a9124d09971894cb953dfc35d0e7c88619a002beace27199ee44b6148b007e05

Resubmissions

01/02/2024, 03:58

240201-ejrm5sagd3 8

01/02/2024, 03:29

01/02/2024, 02:53

01/02/2024, 02:34

01/02/2024, 02:29

01/02/2024, 01:53

01/02/2024, 01:50

Analysis

max time kernel
147s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
01/02/2024, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ripcord.exe
Size

5.1MB
MD5

d0a33e1edcfbdacf2fb59d7a74e6f6c3
SHA1

02f49cd2bad65f06c0b670dedfec00a8cbacfe65
SHA256

a9124d09971894cb953dfc35d0e7c88619a002beace27199ee44b6148b007e05
SHA512

c84c5ed0f463a7d74e60ed323610d8e822d4a10ded60b6d837b1d6b42e0aba1b7345d464daef14d8405f1749c94c1bc95745d2bf39f5941647eca228149f6e33
SSDEEP

49152:HfSMhaKQ8jCKeOEI3sPn82Du1HEyMBGX7+rVRxKJYv7ut1mQlihnIcRAaZG7ikN2:3FcgSZQXZwQ3VYrhD9EM7EwiARZ

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1276	Virus Maker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1184116928-951304463-2249875399-1000\{E9A154CD-480D-4652-9EAA-70933FE38F92}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2188	msedge.exe
2188	msedge.exe
1808	msedge.exe
1808	msedge.exe
1272	identity_helper.exe
1272	identity_helper.exe
1636	msedge.exe
1636	msedge.exe
2288	msedge.exe
2288	msedge.exe
976	msedge.exe
976	msedge.exe
1260	msedge.exe
1260	msedge.exe
1260	msedge.exe
1260	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1444	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1444	7zFM.exe
Token: 35	1444	7zFM.exe
Token: SeSecurityPrivilege	1444	7zFM.exe
Token: SeDebugPrivilege	1276	Virus Maker.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1444	7zFM.exe
1444	7zFM.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4092	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2348	1808	msedge.exe	84
PID 1808 wrote to memory of 2348	1808	msedge.exe	84
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 3400	1808	msedge.exe	87
PID 1808 wrote to memory of 2188	1808	msedge.exe	85
PID 1808 wrote to memory of 2188	1808	msedge.exe	85
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86
PID 1808 wrote to memory of 1732	1808	msedge.exe	86

C:\Users\Admin\AppData\Local\Temp\Ripcord.exe
"C:\Users\Admin\AppData\Local\Temp\Ripcord.exe"
1⤵
PID:1636

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda63f3cb8,0x7ffda63f3cc8,0x7ffda63f3cd8
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Virus Maker.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\7zO4A558E98\Virus Maker.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO4A558E98\Virus Maker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,7060631544056681988,3295802924266047783,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2308 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dbe72a1f5827efc08f70d06ef815d46

SHA1
6aacd61519fce53ecb92e5e61207a6c29c01f47b

SHA256
dd673404dd6deb2d2b331316370fd05e47c01b9dc489640f05b50898d536a6e3

SHA512
2e6115ca818df5f5b7985caf3ce2324e266b376f6180f84b44e9ae725e037a8456c2cd63e22b9750e2ba27f4c7460dfa429ce9910517a728b056e5f1e730e25a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
88a552e6be1ac3978c49143983276b3a

SHA1
dbf4f4dc62a3da564b1a87b5191dc9a72a9b9423

SHA256
927121d8118a41fa3460b9ad84daeae59ea60dc9607e462b7e1341bea60da8d5

SHA512
125b13be3d209ff5cc12d8f9f12d01d271cd50c2800059241ebb419167c21adfa9d979ff6b8d88052f5d302e98090b7c8ceff4894b397168d8ba6d8a6204fb9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
27KB

