Analysis
- max time kernel: 226s
- max time network: 264s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/07/2023, 15:36
Static task: static1
Behavioral task: behavioral1
Sample: WinrarKG.exe
Resource: win10v2004-20230703-en
General
- Target: WinrarKG.exe
- Size: 381KB
- MD5: 0d2c7fdaffd974980053fc7ca44a054c
- SHA1: 9b8b9a5d2bdceddea776f519ae026adbf88625a3
- SHA256: 3194849b09575cf8052c8d10e99e264b280b29b57b9415cdd1bfbb6297dfe7af
- SHA512: e8c75907fa14b09266a576c8abfebcc2f3ac0ea4c05a71bb3837b0132973a35370f96c63188e6bc0f22d7160c6682ea2b5a58bcbc411b7607d7ffdac8a944749
- SSDEEP: 6144:AIqmOc0YZtOc0YZtOc0YZN1J4KfrNpx1J4K5rNpk:7Oc0otOc0otOc0ohJfRplJ5Rpk
Malware Config
Signatures
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings | msedge.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1498570331-2313266200-788959944-1000\{A43BE482-F303-4775-8062-9F18C8055D9E} | msedge.exe
- Suspicious behavior: EnumeratesProcesses (17 IoCs; identical rows collapsed with an event count)
  pid | Process | events
  2168 | WinrarKG.exe | 1
  3776 | msedge.exe | 2
  3464 | msedge.exe | 2
  3280 | identity_helper.exe | 2
  4200 | msedge.exe | 2
  3764 | msedge.exe | 2
  4448 | WinrarKG.exe | 2
  1432 | msedge.exe | 4
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs; identical rows collapsed)
  pid | Process | events
  3464 | msedge.exe | 14
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2168 | WinrarKG.exe
  Token: SeDebugPrivilege | 4448 | WinrarKG.exe
- Suspicious use of FindShellTrayWindow (33 IoCs; identical rows collapsed)
  pid | Process | events
  3464 | msedge.exe | 33
- Suspicious use of SendNotifyMessage (24 IoCs; identical rows collapsed)
  pid | Process | events
  3464 | msedge.exe | 24
- Suspicious use of WriteProcessMemory (64 IoCs; every event is a repeat of one of the four parent/child pairs below)
  description | pid | Process | procid_target
  PID 3464 wrote to memory of 1952 | 3464 | msedge.exe | 98
  PID 3464 wrote to memory of 3304 | 3464 | msedge.exe | 101
  PID 3464 wrote to memory of 3776 | 3464 | msedge.exe | 102
  PID 3464 wrote to memory of 1940 | 3464 | msedge.exe | 103
Processes
- C:\Users\Admin\AppData\Local\Temp\WinrarKG.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\WinrarKG.exe"
  PID: 2168
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  PID: 3464
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes of PID 3464:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff8b2a46f8,0x7fff8b2a4708,0x7fff8b2a4718
    PID: 1952
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
    PID: 3304
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
    PID: 3776
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
    PID: 1940
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    PID: 3088
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    PID: 1580
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
    PID: 1968
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
    PID: 4116
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
    PID: 1700
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
    PID: 3280
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
    PID: 1956
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
    PID: 3144
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
    PID: 1400
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
    PID: 4064
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
    PID: 1708
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
    PID: 1468
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4488 /prefetch:8
    PID: 4200
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5372 /prefetch:8
    PID: 1512
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
    PID: 4112
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
    PID: 3864
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
    PID: 4296
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5136 /prefetch:8
    PID: 1748
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2692 /prefetch:8
    PID: 4964
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
    PID: 1892
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6252 /prefetch:8
    PID: 3764
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7543733000289464899,8783484590660481945,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=336 /prefetch:2
    PID: 1432
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4304
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 184
- C:\Users\Admin\Downloads\IDK\WinrarKG.exe
  Command line: "C:\Users\Admin\Downloads\IDK\WinrarKG.exe"
  PID: 4448
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  Child process of PID 4448:
  - C:\Users\Admin\Downloads\IDK\library\winrarkg_cli.exe
    Command line: "C:\Users\Admin\Downloads\IDK\library\winrarkg_cli.exe" Abel "Unlimited Business License"
    PID: 2220
Network
MITRE ATT&CK Enterprise v6
Downloads