hxxps://github[.]com/Bximenos/Minecraft-Vape-Client?tab=readme-ov-file

Resubmissions

22-05-2024 03:27

240522-dz6lkaaf49 8

22-05-2024 03:24

240522-dx9v7sag4y 8

Analysis

max time kernel
81s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Bximenos/Minecraft-Vape-Client?tab=readme-ov-file

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

winrar-x64-701.exe

pid process

5748 winrar-x64-701.exe

pid	process
5748	winrar-x64-701.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 3 IoCs

Processes:

msedge.exeOpenWith.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3558294865-3673844354-2255444939-1000\{298C9161-2776-482D-9781-A5BE6EBF37A6}	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 116596.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 116596.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
3520	msedge.exe
3520	msedge.exe
1708	msedge.exe
1708	msedge.exe
3328	identity_helper.exe
3328	identity_helper.exe
5192	msedge.exe
5192	msedge.exe
6088	msedge.exe
6088	msedge.exe
5444	msedge.exe
5444	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe

Suspicious use of FindShellTrayWindow 58 IoCs

Processes:

msedge.exe

pid	process
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

OpenWith.exewinrar-x64-701.exe

pid process

5300 OpenWith.exe
5300 OpenWith.exe
5300 OpenWith.exe
5748 winrar-x64-701.exe
5748 winrar-x64-701.exe
5748 winrar-x64-701.exe

pid	process
5300	OpenWith.exe
5300	OpenWith.exe
5300	OpenWith.exe
5748	winrar-x64-701.exe
5748	winrar-x64-701.exe
5748	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1708 wrote to memory of 3120	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3120	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3060	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3520	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 3520	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe
PID 1708 wrote to memory of 4664	1708	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Bximenos/Minecraft-Vape-Client?tab=readme-ov-file
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7bf346f8,0x7ffa7bf34708,0x7ffa7bf34718
2⤵
PID:3120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
2⤵
PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
2⤵
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
2⤵
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
2⤵
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
2⤵
PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
2⤵
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
2⤵
PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
2⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
2⤵
PID:1456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
2⤵
PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6020 /prefetch:8
2⤵
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6476 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
2⤵
PID:5520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
2⤵
PID:5776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6316 /prefetch:8
2⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6356 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:6088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
2⤵
PID:5276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
2⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
2⤵
PID:2640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
2⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
2⤵
PID:5816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
2⤵
PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:1
2⤵
PID:3160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:1
2⤵
PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5924 /prefetch:8
2⤵
PID:5924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,7283498094382112969,17582289640587971940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6960 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5444

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:848

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5300

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\953d450c4ac54132bd86b72432b57782 /t 5740 /p 5748
1⤵
PID:5900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
8cecb32df1032f03cd2401bafa416126

SHA1
9ead19a8b0d48882cf6d322c653f4f918b46f7dd

SHA256
384740d3acf40662f89a8dced5d93bc17a2cbc436116773662f137772867c45f

SHA512
daddc629c10ec94f9bf870c576ee363977ccfa2d5f4bd85aa3d80e37b27745843d64868f24ca8b95dfe822fff1878e055dd4fffe92a614f96911708a1d9fa93c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b113e00e7e833223bfd93799a2c8c44a

SHA1
a7475a42b2f7df7f41e82827512dd79384dc8f72

SHA256
c721d84328618061afdbf92a9ecac4362e5af1c2d105b69ac41399a9a9cf9d57

SHA512
74692503fb6bdf75e1fd8ccc24ad96c348896f458bfda5626494c4d3abb47ced808abb1ff3248a8c147b44c0112a9bed9e270f7794944352829c9ef78ea8d7e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
154ae533603c1bcd8d98c94f0c413dc9

SHA1
0efcae30fa1b34b3bef2c04b169a8753c6669ee3

SHA256
6bbdccad08ef45477d6604cf8517b23ee613929ca73fe5cfed382c74f0b79232

SHA512
54d576a614359230d1627c50c1d8096670d01a0fa75463fd45d0c4678d70e27de76954e229505ffa7286c88cc3c590303a5a83c7aac8be70de84754abe3c195c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1dbb54ff61b2a909c099f014a9434861

SHA1
dee551f7c8aeeccdf9dacf472ecf5d0c45261069

SHA256
a4853bed58ba19f471227a3621ce97caff8ae866665c4a4904da38f4945261ce

SHA512
a72a86b5582d54f4d4643895f0ea100616fee8dabd4402220f73eb9ea06929865dc583506a9edf169a38caf9cfbddf4ab2f9f2ca27cca88f81f6ba91e1b08711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1c4c5cc7bbb6ea475c5164bf5c68cf64

SHA1
2a012461df4387df350466733d61ff5f035f8d0d

SHA256
5262def03a7a25ca33417a13194fcb67cb3430381f286ec2d9936a67a16bde4c

SHA512
39de5940a0191a7cca4533584518c16dd143c5cd529c2eb6976007fffff4eddd20a4bda887546dcad14ef67723c8857bd9913613a08728f71b48f61869568d80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b339dacbec7e2ec06349fbe4284e585e