MD5
04fccbe6021d7201a04b4d59695fb874

SHA1
e3a40b620ac77c3b6fee99e07fa70d3d699a0c2a

SHA256
d677a9a18d34b1a35b9ed1a12d4e421a28e28e25f1343703307774824f95a84f

SHA512
f0fca5a0f86fbef378e173ba0edf94b61f879e90fe2d29b461adc42ca9891e8de84ae6b7f8b37aea749b76b5d84fb0922f6ea426bfa9a8cf404527306f144024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.1MB

MD5
fdc479da91ca92fb15ce23b847171962

SHA1
e096d0f96fd8806069af0a22110d44a4cd21421f

SHA256
7f790aacd2c2c295d6c7cf4177233bd90c07d951dba3f68e42c05c566209593c

SHA512
c50be621c38991a09a629f8a7c4a8c3a9c8947cf71b6dcd5a99fcbe16ed66b0d433d208120d0dd235d344bb4d70310576bbbdc012cfdac30f62c904e3418c230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
37d51652214f1cecba98247ec24ea545

SHA1
8e763db0bd5ba0aae065e73c80869160b4b8d390

SHA256
8491f5c90dcf56a2be4437da2d9fc6e33cdef0de036c87dbd7df4320df03b079

SHA512
6f06da573007814f654547237b5e776878e028e2c1f49c9a5f65232a888f1be706661e71086fe472160473884b47e41b88b7a97e24cf87f8191e4466458dde51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
473B

MD5
56122ebd27ca2c810b5b1e1dee28d541

SHA1
22f5c6b20af237a2027f3339c0fa3b70829d0387

SHA256
4db35471ba59fd9394c2fd9230b4b2d766eaf2a60e31c1c7121b4793f3e48e2b

SHA512
35674f3f597cd53939de4046b33d55321254ee3004700beec27a021d9ea839a0170231e991ae757671e0111b9be97c81361a616e54a2756f9aad26df6ae9a3be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
c78cef6c70d428779c3a7da7e9f58b59

SHA1
18dee9c203ad871d4e9d0a348affc607239f37d5

SHA256
8345a92d22ee4b50fc0f5479c8657f9571f2a2cc91073fdc3f73f47e2916b5d6

SHA512
706a2cebb403e3634f79e936b5bd7c9481660648f501c3e2497eb2f0455f3a0396940465b00b61c25a4a166f6c3913acc35e42905ece586fe02383f755196670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d83c061cb1df9d06cbb10a3b9c8e4a83

SHA1
ec4488b9c3f6ecfa841c5d254f9bd9180bfbdc6a

SHA256
af1022e1112f5cf66297ab4c21978a1898a752d0c0098634cbeba5edd5d9bf6e

SHA512
690c03761063ca66d108636e00492cf6e96dcf7e1d0ab9a50f1de24850793fc8be0a912d67fb5ba42591d3817004a2d5725f4b338ab206885a4ea0e5305cf094

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3ab186467b7f7a490afb5b122387cba7

SHA1
457e49a4ba52c8e4dba2a1c6ca69fa9be3b48d19

SHA256
abfeec3e12b9e8d748e9761b27ff06dbc65f871ff3f4f57352792afb6e50d940

SHA512
8a485fc8e738b93aa0f608df4b4e426ddd7029f699f71c4e22113537c727ace1c8894255ef1ea7fed8c075a148a5227ec6d9a3abf268aa4dbb96eedd8190c385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
be9c27756b99f11b7d7efca45f101c64

SHA1
7bf596f1d7b6149d94c37af62e2aa2d4625d2b8f

SHA256
72085b0335e5f20c5d95279f5de73bf8523ab4024d4e1de1a5b6ed21616ef324

SHA512
950508794c2b3dba20707f48fe7dfbf5a655f1883993994784ac452bed119d865e9a1e65f1a907c66ceb1b089912ca0a698808afda27841e27da286aad2d0611

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d5fad8a024845818ca467a08df37bc0f

