hxxps://rapeair[.]com/shall/Resolve/?email=oadmin@bpd[.]treas[.]gov

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2023, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://rapeair.com/shall/Resolve/[email protected]

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3340	msedge.exe
3340	msedge.exe
3440	msedge.exe
3440	msedge.exe
2088	identity_helper.exe
2088	identity_helper.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 652	3440	msedge.exe	83
PID 3440 wrote to memory of 652	3440	msedge.exe	83
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 2472	3440	msedge.exe	87
PID 3440 wrote to memory of 3340	3440	msedge.exe	86
PID 3440 wrote to memory of 3340	3440	msedge.exe	86
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88
PID 3440 wrote to memory of 4404	3440	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rapeair.com/shall/Resolve/[email protected]
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd32f646f8,0x7ffd32f64708,0x7ffd32f64718
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,16941243054314521956,3373825447953458821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16941243054314521956,3373825447953458821,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,16941243054314521956,3373825447953458821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16941243054314521956,3373825447953458821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16941243054314521956,3373825447953458821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16941243054314521956,3373825447953458821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16941243054314521956,3373825447953458821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16941243054314521956,3373825447953458821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16941243054314521956,3373825447953458821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,16941243054314521956,3373825447953458821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,16941243054314521956,3373825447953458821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16941243054314521956,3373825447953458821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16941243054314521956,3373825447953458821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16941243054314521956,3373825447953458821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16941243054314521956,3373825447953458821,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2620 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
70e2e6954b953053c0c4f3b6e6ad9330

SHA1
cb61ba67b3bffa1d833bb85cc9547669ec46f62f

SHA256
f6e770a3b88ad3fda592419b6c00553bdadc50d5fb466ef872271389977f2ab4

SHA512
eeacb0e62f68f56285f7605963ca9bb82f542d4e2ccc323266c08c9990cecdebd574e1ab304ae08ea8c6c94c50683180f83562f972e92799ebbcfcd8f503fb5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
d1af7cce7e8c19a68898fc9e90b0e483

SHA1
f4a358ca84bab21e8421acf0197933a599a55cdf

SHA256
4dbdb96ad318fb99f92c289aecdb086b24a6d526a64a4c9d4688ab11e87b4db4

SHA512
ad8f3a3bf147e82161bc1e2e72e74d0886125a6920e68fd1528d66cb6cdb80d4e56ed7b2919991c030a390ecdf7ec74a36b7dd550ce84e98512fcb3a0fe6cd9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
726B

MD5
c2230b913da222610ca4a6d6fcedf286

SHA1
b4f530a519fe3c494df73fadd2b657e9a262ccb1

SHA256
0f2e03d8c9b26677e817d8e527e74e5e11d00163c05f4da2986829eb6c4406d1

SHA512
8672667e9f6132a3c534fe52b153d84ceba06dff60716c38e0ec100d23234c31f5792c458e59a779cdee6168db959db4b396c8372e55db170c6f77b1126a482f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
66995424016ec59ac637ebb8c7723e73

SHA1
70ca10170d453ebe01ec87c35d9c0325c3a92bde

SHA256
59565ef3492069a3a669634f0a3738b3147324bbcd71d6db8536a4a0232a4a5c

SHA512
3dcec40f5b5ed0e9a61fc3a8b5492e0bc7483536ef4cf47f656a87293721562fcf84413202004c29643c698318411f912c1766f29f9e2521c8e1d83b0e504b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e24044ad4dccae865667b679fe89f150

SHA1
e5067315b04ab315cc74bb34d46d1c7be8153a03

SHA256
087b80a0a03caf38fca407852ed14334ccf60863a2316d6df727b0241ca7e7ab

SHA512
170e3c30fb6564fc65560ca46438ea40b6022ef1a7cc3b7a156dbb6a4f74c0e8657bac353a1b17b45faca784691c840e30d970c7345b0e0dc9fcc19541b6c2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5a478f1e08816969e8214f982850b754

SHA1
1cf5e7192f3c6e31c7e27b6cb34ebf89036eec0c

SHA256
665cf5612c61412c9acc928b1e155c8f11ae83905ce614d9a1a7ad72cc0fd489

SHA512
7e7ff60c157841f6f5bb206ebbce29f6df3a6c0c671805415ad7226654e13da49ad76e39a6d0afe28992348f3b5685ecacbfb44178fd61998c54caebbfd97832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ae875bf42ede3513ae6daf35e726b92a

SHA1
8163857ae5eeb2103ab5d3327bfbb3b3afa75191

SHA256
7bba7d17b5f6a513b09d3778e26be1ff07a07e4eda704029d0d94b48e89f2994

SHA512
fb6935ee9f7910881ebffca0b84f9aa67db4e9cb0b9f007ea35daa767332ba0051214b1220640f6578a1b77ab907b5a0fdcfa279d58485c5fe3601d031bdbc70

Download Submit