hxxps://cdn[.]discordapp[.]com/attachments/1170706767446028359/1170707997824135278/Deathsec_Multi_Tool[.]rar?ex=663e1949&is=663cc7c9&hm=c01d9f4afd22aa6df7f1435657a9e302fafb153f74554319bad58409bfc84341&

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 00:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1170706767446028359/1170707997824135278/Deathsec_Multi_Tool.rar?ex=663e1949&is=663cc7c9&hm=c01d9f4afd22aa6df7f1435657a9e302fafb153f74554319bad58409bfc84341&

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
6012	winrar-x64-701b1.exe
6124	winrar-x64-701b1.exe
5664	winrar-x64-701b1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{A4BEC0C4-EB51-419C-86C9-17C268EF77A4}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 561996.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1072	msedge.exe
1072	msedge.exe
4800	msedge.exe
4800	msedge.exe
4320	identity_helper.exe
4320	identity_helper.exe
3580	msedge.exe
3580	msedge.exe
1280	msedge.exe
1280	msedge.exe
5900	msedge.exe
5900	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4932	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
6012	winrar-x64-701b1.exe
6012	winrar-x64-701b1.exe
6012	winrar-x64-701b1.exe
6124	winrar-x64-701b1.exe
6124	winrar-x64-701b1.exe
6124	winrar-x64-701b1.exe
5664	winrar-x64-701b1.exe
5664	winrar-x64-701b1.exe
5664	winrar-x64-701b1.exe
5788	OpenWith.exe
5756	OpenWith.exe
5980	OpenWith.exe
4932	OpenWith.exe
5980	OpenWith.exe
5980	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 1820	4800	msedge.exe	86
PID 4800 wrote to memory of 1820	4800	msedge.exe	86
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 3620	4800	msedge.exe	87
PID 4800 wrote to memory of 1072	4800	msedge.exe	88
PID 4800 wrote to memory of 1072	4800	msedge.exe	88
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89
PID 4800 wrote to memory of 4304	4800	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1170706767446028359/1170707997824135278/Deathsec_Multi_Tool.rar?ex=663e1949&is=663cc7c9&hm=c01d9f4afd22aa6df7f1435657a9e302fafb153f74554319bad58409bfc84341&
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff28d446f8,0x7fff28d44708,0x7fff28d44718
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3444 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6448 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2128 /prefetch:8
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5900
- C:\Users\Admin\Downloads\winrar-x64-701b1.exe
  "C:\Users\Admin\Downloads\winrar-x64-701b1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6012
- C:\Users\Admin\Downloads\winrar-x64-701b1.exe
  "C:\Users\Admin\Downloads\winrar-x64-701b1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6124
- C:\Users\Admin\Downloads\winrar-x64-701b1.exe
  "C:\Users\Admin\Downloads\winrar-x64-701b1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,2290431520073607911,13981280255220384618,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3544 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3580

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3436

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\566c457777724fbb84571c72a6d9bbfd /t 6016 /p 6012
1⤵
PID:5576

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\6ff42a218ca04ee3b4048af1aa24833c /t 6128 /p 6124
1⤵
PID:4060

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5788

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5756

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5980

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
918e39e79a18168024b197faeade5893

SHA1
324a16e3027ce39220989f23530fc1f7c3f694c1

SHA256
89d878fd603b12fcd2aa6f94ba93c0a52bcf89acb82e037a58bf0045a9e7c2d2

SHA512
52f8e2da3d48d2efdb377de2ddb9d6bbe6607d5f25484956f2ba4969e1b537e11444b34e6c4c340d7babdd7378152fae0787534418e6fe86e4d0e59f8af5e4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
698B

MD5
a24ed9d6954f246c37bb5c670f22ec63

SHA1
8dd7d82c3e93a5fd959891d484ed3727920a5433

SHA256
cf43f467bf4617e23e9d95647a8e8805e7722d2511363c9da5aab92b3293d73c

SHA512
7e74a4dd59df52a2b6acd51b84cc57251daf120e233b291d21a0f7f341d2fc996229899cc4b209f422ad32aff42d756640e2b50fbf07ef17b7d9b70e771b05d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3582c075eef897ebdb507a552c9e021c