SHA1
0e19fa0f36b36ba0ca1af1e690635e4a37b31147

SHA256
360e0767f083e87b2c436730c187664b889063b0713a84e2efd6a8e2ab4fa6a5

SHA512
2db6c8082c047b1823e1e922c806e7440c70655e934d28d727e3e6ce754678547e8e51f39f6cd38a6fbc988acb09ce3883361ac59f2205c112ee1c2663f3e23c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f6db081296190784ae02cda7bd5106e9

SHA1
6585724a1c20c6f3194845b328a59040cbc00dcb

SHA256
3be0d1fbb736c8f3b36af14a40775dfc411a66dbb2ef8b2d4b95f337813ccb58

SHA512
801e9216d84ae2cfd02cc1a0c2f97107c80433fb94d11d4bf4768c8d27f6055dad4605988e62ab9d18c8c80cdca41b25beeb0c9e794bc5f4c1cd55cfa5d4eccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8bf3b0bbbe25a9891f48387c7e4ba0a1

SHA1
ce22fbe4cba5767b6f9a322bc6b236202c4a7f26

SHA256
6e4d11f5f943131ff1abad990a419e46d6050cb03bc6c471315c62c4efeb8d26

SHA512
3e432f03795e26a3797090cca5dd94e9d9949107379f3d7ec019ecc399204d3d1082f05fac8707b4f2ae4f0bb21f954a5a5b8a1eb6d1b0a02da4a9d29a6176ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a291aa5cf53606d478a558acb6cb3076

SHA1
49dff5e27679d56a7560fb736cc3eb5e0b4f5034

SHA256
1efe26062e23af2ac9c6c32adf04d278701506b1fc9ef291aff3c6a31b5d82b9

SHA512
4413afa3ccc0e712b0984fd9c266713c6808582724a4b303f5cb51e99fd2a8eebb06c2d6fcad9aef25ae0913db3924876720358e17d150ef3e3c14fc8b73b36c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9deabb45aafd1e4660d06c909cadf4a1

SHA1
a9dabfe9f918be7238e0b01248c6205517315aa1

SHA256
37fdac605c0641adbd92fc754c7d0c5a130a9099e3a19f4e651711ad4d09729a

SHA512
0623a28fb9d190bd4930ebb85371e5a1acc4469b1fb671dabb66dd8c0109aee695e60c806ab3fa3d8f6d02d938463dd92809300433e5403127d345b5ebff06f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
23a7071bae01f2dc0535f8285ab055f2

SHA1
d99c19607bd03b649d62c885eed70d06a975a93c

SHA256
7190643fd9a6d86578336aaa73bf63b47a790dd4b91e41420b18e4fe20fa784b

SHA512
b32802389e178afe48d28667948371683b8a4c7671180ab1b84f16f6faf40e4ed7d89181f001dad9b81d2493692e75323767cb69d60f7d08ec9a4746f7485651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d84f.TMP

Filesize
1KB

MD5
f0dc1225bbbcc315f0478a1c36593f53

SHA1
5c546baaf36a2d133979acf7f5349b3c7fea4420

SHA256
25170563ccf421a8b957e3c55c5407f57a0dd036af99b832c802c863202a5343

SHA512
87b146af23da3b6db603c6ac7ccb3bdb325d24c9dd2d696b3151af16ace99fc29b743b395c459a2c2391f7e5cb6fcc26c85b27affb0a09516ff33ceab1b189e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d9d49253-2fb6-4b6a-9556-8ef61f080ab8.tmp

Filesize
6KB

MD5
ae2afcdbd7e085c896f13bffcbc84720

SHA1
6287234b79dfad460fd86ca249b506714dcfb660

SHA256
1f6994e51a21fb2b4dee8b3d9d0bb47ebffb4cc732729675eba09d1abea3cebf

SHA512
d721ac3a2570e7a357e6f000fae6f7bb753c7c673a635137bc28704c0d29435d42b173ea6fad1aa54f34519b1116c3e5e83a28364b3f2f360c09ba32f2c8e0ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
91e01bd403a8731dcb05a59bdec663e0

SHA1
ff2483f9cbd6dc2cac62d837256b67bb3e8c9491

SHA256
2e76e173f8e3939b07234ea7d5b9e495e907ccb212d166a811ad26c274babe1c

SHA512
30b5a3ddc92ea28ede23fb60213604add6ec2eb828657a88c290e4806e3cc9cc6adb83a14fc07c0e84f6eb968c3a7ee182ecd7744b0565a60d8af567dcbb4dc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9e62d56172956afeb81163099d6457c2

SHA1
77b4cd99b263a7edb3f9a43c5342cc599c6a0072

SHA256
1988380c3a428fb040d97f18bde839977a597770dac9dd846d424cf5793d338b

SHA512
c57283cfbcf573d364f8b262850b8f334c1398fcb3a844d5761734eff6cb368f41eba509db6cb94424e70a3d49d6ff968b00cfdd3ef6cd7679572586857633f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3a4b1c1baea09057788b5e83a39780d0

SHA1
d72c97fab7285b2c20fe9bd4eb4256b7ac93bc74

SHA256
439149d3bb7f34428a1041b12c60ed6c4b591c842deff7773b63e4c650b0d5a2

SHA512
96f0ebc7b9586dd641466937dc12ce4c9a031a5724cd1c50794c3a1f84abb39bec558035bba82465eb02f862c1948d5d04d83078d0318ae2985b5c712ce11ad1

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit
\??\pipe\LOCAL\crashpad_1708_NMSOLDWDKPUUBEJX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit