hxxps://gofile[.]io/d/hmYSyV

Analysis

max time kernel
150s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
25/05/2024, 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/hmYSyV

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2032	winrar-x64-701.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3001105534-2705918504-2956618779-1000\{BCF6D874-AEDD-48C4-A479-039B36E0BDCA}	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\virus.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 527900.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2368	msedge.exe
2368	msedge.exe
4560	msedge.exe
4560	msedge.exe
3132	msedge.exe
3132	msedge.exe
3872	msedge.exe
3872	msedge.exe
3156	identity_helper.exe
3156	identity_helper.exe
3276	msedge.exe
3276	msedge.exe
1992	msedge.exe
1992	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2148	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
4184	OpenWith.exe
4184	OpenWith.exe
4184	OpenWith.exe
4184	OpenWith.exe
4184	OpenWith.exe
2148	OpenWith.exe
2148	OpenWith.exe
2148	OpenWith.exe
2148	OpenWith.exe
2148	OpenWith.exe
2148	OpenWith.exe
2148	OpenWith.exe
2148	OpenWith.exe
2148	OpenWith.exe
2148	OpenWith.exe
2148	OpenWith.exe
2032	winrar-x64-701.exe
2032	winrar-x64-701.exe
2032	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 4736	4560	msedge.exe	80
PID 4560 wrote to memory of 4736	4560	msedge.exe	80
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 1960	4560	msedge.exe	81
PID 4560 wrote to memory of 2368	4560	msedge.exe	82
PID 4560 wrote to memory of 2368	4560	msedge.exe	82
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83
PID 4560 wrote to memory of 488	4560	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/hmYSyV
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffa8603cb8,0x7fffa8603cc8,0x7fffa8603cd8
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4424 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6332 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1992
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,15944762698944769348,10229967053225792243,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6596 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1664

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4184

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
390187670cb1e0eb022f4f7735263e82

SHA1
ea1401ccf6bf54e688a0dc9e6946eae7353b26f1

SHA256
3e6c56356d6509a3fd4b2403555be55e251f4a962379b29735c1203e57230947

SHA512
602f64d74096d4fb7a23b23374603246d42b17cc854835e3b2f4d464997b73f289a3b40eb690e3ee707829d4ff886865e982f72155d96be6bc00166f44878062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8294f1821fd3419c0a42b389d19ecfc6

SHA1
cd4982751377c2904a1d3c58e801fa013ea27533

SHA256
92a96c9309023c8b9e1396ff41f7d9d3ff8a3687972e76b9ebd70b04e3bf223a

SHA512
372d369f7ad1b0e07200d3aa6b2cfce5beafa7a97f63932d4c9b3b01a0e8b7eb39881867f87ded55a9973abea973b2d2c9b6fc4892f81cec644702b9edb1566d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\716806cc-ebe2-4375-85e7-2771ed428fdf.tmp

Filesize
1KB

MD5
361f581bede42261d1e7dac8768a154a

SHA1
474fc2abc9bd2aa0b0cd7931cb7b2fa0e2a481be

SHA256
37ba84a6e65f61d03331f45eabe3cf0f89944a31920380c2c4fbd4d19523cf70

SHA512
90b1daf358b4c4ade4b931b1af1cbd1be44b8b85643f23978621dc84271b6a73f56c40df9c404f8a9042b069c0d43d37210cd454cdee08d55f3f18e35cddc311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
40KB

MD5
3c2ac6ed09323fe172784cdec7f3d671

SHA1
79eb656ac99f1a2efa7fbf8e8923f84dd2b63355

SHA256
67d42a456baa3edbec1eb21c94f294c04a72bac350acfae80f4f2b65afe8bc5f

SHA512
ac95a571afa882744a42447e84c1ca5231303ba33700f63e99d58860e9635ddc861745678d5c74b137af3d50daf05ea710abe65b11ffba95e2b2f6aaafb65071

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
1.2MB

MD5
1f7c0a3a257e5f561b61cb6af85289a3

SHA1
7bfd5ea039ee0f291fa4e5ef23ad91d583e840d5

SHA256
d15d37dd6e8b273c4bc1e4d64b8d462f33af2fd58831ea3e28c1cb6fcdec8669

SHA512
64a0eaa739a6f7f6e5579975a1dacb1741fe8d2f106c08df6cc87fde0bdad59ee80dbc8f7ea38cc926b5a51e469e32cb11effc0cb1ef50475fbc7747d240a442

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1bdf7ed4c29c48f4864e6d0e39350767

SHA1
edd60003492221b0846105c007d8737ea3f6ed06

SHA256
528349610608e04f8cc6fcb0f65f2da4693a67401cc5032c6e5ccc40d5080d8f

SHA512
340e80ad161cb4fc3ffe282d6c93ebe3dcec96d4bde7422b9faca28487ad468b1e3830c0c5c9339b5669ad387008e3d41404eaceb1f0dc8735e34cedbb423ad5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
9df8db5ff6b9f855e1d22c75ec70437a

SHA1
062a6a0d2e3389220c84e46f1ab555e0f16d046e

SHA256
d8235d193fddf19f95c568bb6632ab5318f86cb3e7d722bebea33923a1596237

SHA512
13e40bd1aab211584e5615efb7f012624c3ab309069c761a596d0360440d997a7bb3a907f34d085b6df27c5a0ba6b568d46eaa581cb014c6a2584de275f2cee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ee9086a5a9e7e4c16b662e76ea767ac4

SHA1
01621793fbc3ea9e5f3b6cb1f23ea37ce1161ef7

SHA256
e31ee3ab69382e517d9a581c447e0c22a9c29366b5a22910cc7409938a7367ab

SHA512
2f3b971bf375aea264788307eff668445d75d878f8b9628f1862561d03747ec8aa9f7ae97121eef16b560a33d05324f5351f89e8cf6d620e9c2f5e999097fcf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
761B

MD5
c2335c00460696f6429cfa81bd3715a0

SHA1
fc1b55b698095cdb8e8812989e34584cee2af887

SHA256
9050c1e12fd8d215434f2bd0cf345d5807ba89f02098cfbe408b9d9dc343d942

SHA512
464ac8c95b18cb3bdeadffd04ef04abc1b5723cdade2b8a8ddc4bc0fe753aba5868cc2b6e8f49b3c268dbd336d8ce82316748d9dc8177ca6761c1f460d75f0bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
876ba60b96ecde733360d645aa60a132

SHA1
a638deccc11bf759448b73a309754d7abeba3bb2

SHA256
1a82f92902087b9e64d33b449c4bb0f47a9dc96fe5e3804bd72b5f82b6c97c28

SHA512
4b81a2182dff0cd18fcb131974da4711d8dbe02dbc91b00e01a1f6f5d051eb7d9cdc87e49588a2a221b5c7e94d9633416d4f6a01f3feb2ab053c399062175a57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
acc520571b4f25ba44ce3d5efe469789

SHA1
0b0b89eb3dd0e50fc5b270cfbed2a86faa8c26c0

SHA256
191d54e889b29a93e9d9c2c91c410c0cc4856799254e11e114bd9383d58eda0d

SHA512
0c8f1995ff98a42f6ca192ce1f20d1d8433b8b3be91dca1ee4e84384b9764b2392052c5521d7b90dbaff36be96a1f498f79bdb0ed9a2f6b5a03751eeb9beb7a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f63299d53b686d8c37b1ad65e1a4f2fb

SHA1
276203f5c4d6c2a8659acf6d943e7dbe82ecdb16

SHA256
3b22e0832d44d938b3376e6f4d8adf05ab7f1a561c8c3d3ce5ffe7e98b0c2e1e

SHA512
4ea329144c5c165552e82a3b4a96d39b1655d6fa9a455bf02ae4088860922da4e9f98c3568d152210765adfcb62bd19be07e17bdb6621331d36a146ceb3411ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
95011d64f66e46d28155744e1898f2ca

SHA1
4b28302a311583a47ecc2d51059b3768f2a29f9d

SHA256
c62746f93816767b11511e8395c46a4d293c96514be348c9be71eb2972e1ac6c

SHA512
90745b019475a4a98bd8abdb08289b660ea7587e1976efbd2a1939b6a5bd5424e2b82a162338b1486fe1c9a682046ba8468b2967b2e595f3d846e4587c3fa135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
22efb6674086366a4bef7a89dc28f51e

SHA1
69f4c1bf11eda9ad8f895458b523e703185c294c

SHA256
c0721ecfad97524e3468025303e6c8617757d18a3fdc3a931aa67b1b36bd5b75

SHA512
dd78c469b3126a7bf8ccc7c4d6d11969d1e6a4f4df3fc9af3d9750b35284c0551a90defd735488ef0faa4573fefbe6465c466c8992b7a34295df127a09533886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
920ab0ecb287560c0dae2b73c16373d1

SHA1
0d238db8c02606e5e8de50af00736016d8d8eb57

SHA256
81c3dbe8c050d40795e248d0504379e8c77801b60f27d19f6ebc424cf057d89d

SHA512
55bfb322bf7f815a2d58b59835e0742e5b67041a024ec3917b3e332e52997777bffe743cb215893a3dc0207638ed1098a758679bb189da56bc9b78c4c5fbe042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9b34aae334aba6de00913a92baba5d01

SHA1
607bbc21872d84c58bef53c2fe1d8748748c5291

SHA256
fb0c4ac6765f86917f7f280b04558ce8ebf7f9bec6f19af312c1ffb940082f8a

SHA512
4e851108b29f0b22d752ec4e9d0a5e28c3a457bd3e994b230050587579e850123c9f4260947ab7e752f58b534b78913add0e309cdf28c1bf96e1c3ef96e5b899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
20ddacbf214be2b8565f5349b8bcf587

SHA1
3db171bdc71f9a10383925c211587c1f52b8943c

SHA256
fcd8fd5c2436de5293fc4d317923817cac91a1ada7d0e08b5ae12786d85e6600

SHA512
5f3da1e1463ed3d0e4d069fa0c6392446b92617ec7e17e8ec2851d60714e438fc9a2b70b63918d3942853899f41a4e9e395f63e49e3a275c3bf74af82f745364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57de98.TMP

Filesize
370B

MD5
ed1544145b1ca4a836d029daf5dca8a3

SHA1
1a4d27f858ad4bded6e3519ca21da5543198591b

SHA256
a0d3b2d153daa7debf30139a0922aebd0d3c94d89ff20328f90883906552e60e

SHA512
d9e8d1ad23de8e9e61462f1cd10ddb98c08588c367689f4e223d98ab43a3797022f2b43a9772718cb6b6e8a1a9838b9ebe08eb722b089d25d24b6790b8ddac70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
92a14c7bceb1f2f7c0a3a8145dbcc803

SHA1
0a32443576af5fbc080792fd81c2c26afbbd8eb5

SHA256
0a8c3a168f53b0068cc8e9bd66ee0c96407a0faa652e52153bd544be4f9f607e

SHA512
855bb5758fcf91b1d2aae653694ea5c59b87b7d0bf4c7ed7c3cbbce239becce9d597f2934ed8c48b9337b99587e38f2043eec747613971fba1ac30c9208b1b85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e104d87a60ee25473d9a68398253ba0e

SHA1
6512ba35e58b6b698bcd6126e4e63fa9f61fc32c

SHA256
d17c5f187fb696e879c2b5a04dcd85c7a3d79bc62019507f4935bf283f31765d

SHA512
4920b644ddbcf93b287efd0c50fcc16ed112c51ac7f61af81ac0dcdaa1569483f9369300d9bb010fe5fb6750ce21adc8fafa29ea0b7c19340b5615d51535cba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3fa456cd306d682f6a41aa7339ad62ec

SHA1
752531976c21b0b276a27f64a298331cf0395469

SHA256
45a805d7cb34796be114565442a785e8acc8ec7695bc7f43f97abce83baf6ce6

SHA512
58d524194fc72b9cc2d9c4aedfe142594158a52d1ca7b82547d27df2cd8bbadeabd98d49eb66f91ce38eee811d158e846e4178bcaa2d5ab9b0eab454d4b36937

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 527900.crdownload

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
C:\Users\Admin\Downloads\virus.rar

Filesize
2.1MB

MD5
902f2e724b3976b5ed786eac027854af

SHA1
c34b731fdd72c9adc22f0e2c33fcf868adbaf2d1

SHA256
756ca5eff4ddb4d5eca111e88703484ee54bdb716f28368f860a9dd6964d6a4b

SHA512
ce5196a6095fd4fd836775160370d34297806f48e4cfd3b4a0ccf83e5430bb1e448acd3a7322d279589e12aa9f347db7c5681a39f91a31574a9a0eaab8c4b091

Download Submit
C:\Users\Admin\Downloads\virus.rar:Zone.Identifier

Filesize
58B

MD5
f328e184c322cba91dc3c014fe2ef3e9

SHA1
2aab1f0a70009051dcc87350e0f3b079da02fbb2

SHA256
fe25e31061b432c3a3fdd8f797c6dadad253e83dfb305ee997a7302cd70b618d

SHA512
e59501b550ea64155d134ae832812004ec298a44519eb03183542599174b7691be3225f6fa5064d45ed7ec81f0a93721eb8f401d7e2a49c4b91a70ded006c97e

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit