zgrat | hxxps://vbwindowsdefnkmebe[.]pages[.]dev/windows[.]exe

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://vbwindowsdefnkmebe.pages.dev/windows.exe

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/5176-69-0x0000022D794D0000-0x0000022D7970E000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-77-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-75-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-73-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-93-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-95-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-109-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-106-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-133-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-132-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-125-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-123-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-121-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-129-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-127-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-119-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-117-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-115-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-113-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-111-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-99-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-107-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-103-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-101-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-89-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-88-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-85-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-83-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-81-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-97-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-91-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-79-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-71-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1
behavioral1/memory/5176-70-0x0000022D794D0000-0x0000022D79707000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	explorere

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{C2C9946F-BF9A-4B6A-A474-D93A39453B33}.lnk	explorere

Executes dropped EXE 8 IoCs

pid	Process
5176	windows.exe
5968	windows.exe
912	windows.exe
384	explorere
5444	windows.exe
2120	explorere
4924	explorere
4852	explorere

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\windows\\explorere {0E5F88F2-8842-4587-BAA0-4F799FD9DF2C}"	explorere

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5176 set thread context of 912	5176	windows.exe	127
PID 5968 set thread context of 5444	5968	windows.exe	131
PID 384 set thread context of 4924	384	explorere	137
PID 2120 set thread context of 4852	2120	explorere	144

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 248038.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5064	msedge.exe
5064	msedge.exe
3948	msedge.exe
3948	msedge.exe
4332	identity_helper.exe
4332	identity_helper.exe
2536	msedge.exe
2536	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	5176	windows.exe
Token: SeDebugPrivilege	5968	windows.exe
Token: SeDebugPrivilege	5176	windows.exe
Token: SeDebugPrivilege	384	explorere
Token: SeDebugPrivilege	5968	windows.exe
Token: SeDebugPrivilege	2120	explorere
Token: SeDebugPrivilege	384	explorere
Token: SeDebugPrivilege	2120	explorere

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 2360	3948	msedge.exe	83
PID 3948 wrote to memory of 2360	3948	msedge.exe	83
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 428	3948	msedge.exe	84
PID 3948 wrote to memory of 5064	3948	msedge.exe	85
PID 3948 wrote to memory of 5064	3948	msedge.exe	85
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86
PID 3948 wrote to memory of 5092	3948	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vbwindowsdefnkmebe.pages.dev/windows.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd5e2e46f8,0x7ffd5e2e4708,0x7ffd5e2e4718
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,17110691578075835761,14851188188130077867,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,17110691578075835761,14851188188130077867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,17110691578075835761,14851188188130077867,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17110691578075835761,14851188188130077867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17110691578075835761,14851188188130077867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,17110691578075835761,14851188188130077867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,17110691578075835761,14851188188130077867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1880,17110691578075835761,14851188188130077867,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=180 /prefetch:8
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17110691578075835761,14851188188130077867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,17110691578075835761,14851188188130077867,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5952 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,17110691578075835761,14851188188130077867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- C:\Users\Admin\Downloads\windows.exe
  "C:\Users\Admin\Downloads\windows.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5176
- - C:\Users\Admin\Downloads\windows.exe
    "C:\Users\Admin\Downloads\windows.exe"
    3⤵
    - Executes dropped EXE
    PID:912
  - - C:\ProgramData\windows\explorere
      "C:\ProgramData\windows\explorere" {4B08985C-0E0F-4678-84A8-2A0974B289FF}
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:384
    - - C:\ProgramData\windows\explorere
        
        "C:\ProgramData\windows\explorere"
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17110691578075835761,14851188188130077867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17110691578075835761,14851188188130077867,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17110691578075835761,14851188188130077867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17110691578075835761,14851188188130077867,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,17110691578075835761,14851188188130077867,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3144 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2264

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5668

C:\Users\Admin\Downloads\windows.exe
"C:\Users\Admin\Downloads\windows.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5968
- C:\Users\Admin\Downloads\windows.exe
  "C:\Users\Admin\Downloads\windows.exe"
  2⤵
  - Executes dropped EXE
  PID:5444
- - C:\ProgramData\windows\explorere
    "C:\ProgramData\windows\explorere" {4B08985C-0E0F-4678-84A8-2A0974B289FF}
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
  - - C:\ProgramData\windows\explorere
      "C:\ProgramData\windows\explorere"
      4⤵
      Executes dropped EXE
      PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\windows.exe.log

Filesize
1KB

MD5
aabcf0a58c791388481062e804b82e5d

SHA1
322d0ac30e15cb80d799a416e5cb35db10e259ac

SHA256
75cb2c51dac49b960ce0c25b495793a5b04500d44e49b42681f93d0114de5bb7

SHA512
64220c514cd1fbf6c2a3eb981196b62ff4b7cdb12d6b1fab3ab815be56b47169997fb1dec1cac7055f73556e03c7f156b43c2e9793dfb674dc9f44a0e5bac7ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
196B

MD5
4f4ac01fac88ac5f7805fab1368444ce

SHA1
d107836ffcd1b2079cc17477f433e35e086ad9c9

SHA256
238a8b4b5ba7d5fec0696eec8f0f6d7698569dfc25d5ded23f8a21c52c911335

SHA512
8331f648978a986ba1650ba151a0085bf080abe5fc22b6f060bb723034ef07d3a0647d33a08694f286c0787eefe5b719b3a15d9c4f15854b2b3df9259374bf45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
78e83e64db30aee1de7c4c78e7967f57

SHA1
90e38fbce1be51642205135dce2679225f1e0e82

SHA256
09b6333a88556624b3c84c3348702afe154ddd7e80d115fe5983d3f83e710c06

SHA512
c4116a29a08d82dde8307695b0cb804db5db9bd9d9b3304758de74ea4d60999cbdb7acb1e19b5d57a8ec4b7d63bce509f6acbc282043461fd610bf1766801e2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
72693ebcca023bcf9b098a785ef3921a

SHA1
1404afd253753f24b7f5ad1ffdbe4f4f708a6be7

SHA256
93e22c53e18a10b762af6f43820291a9b1b66f10c65851d81252059245a6783d

SHA512
aa863d8e5e04f71398a68dd225ab6a9f9ac7ad105021b9e0c450ddb3d9d0954c8ca976796186f0ece1e2f8054ec1ecd800339e33f51a5636ff24f3c06b627d18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7e4566576c1a30d259f975c44b40c9a2

SHA1
99cbd45a228f4f827074f6be87ce41823a0be70e

SHA256
7c92d6ee1095f5f7bba202416343001ba5080d16e6c4fdb7da36bf8820fc7a02

SHA512
21cc028be24857c05ca906692653d42dd843a33de9bb48d94008cf2c025f3bbb6aeaddeefdd3acfc6f308dd3b32a6941438b39ba7b76b5a04115fab278870dca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4a2ce5c458514e45b92e609e359e4166

SHA1
f12b1a53cd00f517c20badf611650c9ea440a2e9

SHA256
d9cb1e185db1e86221a3ef7f2366c7b42458e016fdf3e6e0c99692136d3c0ff4

SHA512
87869a946ad26c0c5eadb39fe18df9d823966f236591da4afb01fedc605bbd8e4ca56468b8a9f8a6fa3ecc4f781fc4a6c79713d032a1a7eb62f2adb028fe9d1b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 248038.crdownload

Filesize
4.5MB

MD5
ef0124f238734460752a0de9e85501bc

SHA1
8dcbd7b8c753329ffc4a68a4bac8c3ab5ba62dfb

SHA256
4a299f5b0de81d51e75d45e9b49e830e4230346329d9ed15197ddf1ac2853644

SHA512
6aa0476b378bf34eb274ef2b62d8cb12f2c5014cae0e02a6ffea55e4c0fd009e07f8816b23bb6ad2ed57a0a8173668ae3c24f94bcecd131348c5347510fcac3c

Download Submit
memory/2120-19704-0x000002099A1C0000-0x000002099A214000-memory.dmp

Filesize
336KB

Download
memory/5176-129-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-99-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-73-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-93-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-95-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-109-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-106-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-133-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-132-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-125-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-123-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-121-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-77-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-127-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-119-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-117-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-115-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-113-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-111-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-75-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-107-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-103-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-101-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-89-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-88-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-85-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-83-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-81-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-97-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-91-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-79-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-71-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-70-0x0000022D794D0000-0x0000022D79707000-memory.dmp

Filesize
2.2MB

Download
memory/5176-4981-0x0000022D79810000-0x0000022D7988A000-memory.dmp

Filesize
488KB

Download
memory/5176-4982-0x0000022D78D40000-0x0000022D78D8C000-memory.dmp

Filesize
304KB

Download
memory/5176-69-0x0000022D794D0000-0x0000022D7970E000-memory.dmp

Filesize
2.2MB

Download
memory/5176-68-0x0000022D76BD0000-0x0000022D77050000-memory.dmp

Filesize
4.5MB

Download
memory/5176-9883-0x0000022D79890000-0x0000022D798E4000-memory.dmp

Filesize
336KB

Download