hxxps://cdn[.]discordapp[.]com/attachments/1242945817900486678/1242951296374276249/OTPBOT[.]rar?ex=664fb419&is=664e6299&hm=0099c795892a247f6e50c3d801ff6743e80238fe4f7fef5cff8b770e30ca3af5&

Analysis

max time kernel
750s
max time network
732s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
22-05-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1242945817900486678/1242951296374276249/OTPBOT.rar?ex=664fb419&is=664e6299&hm=0099c795892a247f6e50c3d801ff6743e80238fe4f7fef5cff8b770e30ca3af5&

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

winrar-x64-701.exe

pid process

2620 winrar-x64-701.exe

pid	process
2620	winrar-x64-701.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3001105534-2705918504-2956618779-1000\{921DCEE8-AAAA-47CE-91B6-20340084954F}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\OTPBOT.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 852170.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
2980	msedge.exe
2980	msedge.exe
4560	msedge.exe
4560	msedge.exe
2268	msedge.exe
2268	msedge.exe
2724	msedge.exe
2724	msedge.exe
240	identity_helper.exe
240	identity_helper.exe
3488	msedge.exe
3488	msedge.exe
1800	msedge.exe
1800	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exe

pid	process
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe

Suspicious use of FindShellTrayWindow 48 IoCs

Processes:

msedge.exe

pid	process
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

winrar-x64-701.exe

pid process

2620 winrar-x64-701.exe
2620 winrar-x64-701.exe
2620 winrar-x64-701.exe

pid	process
2620	winrar-x64-701.exe
2620	winrar-x64-701.exe
2620	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4560 wrote to memory of 4736	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 4736	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 1792	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 2980	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 2980	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe
PID 4560 wrote to memory of 488	4560	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1242945817900486678/1242951296374276249/OTPBOT.rar?ex=664fb419&is=664e6299&hm=0099c795892a247f6e50c3d801ff6743e80238fe4f7fef5cff8b770e30ca3af5&
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffa87d3cb8,0x7fffa87d3cc8,0x7fffa87d3cd8
2⤵
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
2⤵
PID:1792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2480 /prefetch:8
2⤵
PID:488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
2⤵
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
2⤵
PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1884 /prefetch:1
2⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
2⤵
PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
2⤵
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
2⤵
PID:3696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
2⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
2⤵
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
2⤵
PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
2⤵
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
2⤵
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
2⤵
PID:760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
2⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6716 /prefetch:8
2⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3128 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
2⤵
PID:2108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
2⤵
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
2⤵
PID:2820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
2⤵
PID:828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6684 /prefetch:8
2⤵
PID:3572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,1871804857016931426,15858707962973919048,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6628 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2028

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\754ebfaf-8bb4-451c-ad52-c0dc04ddf150.tmp

Filesize
11KB

MD5
e7e6e9d4031b3e80adbca35ce8167380

SHA1
f437c9a4b19e948ff584c9d0b138a4e697861772

SHA256
9687a9f1bcd51975cb171bd586951a87edff56c1b60eef1237b93c21b5712427

SHA512
48a303811f0bf033118255cbc246bc145dc45d070d231e3cf2334376ba9257e0cef77f0f5e23e49bd2d26cef6845961227e285a9d2430a043bb03de5901573c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
390187670cb1e0eb022f4f7735263e82

SHA1
ea1401ccf6bf54e688a0dc9e6946eae7353b26f1

SHA256
3e6c56356d6509a3fd4b2403555be55e251f4a962379b29735c1203e57230947

SHA512
602f64d74096d4fb7a23b23374603246d42b17cc854835e3b2f4d464997b73f289a3b40eb690e3ee707829d4ff886865e982f72155d96be6bc00166f44878062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8294f1821fd3419c0a42b389d19ecfc6

SHA1
cd4982751377c2904a1d3c58e801fa013ea27533

SHA256
92a96c9309023c8b9e1396ff41f7d9d3ff8a3687972e76b9ebd70b04e3bf223a

SHA512
372d369f7ad1b0e07200d3aa6b2cfce5beafa7a97f63932d4c9b3b01a0e8b7eb39881867f87ded55a9973abea973b2d2c9b6fc4892f81cec644702b9edb1566d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
412dfeea73b7f2ea71f7823f7ddfcfec

SHA1
6ca2314264aa28044ffc671fce235b570e3990a6

SHA256
8f08cbb22867c1d74426072754ebb29b137dae3353973d08e90a76bf5e4cf9a2

SHA512
5aa1cfcd54cd0685fb3c440d553a8485ce778d49e834d4f85e34e124a3aa50ba29a30d4cbfc24d0b18475582b5acae93e6bb0cdc36175863d29bce4141b97406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5173297254a6861c8a356e2809222a3d

SHA1
4978c62527c646c4b0c80b06699aa930fe7710b1

SHA256
3bb089516e7ab6466e56cd59ec9d7c1c00eb933e3a822d8c639740d334a5dd8b

SHA512
2533e62b019662c00e1a0b0b15a9fb1f5a301a238b2e7cea9e3bc9c5e135ea8e841d65bcd3a07c6d647b092ef69430ccfc7c2bed6790327ffcd478ea821119d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
401B

MD5
10c952857807de0563b31e79fdab0b3a

SHA1
0d1a77d89b5c1b10408a2165c2d676ee944a295a

SHA256
81a11be6ba05731112cb574245f3b3b4fc23917ca65ea4c0bce34a696c011395

SHA512
d9b93e8aa04439aee7e8fd25e81b22ceefa974a1fd12f6396aaa2f12f0979e6a2d123f36c924500d329c1d6dfa91496de3791d17043d78cfd8af51b4bcedef69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
688B

MD5
684f5d86f007ff8ad7454adab2be26fa

SHA1
4ccceb776bd1e3c2fd6c5ef905e9d306a6282c8d

SHA256
eb827f3c65605e7a829a349c02faf6ade96293aec77c4a6cefc3c9dd6010cce9

SHA512
195413d0bc47b9b1e357389d45403ddcf076e58fbdad90b715a0cb0a3f82e3d18f8b94dbfa30b05c8a03adce5aa7943310fba756d81ccf85b8e32143db985664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4680fbf92fd0e78a7885bfee6986505c

SHA1
f162592395d89f2e4abeaa8a8c5dec85fb604ef8

SHA256
afb525fe10322fbde2343552cf14739ead75bb95abc51c4b57f0d8db69b41c12

SHA512
bc4a29894ed7db97a8adf80bcca1160c7d22428204d2645f7899faff40124e729310867a2a9c49109d4b9835e223bb70e089f463f2bb9521243d36b4d349354e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a501ee8a49093c034ef86f1d18c4ea45

SHA1
48f2637718fbc8c6ddae7f99f1d62accfb6539f5

SHA256
ce0f0dde3c41d5365112e179a3bfea7ba8c7767ec016c6417e8c4d18b893617c

SHA512
0f129d5ae7b2a0c3ed135d1a107dcd22788a087ec9a523325b12348f9e4453081d15dee9b30f193f809c7c63d9a562f00064a46b561fb57dc536b5dd8a90ced7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5a09e6a223176fa9fa5dfec69cf6983a

SHA1
766789bdb280c3d17f91b7d9f5eef100fa38ad26

SHA256
a446aac12fe69752786783b4825aa5b7775c1a435eaface662240a125a68f7ee

SHA512
cc8f0cb5ae39c90b4d53b8ccee390bca2c44f5fe3eb2ee99f82b5bd58e05ab679c1a62f63c3b8ff2ae678f24e365a8e3f8b4fc7506aba46d9c2081b549ca1f60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3f025ec6eb8abb8a6c86ae17fc13d2d1

SHA1
b3574d188e6db49e96d5ef1f805be1ee262a53fe

SHA256
487013282655274d4312533950317f18d18e604678feb42490d6271cf39c8a18

SHA512
4675726f32a2d32097b166448ffcd1f0036a2af98e7f23cbbf482d0c9aae3d7d736d305886368979dcf949dc723ef8e2240f866c1531a601d42f211cb8ff1151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
87e4b0802aa1d6ebf8e6e235dfc1e45d

SHA1
4d8200e64a5ee584ff77254a18c6bd244137ea99

SHA256
3258698568c48a960fe604b59ff7828de6d172ee40642c24c594abc8f65250a7

SHA512
ce7f57922be4b7bba552b8ce1b067baac758e6d3037a876af922458cb3eded3f1eaf871063014fcd01974bcd5e439961fcdd3da0fb04f6bdce6bc9bad963e7e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8bb13b61d4bcfa2668cc52e7a7fcad32

SHA1
9c614d70d351a2f9154bfc62a34cd4fc62a4f614

SHA256
0581032cb0efb46e3ec2691b34e9a7013355021a7662f9fa87e95069e4913927

SHA512
47db450a410fd057e625c3a8d9f0b4ea25d1fb80ac30091b3f24e1dca7a225b63d3ab22479bacab109d24c44eedd7b3f4ea026f6744a32121197894df1b32375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0884416d29852667e9ff9f5bc22d80ec

SHA1
372b3fa5f7e732c07bc26c7bf2a841432a38c787

SHA256
9e7367e0f15f63675ae92889fe85681cc52c718eea82a6e4b36fc8a6c83882ab

SHA512
aa98e1d2f3d96442fffe3c3388f0ee648838e895661d668f38044d415f6bb5aea921884f803cefc56d30a31733aef3de47793c6ee00eda59c11f623f4a35b7d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
368B

MD5
9876ded147bf77690b98ed0a00d759a7

SHA1
233a05c462095542522fceb39a053a49e2f37a1f

SHA256
9297993c070216058a16d4cec34fb5158cd0ade91b261c03b175d147fd613f9d

SHA512
27486b89b972568f12b6f495d20b0625397f29e4da7e8c5bfd68413147f65e9c72a85250ddb7928f377485965b324ec94de8d7eb466689d0ab5563e14a4ef4c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
868B

MD5
e46687eabf739dc18b9e5b8cc5e9e06e

SHA1
cb7936eed2be5e1b424805069889f9665c2b9e3f

SHA256
aa86f3134317a37d6fda09aeb9c82f4307c3bf43d58fd4b86cfef3c6a4475416

SHA512
53b101cb12fce244103feec3a38c81c997bfed5b8291a7044c9d549f87a5b77b6db917b90643a9d0259567f2e7fb9c1ffb9172ec0fe899041a79ff5756df5770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
17b823351ff7f8275e4d63df2e57ab83

SHA1
bce2bbcce398942c1847f715c098e4614b135580

SHA256
2b8b43e98e4a5425681614f24802d99f685059477722f857df3abbf8f2f2feab

SHA512
77b31daecd2fea9af587bf6421476d4c18c4072a46e68e0f4c36d8211fbf886f1cfb1e5e2e314bf04a7c0028d0532e9c58d81cafe11a46c11e137a282d87a3aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586608.TMP

Filesize
370B

MD5
fc2c353629349e765a12929928ad9a78

SHA1
d6fc97542df3b2991063065c76bea843c74d4a2d

SHA256
1958e25292620da171041da9e2df0601aa510af0db59adf75fb190d1f7a5c341

SHA512
156d72cbc34e9cac3684c27a4bc8a5c87c5cfe031f836837834ed2f6992410256cdf5532fe3a086d4b87237e2f1568a829bee5851f67ab2ac5e6f0e421b0671a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c5eab456e2ee212a3144ad9db5115ba4

SHA1
a2de9eab58fe10211a56dfa50e2ae5bb3bed513e

SHA256
d7f64ac361dd468a71ec196a244ea865fff27ccc3d75f93c6f5a24876971cfc5

SHA512
8b271447c72937e441ef5db2735104eedff66397bf065825d979900a34cd846259d85001764e6155fb015d4411d1d08b601228154b499c593b13487f7b9efc66

Download Submit
C:\Users\Admin\Downloads\OTPBOT.rar

Filesize
15.2MB

MD5
7916a13e3e696e94212dc8c2f7509a12

SHA1
a95973839a04ee466db580cf331ac62e60665a39

SHA256
1cf39d304c3cb61703573f93b654fb89fe30627b252053ae91d20e6636e576af

SHA512
642adae82c7ad0c9979d3ab67995a69e20d59ed876251d2a925cead0c1d639ed2876ab3ae3fad6a9f05e8714a15fb6da8f7acbe4fd698288490e33a732449593

Download Submit
C:\Users\Admin\Downloads\OTPBOT.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 852170.crdownload

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
\??\pipe\LOCAL\crashpad_4560_QTKEOSNBDSJXTPXB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit