hxxps://drive[.]usercontent[.]google[.]com/uc?id=10GWBP6mU64L_SJY3GEs7Jp5tmCK99HM9&export=download

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
03/06/2024, 03:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://drive.usercontent.google.com/uc?id=10GWBP6mU64L_SJY3GEs7Jp5tmCK99HM9&export=download

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3692	winrar-x64-701.exe
2132	winrar-x64-701.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3938118698-2964058152-2337880935-1000\{79C7C1B6-348D-497B-ABF7-B5A1034AF02F}	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ver3_appfile.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 131693.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1132	msedge.exe
1132	msedge.exe
3260	msedge.exe
3260	msedge.exe
1804	identity_helper.exe
1804	identity_helper.exe
4120	msedge.exe
4120	msedge.exe
2928	msedge.exe
2928	msedge.exe
772	msedge.exe
772	msedge.exe
2800	msedge.exe
2800	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1440	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
3692	winrar-x64-701.exe
3692	winrar-x64-701.exe
3692	winrar-x64-701.exe
2132	winrar-x64-701.exe
2132	winrar-x64-701.exe
2132	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 4892	3260	msedge.exe	76
PID 3260 wrote to memory of 4892	3260	msedge.exe	76
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 2352	3260	msedge.exe	77
PID 3260 wrote to memory of 1132	3260	msedge.exe	78
PID 3260 wrote to memory of 1132	3260	msedge.exe	78
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79
PID 3260 wrote to memory of 3592	3260	msedge.exe	79

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.usercontent.google.com/uc?id=10GWBP6mU64L_SJY3GEs7Jp5tmCK99HM9&export=download
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xb8,0x10c,0x7ffffc8c3cb8,0x7ffffc8c3cc8,0x7ffffc8c3cd8
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1696 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1700 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1736 /prefetch:8
  2⤵
  PID:256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6056 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3692
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,13356769957560102326,3256782099121489703,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4788 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2648

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1440

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\6763fbfcd445445c945eedda7bdb5a24 /t 716 /p 3692
1⤵
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
046d49efac191159051a8b2dea884f79

SHA1
d0cf8dc3bc6a23bf2395940cefcaad1565234a3a

SHA256
00dfb1705076450a45319666801a3a7032fc672675343434cb3d68baccb8e1f7

SHA512
46961e0f0e4d7f82b4417e4aac4434e86f2130e92b492b53a194255bd3bba0855069524cd645f910754d4d2dbf3f1dc467bcc997f01dc6b1d8d6028e2d957236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d22039bc7833a3a27231b8eb834f70

SHA1
79c4290a2894b0e973d3c4b297fad74ef45607bb

SHA256
402defe561006133623c2a4791b2baf90b92d5708151c2bcac6d02d2771cd3d6

SHA512
c69ee22d8c52a61e59969aa757d58ab4f32492854fc7116975efc7c6174f5d998cc236bbf15bce330d81e39a026b18e29683b6d69c93d21fea6d14e21460a0a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
bed2f3b0729f3636f5545e02fb49ebe1

SHA1
b6435a2058e6f11d96bd19c4ccc224ac8e7dd9ac

SHA256
ce285b461ed520c8f6063a3eccd7c554d18ab2f48b01498a80bd84c4494eb6c3

SHA512
7e85d23241faaa376ef0cd92010e7e9bb229467cfe1b26a7e51254035a625df6dc6559b4a399a299a4b3d25d6837344886eaa5b4965df7cd519b0125dbc6a624

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
935c6e0e50f1e1959410abf3b09484e7

SHA1
e7df0f1e58834360b6cc668aceb57bb83c4659d3

SHA256
8aea0a05812a3b648325b65c80afbbef45c336def9d9f0c73bfe5d95e71cbc53

SHA512
cb889ac80f4f7a465c38426cefed29ab94a1cb16bf9071eededcd93ae085a758ecb8bc4cd363254c3cf5115ba6b76da4c543b152be36192f7901098de7918547

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
20ca12c16b0487b230ce4dfd5e0c04a9

SHA1
5eb8d529843dce426898553e65319f7d77eb42b6

SHA256
4d3ff9e079c51ea3ba4a57a8e8c7945723280886b3ca1cd9f631ceb2701b1db1

SHA512
f4650272bf99b2ccd269f234f46db52342dc7a6525ec62ba5f8ed7c783fe83a32af0e5cc15f97e044c7dae4973f349b0a2f1f480e80d79e318e07e160d90271a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
32f9ff7c88108721e6b9964181594234

SHA1
655a17eafcd0b22168dc8dc20094160a0c07c687

SHA256
781b193bfd7d6773171175d0d06c8d3af99af0fe781089b8a0f3e60e6dd13296

SHA512
c2c94018172b2c80d26802c70262fba6c527206bf3e2c5ea87e7f7258784cd8e779e9f80b4e9a5d1902f8037358467fb41e3d22fca71098043b500bf5ceb8b0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
faf07c8ff98c081948a838b7bb48e867

SHA1
6264586efa570501323dece517b5685546ca4e66

SHA256
3f42d142ddedc02510dabb2188d48397619d6ecc12f56524dc20042e8ed8d6bf

SHA512
5a98ebb3244af0f63c243c106bd40285d62ce3a65a5e9b79c7b178b9ce9b4f133ee9f71d3c6e14a3caeffb125aa3162153b35378e69dba1b5156a11156e18f79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
85853e83d2a8e180f6dcc8edc21dc255

SHA1
56658adec7a9b3a7736cb5667cb58062bd72ef73

SHA256
8a4a67d1d854c516805bc586e4e98f9f7f8f3d5f76cf7fd2fa5a4dd46247106d

SHA512
2338c3a7f6fe45fd81f30c9bb73c8a24ac3ac46ca38a25a40076c11fbae22956ef3f5482cae6fd3f63f31ba209042cab85ddca75892d9aa25dfd4ce37bbfa5f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
c5796dad4a947658b81d683489f6df99

SHA1
8a4ca87e10d63ac1929dbe4066d57d391564be31

SHA256
8756a8528e0fca45c0496ebb9527c6298aa91994e1958f2cac0b3dff0e30b0e0

SHA512
79e279ad6f999a17751562b2811ecfab11003210b3344ea17e666c0c3c653fba0c9c62ed8a4b19e8b0a230d3cfb8ed3b23fa753998b02527a29f77066fa802cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5813f0.TMP

Filesize
705B

MD5
7ccfa8f7b6fcd3f08109c625ce4bbd84

SHA1
645acefbffabc65fe64121695300da6aa874addc

SHA256
25081ad78fdd6a84ef4abf453db383d987b5b1394600192d0775b5715f49b2df

SHA512
f3f7cbcc9b774ea211dbe08424244d25a85c8164e86844f59512ac2c60a69cbacb07a89de35c01249a5f7591129af8a2c89ef608d3780fcdae4617afc57cbb9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1dc9046cebaf9ac59358826492de1140

SHA1
5a10bac5161247ccca2eea55f1b2d9d264497b09

SHA256
1c39dfc7a8df97aad07dfcbd07f421ded30388a7ae36bc2ae4ed1f7699238b1c

SHA512
f177e918faf28854491cb3cdbd01c8008ae0d3b5af5fa6c5e6f868e4a3484f1a9d60ab5e258f0d8428575619a5ec802b610bf561916d93c4a9bd3735cce23317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0688f16d15db66fa6df7008f66401e9d

SHA1
95a7747b7373c2435e3651db06ca28c4545b6b76

SHA256
08cdb8d2040230488c40a3ad10f8dfd46515693cda617d88cb5040afaf53fba0

SHA512
685048a0b3176b414ce91d60edf0f25ec9a18817ce7f647c523212720177bb31ac177e673a74fc3431f6395e1c791ced20e1863c14abb3880b72d6a03e074943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\cd82a763-f06c-4d34-bc56-f19bf01c4a09.tmp

Filesize
11KB

MD5
3d2f1a7fbc4f0e9ae54016f69a59177d

SHA1
aa4bd8dd571afbf64ccf7fb952f78042682e46b3

SHA256
7e1bcc57b6165de4744d29fa9482c14b0b546a7bbc96300781565775d62778ad

SHA512
f378497bb07640bb864e676a372ba0a796dbd62612523819e688846794c04ae5ed7309e4710f45e3d6b6ef71ecaafd7ed602c3f2682508e737637d9f2bc9f40a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
ab1d70456850e87a7cb25dba0bb49e3f

SHA1
18f485d9f6402e0ee741adf2528d16915705aeb4

SHA256
002c89db19c9bb22d1eb2145d6e7439a43d3df75743f65eee4ad5a8874050de1

SHA512
f010913f3619fd642ee67a3dd2c3a5cee1b85db4e7997b6a2f24cf875f8cd1645e0ebf791b41b56677bb157718e5c8b6a9d9a9d1b6c221539cdf9f21a9fd7590

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 924694.crdownload

Filesize
6.9MB

MD5
70a4b0088163ebb0805eeff9bc766658

SHA1
746e8f51637b5861858ef453de04964b4eb23246

SHA256
5104e10875fb2a5e76fff9e552e9007d7be2049546dc8ce7443e2c62de4981ae

SHA512
a0c8be17811298ddb333d4f030b8dc6a12de7f24893d94cacfaac68324baeb68a8e75874ead938ff4dedb6b2ff9b01b85168b005475c5bc87bb4ec4bdb630b28

Download Submit
C:\Users\Admin\Downloads\ver3_appfile.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit