750bfbe58c235b74ac2de1d6ed103dbdfc6df1aadea5b2cc01c8dd67c43f6c1c18b199ab7d12d940c9a066a59ccd718bb7b340d0d68fd3407c285011d0e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d1f4865725f21ce17b6b13ffaa92f4a4

SHA1
e2fc5c967ca905c24b3e66e965da652a37173f82

SHA256
6baacede60f3e702b08805d7f52eede7ac2a28f30f5dd48ee73a185bebf952fa

SHA512
716de23abe8fc2a5ad79c585d3f6705292566b3fa0d1fafb7b720e56d09be9fcff8aeda4e377dc4a0564c9651dc990d624d663d4f0098fadaed5acf8c5b868a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bfef35fd86c89dcf3374b44db13dc4ed

SHA1
fa41059f3237bed41c14c67a58a201d75f4de263

SHA256
10567feb5babb5e66d759fe5892aae5b604ed1ab54fbc633208888f7836627b3

SHA512
f5bcf19b6fc3d8025b38b4a947f8a982b75e94ac48bad97982c0bdb419d1851130156b067a5b0d8da702018e29eab2c5285de421a077baa02c6820d8318d95ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
65f577976cdbc432d49a98c07497de73

SHA1
746ede4ce164b0d2c7d161d778be3652c6c86391

SHA256
d28647029a6cc35bcdbe057650938810a939d2e2fdef0ddd9756f0ba405f6fea

SHA512
6d8b87f383a7f09348ea6b6e0de26c0ddda0aef388efd3ddffeb0383c505447acdca207b7fad7d5119e7a846bb87428a600465787608494d5c0a2c647b000e85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b54ba80255bbf28f6fe174e58b4c2d56

SHA1
296745f10afa5f9805be8a9f10282d310370d41a

SHA256
84442ed7aa7299226e14884b229857ca2533cf653b7a29fdb462254135b8d045

SHA512
52e9987329b5d816de55f496ea2f8a01eb79ff1ff7665a5c04353ae785dfdde9337d5e671bbb6fd9e016acac1801e20b59f85939ef54a7ccf8e0d36e0bc12e2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
99d9873da89c071d3c770cf6acca77af

SHA1
174a3e42adc321438ec29bf7e587df6fba899b71

SHA256
724660d5bbbad9b5c31eb2948647c1d8b2d094bb60e44aaa7322d758af7c5045

SHA512
5894c87b18d30909b50389a8d2f30025849a3ebc81bff7fa2c4e1893c2582aa59fa1dabb8c1040e5c2571062e3ff8be195f2d4765f62a32ae92c2ab7a3180b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\opus.dll

Filesize
332KB

MD5
1fc04b8bb4896745163df806695ee193

SHA1
39174ce2fca9a3e86bb7a5686037bc42f2572de1

SHA256
3f2b2fd440fdd84288dadfc63e37a4bc7ea0aae26889ab0d4a5ef6148f44ce14

SHA512
3ff18bdd364f27e54ffbf2d1af53e3500ec57e7e8fa14185f7fb1ef6639d69ac6253543b9e2155ade45ca5bcd567e94334f1ee7ad0a7ff28194168dc49883261

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 17723.crdownload

Filesize
846KB

MD5
6b94d76a12117b78e386402769b5eb65

SHA1
5430948160b2690b5d28d5d7a7e9a2a89ab5a3d2

SHA256
d7567a32ab4954f51b0a8dfa60a3c20cd65f5881a593c9f57855a7995b3aa17e

SHA512
20f31bd0818a2e27dafd6b0f3d44a22cc5cb8c74f17653bc1b48c1759fecdffeaa0b5025e5a4c09da1969fa2cf6363d76ec54fef4d9693f4ad7392000708a47f

Download Submit
C:\Windows\SysWOW64\WindowsInput.InstallLog

Filesize
224B

MD5
e469dda91ae810a1f94c96060f3f8a65

SHA1
0b4b3b0f6f937016b1e045ce5313ee2a65a38630

SHA256
d42fee8db8eb0e047ca53ad59b1c9bc69fe04993be36fec502e3532371908842

SHA512
2eb4037361c03e195c642a53f55a3182a6df19903db503060e366f2394750e64ae04fdaace61ef5a6dba649defc88322d78edd2928bc53ebd1ce11d68cc88dac

Download Submit
C:\Windows\SysWOW64\WindowsInput.InstallLog

Filesize
597B

MD5
c2291863df7c2d3038ce3c22fa276506

SHA1
7b7d2bc07a6c35523807342c747c9b6a19f3184e

SHA256
14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da

SHA512
00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e854a4636afc652b320e12e50ba4080e

SHA1
8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc

SHA256
94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5

SHA512
30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118

Download Submit
memory/1508-230-0x00000000095D0000-0x000000000962E000-memory.dmp

Filesize
376KB

Download
memory/1508-206-0x00000000067F0000-0x00000000068FA000-memory.dmp

Filesize
1.0MB

Download
memory/1508-205-0x0000000006680000-0x00000000066CC000-memory.dmp

Filesize
304KB

Download
memory/1508-204-0x0000000006640000-0x000000000667C000-memory.dmp

Filesize
240KB

Download
memory/1508-207-0x0000000007730000-0x0000000007C5C000-memory.dmp

Filesize
5.2MB

Download
memory/1508-202-0x00000000065E0000-0x00000000065F2000-memory.dmp

Filesize
72KB

Download
memory/1508-201-0x0000000006BE0000-0x00000000071F8000-memory.dmp

Filesize
6.1MB

Download
memory/1508-200-0x0000000006550000-0x00000000065B6000-memory.dmp

Filesize
408KB

Download
memory/1508-219-0x0000000007C60000-0x0000000007DDA000-memory.dmp

Filesize
1.5MB

Download
memory/1508-194-0x00000000058E0000-0x0000000005AA2000-memory.dmp

Filesize
1.8MB

Download
memory/1508-197-0x0000000006140000-0x000000000614A000-memory.dmp

Filesize
40KB

Download
memory/1508-236-0x000000000A270000-0x000000000A2F4000-memory.dmp

Filesize
528KB

Download
memory/1508-195-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/1692-129-0x0000000000540000-0x000000000061A000-memory.dmp

Filesize
872KB

Download
memory/1692-134-0x0000000005320000-0x0000000005328000-memory.dmp

Filesize
32KB

Download
memory/1692-130-0x0000000001020000-0x000000000102A000-memory.dmp

Filesize
40KB

Download
memory/1692-131-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download
memory/1692-132-0x00000000053A0000-0x0000000005432000-memory.dmp

Filesize
584KB

Download
memory/1692-133-0x0000000004F90000-0x0000000004FDC000-memory.dmp

Filesize
304KB

Download
memory/1692-182-0x0000000006170000-0x00000000061BE000-memory.dmp

Filesize
312KB

Download
memory/1692-137-0x0000000005360000-0x000000000536C000-memory.dmp

Filesize
48KB

Download
memory/1692-136-0x0000000005440000-0x0000000005462000-memory.dmp

Filesize
136KB

Download
memory/1692-135-0x0000000005340000-0x0000000005348000-memory.dmp

Filesize
32KB

Download
memory/4424-149-0x00000000016B0000-0x00000000016C8000-memory.dmp

Filesize
96KB

Download
memory/4424-150-0x00000000016F0000-0x0000000001710000-memory.dmp

Filesize
128KB

Download
memory/4424-153-0x000000001BFE0000-0x000000001C004000-memory.dmp

Filesize
144KB

Download
memory/4424-161-0x000000001CA40000-0x000000001CF0E000-memory.dmp

Filesize
4.8MB

Download
memory/4424-162-0x000000001CFB0000-0x000000001D04C000-memory.dmp

Filesize
624KB

Download