hxxps://cdn[.]discordapp[.]com/attachments/778517571808919565/1243615426152235119/Cobra_loader[.]rar?ex=66521e9e&is=6650cd1e&hm=8b1bc83aed9bd36d7d476586142ac81c48bb6dccaa2e2ad9de6d55873858cf49&

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/778517571808919565/1243615426152235119/Cobra_loader.rar?ex=66521e9e&is=6650cd1e&hm=8b1bc83aed9bd36d7d476586142ac81c48bb6dccaa2e2ad9de6d55873858cf49&

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1324	winrar-x64-701.exe
2288	winrar-x64-701.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{23FF06C7-5F86-4263-B8BA-65A2EEBE2142}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 402875.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
540	msedge.exe
540	msedge.exe
2436	msedge.exe
2436	msedge.exe
4420	identity_helper.exe
4420	identity_helper.exe
972	msedge.exe
972	msedge.exe
5220	msedge.exe
5220	msedge.exe
6076	msedge.exe
6076	msedge.exe
5204	msedge.exe
5204	msedge.exe
5204	msedge.exe
5204	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
456	OpenWith.exe
456	OpenWith.exe
456	OpenWith.exe
1324	winrar-x64-701.exe
1324	winrar-x64-701.exe
1324	winrar-x64-701.exe
2288	winrar-x64-701.exe
2288	winrar-x64-701.exe
2288	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 5084	2436	msedge.exe	82
PID 2436 wrote to memory of 5084	2436	msedge.exe	82
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 320	2436	msedge.exe	86
PID 2436 wrote to memory of 540	2436	msedge.exe	87
PID 2436 wrote to memory of 540	2436	msedge.exe	87
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88
PID 2436 wrote to memory of 3392	2436	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/778517571808919565/1243615426152235119/Cobra_loader.rar?ex=66521e9e&is=6650cd1e&hm=8b1bc83aed9bd36d7d476586142ac81c48bb6dccaa2e2ad9de6d55873858cf49&
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8b8946f8,0x7ffc8b894708,0x7ffc8b894718
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1836 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7140 /prefetch:8
  2⤵
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7144 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6076
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,13760780624133410691,10081911077367833558,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:456

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\6b7c0f1b20924341b3c65091c9108425 /t 5040 /p 1324
1⤵
PID:1800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3664

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2288

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\90fcb81e4578408a845f123ff2494821 /t 4952 /p 2288
1⤵
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a70e222a0c518f857da6eaeff6a0330d

SHA1
00f494cd708d1a8dafc7f2a041a9029616a4413a

SHA256
4943a423d211caa229b27d4b235273630156571520dec078113b946e98056243

SHA512
1a3e1d95ccab09e586f1da8fbfafee4f9d4e1daa5d0e0d85089c38873de3c056c8a0107fa7405e8a7fb7762c78d8c49df159515387ecdc5fe9917caabd7269f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a87ab46310bb09a3ea57067f409997d8

SHA1
b820ceda36a93db63929822ee98f47eef8c3c353

SHA256
6a1730b9c678daab48ccd2c175a51eb673d747fca12c33f4f22b5f02859c9226

SHA512
3581cc1414f12251014cc877ac89186880b3ca507d0a6a70d0f19c2a5fcf284d0b4c8237b81e66b00efc4f51a873a5272ebaf91fbea23630ffc795dd7b6e095b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b9a3e10fcca168006b9c8f306c6dcdbc

SHA1
15cc0034d5995c109e3a1bdb633562a02fd9d8d5

SHA256
ba43f674995b83e781338881d4537b1553dbceff2434802c710b5492b13cf734

SHA512
df711869bc0f7bd6482d8ce02b941dbf7fee5536e3b630912eba1e47860899c81e7a92e759895c8247cf2c9577efb221a9436e1d4797b8f40b45b6adfda6e71d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d733509644d8ada0a87ddb1d22578af2

SHA1
e6cbf49c71f42363a6a4bfb470142b891c5d194d

SHA256
c6908717b62bdd8bc65e069d34aca0eec49ffe698559f80a3d4cd6f3daa650c4

SHA512
2798027941cde734f52be4488b073bab642671daba4e68546a1074cae720f7644535330744d879a75ca382c992f1b57332d5b68fcd0fd4fb562a749ae15c9c92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
03b1f2749ac01275d6c95238a4a8d708

SHA1
44edbb9aa80fa140db0f7df7f32f695413053122

SHA256
68660efe20de5d2ffd193a784d4b2c6b838465f2182f4c836878c18b25776d4d

SHA512
e862b700d0cf7cc2fefcd3cc4d62538a71fc348c38a6129e9e61104f7241dc7353465bee2d5a4fb448af0d395111bb23f481a0376def39f9c691e42ae2ec19b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
91e6c2688b073c2b82e022362508661a

SHA1
b93219c69b1066cbc9d147b597b23b95df6e1da8

SHA256
8fbd5c97ff9e81e3059096a4fe8c0cb034fab12db6031e0a12ec77b7917b53cd

SHA512
d77fcc3573dae2170d074cdde73e001972d88bbebb6369cbf452f74ca3c5ea618c3205e6d40a7f3c7cd95a90d6a3ca085d59f8a3ebd1f5f2765b052dde963426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fb419b9bcb7737cfb3c44a831865910a

SHA1
ded56f9f497bebc33629fdef9007fa83a6d0df65

SHA256
3ee20077bd677f3055e258a8775e61d2871191ff985b366989cfb265a43997ae

SHA512
e441c8e7219e95f8e2afec26a37d3caf90b9165c6e2f759294b88470dd087e3421431faa24cf63107d3f6c7ef539c318816bb5140063a741cc86a8700f12ae0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4a4c6a61fa89f877256aeb55471fec82

SHA1
ed3546388da696802227e98a3ba6201b9cb974cd

SHA256
a07e021bc320415bfdbc1c3e40bd55ee50b75ffe09493281dea6e342dadd8897

SHA512
cfb60ff9805d0a32bd23879d5818258b68ddb7ec3e45aec79daf8889c16d7689e7ac83923e14a0bfd9517448c7664141a27bcc2f4a51026d17368a0ed50dc50b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7720aedf75fe85de8b04e152dc581ee6

SHA1
8fc537db09d5074ca41c5b91eb60569f349f9ab4

SHA256
927f38b6cd97339b391747c90c70c0f29dd69dcddb3964a96d189950d3d760c9

SHA512
3dce330a92e8b5fb6b54be2a67adf57e855bf8d6d4ce8b5e2f8a43887c05c8b38685d42aaf731a6ea68fbb92942d03ac35c384ac5f0f0718098af62a7d40400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b0f1.TMP

Filesize
1KB

MD5
1d9a1792623afc5ff15bb5c849a471f6

SHA1
444abb67611492d2d06c5b28acfd9aa26047a374

SHA256
22db91bf045ee9f820a7aa8bfcbdff4ac4dbb00b50d60820e5b18d8e4420b672

SHA512
b52b3646c2ab30ccaff366acde11fc1de9ae68c2aed3d73df3520b88351193a3aebb53d5b93f8ea7d80d05db98193a6982bd65014bba8b9bfc5159e8314fa537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
aa37def7ad29c6527262d7776a0e2a9f

SHA1
08c4ff7a26d48aa9c33dc640578777d4419015c8

SHA256
be1f6692e22d4a01d26c26f8ddd86def5011f4155abd6ff0092cac700066d9d2

SHA512
eac08eeda61105a2b954f3c7603d98c3ca0f933eecc322fcd656ff187c4b8c977056b82f4976832973d07f649684b88639cd108c02bc738e727e1a78dadc810c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8eb9263f3fb39c0bf8147769cbc9c9ed

SHA1
f6cc4eb813975fe44df452686ede6404aaf6b1f4

SHA256
447cd7aa7775dfc1ba1dd8c235141f7de75884fba491ad899c2d55b85c0f58fe

SHA512
bc1db1fd1ca58e89f673565dea5cfb87f1790f7dd333db5de2847b1bab31b355d6e5fce38284275b45aa064c93314c6cbff46388f25abdf0d26b860e855ef4aa

Download Submit
C:\Users\Admin\Downloads\Cobra_loader.rar

Filesize
6.7MB

MD5
b539a1d5156ada8f1f6e5ad9930dfe35

SHA1
2357fe7a43b3ae44b21e25a232556c75cf48ce89

SHA256
8fd324094cf16794400d4f2c6d2493d5a1e825a23a16599d2c52822ba9b4d216

SHA512
a35ebebf6581e9745f4489a3a952373a061ae21a2cb5bfda631774ab8e248d98ffb8d0aad78c34547ce7db59083f2f562d35a43bf6d068146e7f0edce2c124d2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 402875.crdownload

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit