3194849b09575cf8052c8d10e99e264b280b29b57b9415cdd1bfbb6297dfe7af

Analysis

max time kernel
226s
max time network
264s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2023, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinrarKG.exe
Size

381KB
MD5

0d2c7fdaffd974980053fc7ca44a054c
SHA1

9b8b9a5d2bdceddea776f519ae026adbf88625a3
SHA256

3194849b09575cf8052c8d10e99e264b280b29b57b9415cdd1bfbb6297dfe7af
SHA512

e8c75907fa14b09266a576c8abfebcc2f3ac0ea4c05a71bb3837b0132973a35370f96c63188e6bc0f22d7160c6682ea2b5a58bcbc411b7607d7ffdac8a944749
SSDEEP

6144:AIqmOc0YZtOc0YZtOc0YZN1J4KfrNpx1J4K5rNpk:7Oc0otOc0otOc0ohJfRplJ5Rpk

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1498570331-2313266200-788959944-1000\{A43BE482-F303-4775-8062-9F18C8055D9E}	msedge.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2168	WinrarKG.exe
3776	msedge.exe
3776	msedge.exe
3464	msedge.exe
3464	msedge.exe
3280	identity_helper.exe
3280	identity_helper.exe
4200	msedge.exe
4200	msedge.exe
3764	msedge.exe
3764	msedge.exe
4448	WinrarKG.exe
4448	WinrarKG.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	WinrarKG.exe
Token: SeDebugPrivilege	4448	WinrarKG.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 1952	3464	msedge.exe	98
PID 3464 wrote to memory of 1952	3464	msedge.exe	98
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3304	3464	msedge.exe	101
PID 3464 wrote to memory of 3776	3464	msedge.exe	102
PID 3464 wrote to memory of 3776	3464	msedge.exe	102
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103
PID 3464 wrote to memory of 1940	3464	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\WinrarKG.exe
"C:\Users\Admin\AppData\Local\Temp\WinrarKG.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff8b2a46f8,0x7fff8b2a4708,0x7fff8b2a4718
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4488 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6252 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=336 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4304

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:184

C:\Users\Admin\Downloads\IDK\WinrarKG.exe
"C:\Users\Admin\Downloads\IDK\WinrarKG.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4448
- C:\Users\Admin\Downloads\IDK\library\winrarkg_cli.exe
  "C:\Users\Admin\Downloads\IDK\library\winrarkg_cli.exe" Abel "Unlimited Business License"
  2⤵
  PID:2220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WinrarKG.exe.log

Filesize
4KB

MD5
f89359ddbce523373ec63acde6384f81

SHA1
ef1123ab114037e475a3a8279a8ef4d99b1e1745

SHA256
dc4f4c97b11cffb0f0c46f51b340a1cf68f1a8cf1419c41e1121ce4f67f8e542

SHA512
659be7499a63bb4c50640bcdc1c9b76860d4a7b3e83a132132bed87e866eb882b1526b96dc8417673edefb62b6e0201af853de2acae8c2bd9584807cdf7ec9f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8411007bafe7b1182af1ad3a1809b4f8

SHA1
4a78ee0762aadd53accae8bb211b8b18dc602070

SHA256
1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3

SHA512
909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
695KB

MD5
35f95253f2dd56851172ba0f23dbb8cf

SHA1
797e0e0a17803d49fc619581740eaf26951143e3

SHA256
7d4ab095542d7fc75211ab8d513608f3670a6911d8021b8331df620b5f281041

SHA512
4885ed7f3858d1a5ea47719ebf35e3cbb5c77df01cc0f5d9f1bdcbc79cc3993dabdb515a9f0d493ce4813db9eae1dedd178e63b1ae6f838d5544713c5492ad4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6792f5e6a59ef00928c2f5d93fdf8147

SHA1
39f4c974d662a85736d7a08857b8ab9f7505283f

SHA256
1a8256b61f003531d9399a37175bbd1dc93d79045cd0220e86e4b9f85bc5435b

SHA512
bd07dd239f21618175bc5f72f522c4ad0fda75e2a437390fbe5862a8ce185cba5702d598af8c68bc0dcf4d328be68abf891b8477007dd36eb6d99acc8054d7e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ef1e12cdf40770079ff77e625dd934d3

SHA1
1d1f48f73137214d4a6c9e335998c94138500c4d

SHA256
d27c37cccb20beb9255e0f6867ece4008ffc06de31c4927a20c76c7abfbab4e2

SHA512
0a57c6116ac983f44fcce802d582aa3928a276791ded3a7a841a786e3b19fb881116108f10ae536064659eeae3719192315c8a4507c1a678fd2022aec418dbef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
67fdb703cd36e522133f5dae321bcd22

SHA1
1fc5f3d96c34d425351f7feaf3cafdf77063cb30

SHA256
f0f8be32e4b8f9c6c03d537c55213438bb8cd2252ba96737b3dcfe49a0be0abd

SHA512
90cca5578e20e4c3738daedd832836285a65edd92a886f6e7af2a27893858fc98b89749bbfde68c75877c708e5321239533f37092fcf7bb7a6fdea0f6a19a067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8e53fb9cc99b26f9b3e7747fabf72157

SHA1
3697ce67f696474f515bc887513a6d192daebef2

SHA256
8bdfdb80cccc8d9350c8e923856af919962a8468c260b1b0055def2dea81fdb4

SHA512
af685cdc2be96f29ce0e4680a5690f459285f57afaab83432818989381712ed7158945855367a57fee7deacfe4aeab27a08f9f0001ace668b8b20650429a399e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a24cadfafebe4513fc106b1a05a3ebba

SHA1
1cd7e6b4be38de49ba817328dc561404185bb745

SHA256
fe12370e288b899345935f0e01e3ef054cfbb5673b32939715701cdfbb546390

SHA512
8c6dce7f79ea6ea3339d7d88b5911c2cb17acd2cec95a6901ab69269e3acc8297990a699faecd2596ded6d5826bf597a4112e5401b358e98b0ebab064a979115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
42055c50d2d86e98064baa36bd44dc86

SHA1
2c4d1d598342ed8d65ff3f11b78c86f8bfcb1604

SHA256
a8ea662e047148cd6a032e444f0790d0312cb0697f991d20ce2f2c9c38fd7403

SHA512
86257ee4f2f29062a38bcb49c1907309b0e9f17aeb8d5411f6863c0475a57363764705f7979e16a4103d142144e0ad23c57891c1bb8053cbc1eaf915f295ba8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8caf4d73cc5a7d5e3fb3f9f1a9d4a0cc

SHA1
83f8586805286b716c70ddd14a2b7ec6a4d9d0fe

SHA256
0e0c905b688340512e84db6cf8af6dbdfe29195fefde15bd02e4917a2c5fda8c

SHA512
084ef25ea21ee1083735c61b758281ba84b607e42d0186c35c3700b24a176ada47bf2e76ed7dadd3846f2b458c977e83835ced01cda47cdd7ab2d00e5a1a294e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fde6db735fea16f7ab21c0a2118284ba

SHA1
fa8c93d8c847cce66ac896b5985899172f9665ea

SHA256
2fd3bf28527a0a26cd52d1470f22d49fe49b1a4d22f5cfc7700aa8280ebefd1e

SHA512
f97eab60b3d2bbac6fae1ff36139293e58ffebccc9ff8bc57294cb12414cb064cd473c7b421dd41beb9c2d182cc00db34aa7e1ff5acd9fc811db4999ec19e59a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2474f075e3e0de0f20e58651a8be1b5a

SHA1
5cc56a768fd8189fead5015a5a7c73a3e6536b1e

SHA256
be75ddb2444219f83687caf948f41e929a5b0b052e121ab36f3c64e89db4e146

SHA512
a8cc4758550aa5f06546dcad2b0077908f1dcc2a11f253ab226d4dc61f36ab8a427b64648eb5f386bfb54bc79f14947e90dbedf0fac8dd28881109bc69418e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
023ae59076b72b5ac1bbe278491b596e

SHA1
f0f2514f330ecedf8dc0883064111feabfb4ae15

SHA256
b8a95eae801dc4a3d8cdcd4a60267c28d23f86b5af5e0635f7d023db5723027c

SHA512
6cbe79140653f0feca3997c0b853e23f4f6ad0dfe439c36457db636893eb86e6b1e090c9f9d03a810f1ed9a1aaca03db51f4cb48a7f131304ef4f6a8ffd5bb44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cff9c632a906cd2b4c507516aeffae0b

SHA1
8203a2b3be2ceb654d19d892bb6b7587360ff6d0

SHA256
8e5ce751d92f85698aab1915cd97d50df9ad166d4f586d890e517d6d51102029

SHA512
e5bcc236b95f85c0491cd448a6fe4a662660f399535219e995ca2ebe2a1e79eebe180ec74837b78078316895b7835d1b8745aefc19dbb15ddefeead697186032

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59354f.TMP

Filesize
871B

MD5
ffe1b25d02c4937cc76989aa4dc8370b

SHA1
5e2276688b1cdd48912f757cc0d995360131a3db

SHA256
a85f0b25aa917974670b22e32aeb88db61fde15ec9d3b681dccbb166c0cfbe8a

SHA512
9fdda0c42db782042394d9c4ec1e499618f678ba9eddbe0ef24c359b537fc1d087ca64dcd812f809de80c510f362f0ee07447e7777a0cb5d30d5325e845a16c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c88eb938-5c6a-4829-9b9e-b92f637ac410.tmp

Filesize
950B

MD5
224a6f0a8a65edca904901583de0d47e

SHA1
98035776affa28233c38efd81a62b734bde876b1

SHA256
6c41749ae3472333ddd7d736db46166eca136dc5949f2a0358a41f1631668899

SHA512
3a4281ec2aa72fa7ebeed11f1404fa115f6dbf26e38a647a201326a4de12e3a343f11f647f9aadb22d38b8cb7296cade3076cb361d9d9bba2316f571b9ee7a11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
71ce4ed4c5bf7be5dde233e66b618719

SHA1
f91b25ef4afd35ee913006f7e9c0c0a9cd78bc49

SHA256
20e90a178a36535390276a19640d62074e8027451582f062d03578a77c0161de

SHA512
56cfca35ae39ba8c2fcb000faab412367a185633fa2d9de50fc2dd223b92f43d55ae556e5a442fd6c86de61c9b9cc5dbe483977d788c9652971e06af1161be06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
15f24bc800e30be80e0a650729622128

SHA1
6245445dbdcba1da0730556e5e9612be52da322a

SHA256
5031009fe583fa4346e5733374a3d2db5f5b7c0019233f7198f740c172d4c830

SHA512
d207a5c1d59f24de5a8c8f2e294b237ba5a9edda638b1ceab7b89a5a7d2a576f1fe153ee8935211281ab088626c8b25abf4346ae9ae28120dae21760d9646309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e213c34bb9e52a28550af937161bb064

SHA1
ddbca9d7083142ea595b7a6676e095d9fb4bb456

SHA256
c735a62b6407f805da6bd0ec55073146429b245fcaf3e502e55b0328010d5eb8

SHA512
ac40632d2facf2cf17531b6ef8b83aa381ec852f4310ce2caefa844290a7ccd7037684f130c40131bf1416c83b2f754223e75b4927568820966c9fcd12b46907

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_og3mrtjc.hgk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\winrarkg-v1.0.0.0-win-x86-x64.zip

Filesize
353KB

MD5
8cd6176a9986cf22f420dd1235d466ea

SHA1
330c0eab77ce63146e1106506ee0eb312314ace4

SHA256
c7ce2907de4273bc9ebdc0d9dd678d3881aaa154b9cb9c3d601f5515face0f17

SHA512
eae616c61a15cf1a34c350ced96a34b39e47cf99ff83cfbd392d5e23de2ba34ba52d1fc07515dd8115cd565ef3e914229433e6ec6557179b571d399335811a7a

Download Submit
memory/2168-136-0x000001A76F540000-0x000001A76F550000-memory.dmp

Filesize
64KB

Download
memory/2168-149-0x000001A76F540000-0x000001A76F550000-memory.dmp

Filesize
64KB

Download
memory/2168-147-0x000001A7708F0000-0x000001A770912000-memory.dmp

Filesize
136KB

Download
memory/2168-148-0x000001A76F540000-0x000001A76F550000-memory.dmp

Filesize
64KB

Download
memory/2168-135-0x000001A76F540000-0x000001A76F550000-memory.dmp

Filesize
64KB

Download
memory/2168-133-0x000001A754F40000-0x000001A754FA4000-memory.dmp

Filesize
400KB

Download
memory/2168-134-0x000001A76F540000-0x000001A76F550000-memory.dmp

Filesize
64KB

Download
memory/2168-137-0x000001A76F540000-0x000001A76F550000-memory.dmp

Filesize
64KB

Download
memory/4448-709-0x000001DDCA370000-0x000001DDCA380000-memory.dmp

Filesize
64KB

Download
memory/4448-711-0x000001DDCA370000-0x000001DDCA380000-memory.dmp

Filesize
64KB

Download
memory/4448-712-0x000001DDCA370000-0x000001DDCA380000-memory.dmp

Filesize
64KB

Download
memory/4448-722-0x000001DDCA370000-0x000001DDCA380000-memory.dmp

Filesize
64KB

Download
memory/4448-725-0x000001DDCA370000-0x000001DDCA380000-memory.dmp

Filesize
64KB

Download
memory/4448-710-0x000001DDCA370000-0x000001DDCA380000-memory.dmp

Filesize
64KB

Download