SHA1
8ea76709e67254b3f12300c4aeb89b7733c04106

SHA256
8da62d4009fffea0284afd7446ddb87af866b188b1cfa5efbc905725ad750005

SHA512
36f61145dc74de10e47102caddd6a0fdf8eb2193fc419b4198c41bd0854f6ae7ab77a8a9fddf53fd4dad4db5288d08312f5daa8f437f9e6332b5d295ba60afaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a1c9827bdf19c68852df99773c584145

SHA1
6974a549815b4c375b3a6897806a6b2a04efdf60

SHA256
9b77b9b454294af3b14413106938a22bfa8c8c6f1a60039851a869490e81c761

SHA512
eff5ea17d479ac093e559c4e336125c223edcb7dd0a9b66ebd0172fe2b62b5495deb3f8e7edc54261cd563d62b142d0644fc7b1531ba62965ff6fd8b84dfd682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c23583666f316ba712fdaa4cc513b78c

SHA1
f7cbff80d221f48f378de6cd2c7507458a3abdff

SHA256
ad619351a34ddbb61a3462b029cca6a20e216de62af036241abe986c7c0d19b6

SHA512
cedf18867aff88fdb3939112c1fd389302d45dda6bdc693f8165bf69590f5d5739fc2172d069650ca15c4d8fc593245e25413c04e3567cb7e4d68e595997b81d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
267df3b8f2aa9a4b7fac971de66c1f40

SHA1
2d6811500cf44fa6b81c33bab42e8a971f481bef

SHA256
21963ed4423a29ac74dc790cd7ebe9d2dffd2ae993830c885498b2e6bc637b1a

SHA512
08a15c76831fcf26a2da870d2d86c365b2d53cea979b8eca8fa5ac69accac0fb1c1fe7490a56ed490a4179b13f52821cfba782d41cd81519ee7ac2e7d77288e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
21ce913a1f150802a605dcef15da168c

SHA1
e792dff17364c8f05ff619e0dc94dc0315bb2fd0

SHA256
e009cb880d406dee8d1651ff0008456f98275f6a24a1ac088c2f033623e9559f

SHA512
b041be4e3f9edaa6f4841cd09ee340aebf3ad6180a148e9ce0d822768471f4d2f8fe74e1e3c06db6b3e60e0d2610579a15d05d812a832cf123b3ea9a3eb4c6a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4da0ccdb138885e83df0c3c126f18a4e

SHA1
9c72dbac08a4df93bba2eadd9633a6be9df01515

SHA256
23e3fd3c279b59c5e736046ee014c7f43d4b0fcdb6563932053e90147dca7c73

SHA512
2fa4d52e2c48d4d6f9a705835425670156c10245be13729fe601db3d6a79948fb79178cf5c1c9ff3d0e7e0e5a93a4bfb2f5e574c47da6b1a8d0f18dd9fafecb2

Download Submit
C:\Users\Admin\Downloads\Deathsec_Multi_Tool.rar

Filesize
26.7MB

MD5
0942b9f8d568607b04aeddba99a996b8

SHA1
ad408fb45869e3a96bc1af81a2f4657b068e0b6f

SHA256
62986d4f43811734a53e0e5159ef994cf49148dce1fa1390ef88d679d745f71b

SHA512
ab5c114833f56f434fa5adf69e20e8dcc88910d7bef3ce7d9490c7b09eb2553b05cbe3989c84aaa8a6598650bcb480ff1003b715987372aa3bc7a84ecab105fd

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701b1.exe

Filesize
3.7MB

MD5
8c80e9a6c80f878dbbbb84c0eeb06841

SHA1
776c1ebfefd195cdd974c7da149fd9335ef03684

SHA256
8249444b8ec33512027cde2bd6edb51bea9e9b4f35c4b261319d7a52d3befffc

SHA512
2032fcb28818c44e478ce4d73b76454ff50bd7ff67371b6de3b60978a3474f5dbf135d37b92f4d960c7a9bb95b594590f5beb385fddd0d49aeeca4e817028863

Download Submit