SHA1
de741554d14af805e9b52fc862a6ff9aa7a2ef24

SHA256
531d059e3fd5e52f92d94bc70d35d214baaca1dc1ec2d1076f1e5b1f53ec0ed8

SHA512
f477c01be5d37a75134e2484dd4daca6f1d32108ff95ec6a61dea57faf0e7cf7e1e81d5c993516e9f7cdbe7aefa45287fc1e6533aea52572fdf4549bfeaba86c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
cdf86bd85be897433f09370105170ccb

SHA1
77ad7faeb04a19ca60d3f34d2cbee04a6591f307

SHA256
e9953395efe3171e08d456802971ca216766eb086111ab79a87e5887ae0160e2

SHA512
540b225a8a5ee5ca7fd78980bfe4f445ae889ae9b66165a07ee9c315c43e9b93204cabf64bb34e690bbb0b0f905a27fb323f6669eea63b46aa96939c22ef7796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
58db63074ed8e4b39d32994f741ef18b

SHA1
7c58b3e7b8c4b8fa0aeee7c7e07a0767a24a026a

SHA256
d885dd8b01d25b8187637fccd9b74ad452e24ffd4ea1c162c0c89b38a478057c

SHA512
440af072b5c7b7b882bda16723f6997a8bf2087cd2d84f42cba4a0a0beb407292f03c5624a991af567c5c9829b96afad24d78db09c50caccc47be4de0ea2ca61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582239.TMP

Filesize
538B

MD5
472c9f61351e0db851cc56ed3a6c644f

SHA1
b96c117e08f1fb37daee59aa0e2a1f7d4a754c99

SHA256
d0ae3c8fb467fa597e4d56b3fd394cbae0a9a5a093f1129e68c72ae9ae801099

SHA512
40f9f6645801b435623da686e95d25b077142b6c76365bb585a3c4003ae48c8e1100cc0ded214db99ecc25974751c43641b8343fb027b1f1033027ae0c3080b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ddc738cc-04fb-4ceb-987d-8d7ca780129d.tmp

Filesize
25KB

MD5
e5477be1e6c4cc9f570c69a84dd4f681

SHA1
fdcbdc83ccfef1c270b927c6815e641f6d96a132

SHA256
f06ab204d1d24ecd2d13e473bf807a8fc65ed09114a227966b4a308bd7eaa531

SHA512
24eb3338f0a7be6df183c5d5f22831bed07ce0779dcc124e805364a128a08f571160a6809556cd1de323c9d3cc64299855978967c8693b8324cd9bb22f5ffe14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
08b015d17ebf3f580e8a0465b9be6166

SHA1
f0994234733430e74df302aee5366257ef1d8dd2

SHA256
b3b1e9254a477f3fcd5850c7431dc06b2558f7859f0a3a53074b7c9069b1f468

SHA512
dfedd06147bceab6859bd17af45a42da0bd3e53fd4cbffcefafec1202d0513fce5cb2ea9308803667788dc724fb02c47bb726ecebb26e171044270b9ad00c1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8b7b6242f01ea87eaf2eca73569b6470

SHA1
65be953d74ae6efc83787b3c7c834b865691292c

SHA256
5b1b9b12af943b0c37bb9bf6a67b4003aa9d07db9b7258f5d4068b09a5071835

SHA512
e22a3f84abb1e4e8bbe6f953421d094fca98e92d98219fa7bb5694606b0c4ab6f041b311f2a7187f7b8d9256c3ee085f9e6ea3a717d4ea2a9d75fcf5342ca3ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8bd60ffc83a18d5e4fe62a9c61a0afe0

SHA1
d5fa0d9f5772dc2ebaeaf02f7c22229494d5c856

SHA256
6a0fe63c490e4813a8ae732a85fd84bcb60c6806f14e024731589ad99a84248e

SHA512
d571ce8fcdb6634a60f2c7d25d41bc8e935b5ef1475f2c564860550cea82006c3876d12f15376ddb349c1eb94b51c4b767641311ede1fbd77f3cd37c206f217c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
fa451c524df3ae5f9d7d764f83ebe74d

SHA1
4d23431ff3f3536e2a9169aec97bc4af5967d30d

SHA256
bf12169b34fa5240ba8a63ef13a3844140fc254ff6d8147cf82493f5f7d2fbef

SHA512
2bdb629194cbd6337e12050000ea8690ed627cc30d8528d15adbc5a59a1f48d1a39e9b0b27a5ee82ffb95286386bf895c7bf601d00ae6ea96a06db7a56c30461

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
c21b33647a4a3fa17421e7c1a0b71a88

SHA1
ff29fdad49344cde95d344fe7f7458c0352cc066

SHA256
61caab128bb58f926102904b7986b86480eed3dfbcad66fdc830e3e548da4bc8

SHA512
0fff231c5b5e3aead65625a3b6de1912c15d071533884a593e1218f0f9c600609ff42a8a205a4a9afef27d2efa88ee5a9d35f98be4e11ba5f991fd56b563d574

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4A558E98\Virus Maker.exe

Filesize
3.7MB

MD5
c00845708ee4e6cbaa628a0886076c4d

SHA1
e011d28a40304957961654e62d00754a772fdee8

SHA256
16f14bd60c84a7838b99c34a791d5d334f08ee1e588c95162290ced38db8b092

SHA512
2b6a09b934ad6076008ad1b8bc960b6c3bf39968275f9f46fe1afbed7228eb196b46172c175106da70af80ad78aafc327869e71860af6472c74867dba022fb59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4A558E98\Virus Maker.exe

Filesize
3.6MB

MD5
34c7fb2c79a4356f253f63b210bcebcb

SHA1
0b43fdfdbabb370b1d5bf5bb6c42ef8d1e4fffb7

SHA256
a38471863830a6401dff327b772c4fe75c5643972849c7d50773ec97a2136015

SHA512
bdaa6bdced9c9bebf73ad5529c0d98cd563e8c30b004ebd08d4988720d9c8daaf3c95f5c8a99d8bc67db896759f292d45e6c422052c9742fc9ae4d73a734e4b6

Download Submit
C:\Users\Admin\Downloads\Virus Maker.rar

Filesize
82KB

MD5
d1f61793e7898df4b27e3345764ceca8

SHA1
f03b91146aeaf753b565620a022a238830ed56d4

SHA256
d32f3a860b863d38f117c2e7efcaa6909583d418f8578b526a7ed0153529644b

SHA512
6491767f6db68886d000b173306377f3b0bf2d6db765ce4c14139c9ad09fa44e6cb75489f3858e45c4000333d2ad517721f81cc48e94de25c75c17cac36bb617

Download Submit
memory/1276-517-0x00000000062B0000-0x0000000006856000-memory.dmp

Filesize
5.6MB

Download
memory/1276-516-0x0000000005BC0000-0x0000000005C5C000-memory.dmp

Filesize
624KB

Download
memory/1276-515-0x0000000000DA0000-0x000000000114E000-memory.dmp

Filesize
3.7MB

Download
memory/1276-518-0x0000000005DA0000-0x0000000005E32000-memory.dmp

Filesize
584KB

Download
memory/1276-519-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

Filesize
64KB

Download
memory/1276-521-0x0000000005F30000-0x0000000005F86000-memory.dmp

Filesize
344KB

Download
memory/1276-520-0x0000000005C80000-0x0000000005C8A000-memory.dmp

Filesize
40KB

Download
memory/1276-522-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

Filesize
64KB

Download
memory/1276-514-0x0000000074CD0000-0x0000000075481000-memory.dmp

Filesize
7.7MB

Download
memory/1276-546-0x0000000074CD0000-0x0000000075481000-memory.dmp

Filesize
7.7MB

Download
memory/1276-547-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

Filesize
64KB

Download
memory/1276-548-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

Filesize
64KB

Download