Analysis

max time kernel: 314s
max time network: 315s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 17:51
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://2171327227-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fx6iuCFufBANQ4p57bb5o%2Fuploads%2FRpH0JMwRRCpWNsWwyUl0%2Fallwin%20menu%20v2.rar?alt=media&token=f1919cdb-fd2e-40a8-9a86-c609ccbf7e0e
Resource: win10v2004-20240611-en

General

Target: https://2171327227-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fx6iuCFufBANQ4p57bb5o%2Fuploads%2FRpH0JMwRRCpWNsWwyUl0%2Fallwin%20menu%20v2.rar?alt=media&token=f1919cdb-fd2e-40a8-9a86-c609ccbf7e0e

Malware Config

Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (allwin v2.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (allwin v2.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (allwin v2.exe)

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (allwin v2.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (allwin v2.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (allwin v2.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (allwin v2.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (allwin v2.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (allwin v2.exe)

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation (7zFM.exe)

Executes dropped EXE 7 IoCs
Processes:
- PID 4412 winrar-x64-701.exe
- PID 3720 winrar-x64-701.exe
- PID 536 7z2406-x64.exe
- PID 4488 7zFM.exe
- PID 3580 allwin v2.exe
- PID 1796 allwin v2.exe
- PID 3352 allwin v2.exe

Loads dropped DLL 4 IoCs
Processes:
- PID 3432
- PID 3432
- PID 4488 7zFM.exe
- PID 3432

Registers COM server for autorun 1 TTPs 3 IoCs
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 (7z2406-x64.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" (7z2406-x64.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" (7z2406-x64.exe)
YARA rule matches (themida)
Resources:
- C:\Users\Admin\AppData\Local\Temp\7zO881B9C0B\allwin v2.exe: themida
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (allwin v2.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (allwin v2.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (allwin v2.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies registry class 24 IoCs
NTFS ADS 2 IoCs
Processes:
- File opened for modification C:\Users\Admin\Downloads\Unconfirmed 79040.crdownload:SmartScreen (msedge.exe)
- File opened for modification C:\Users\Admin\Downloads\Unconfirmed 323272.crdownload:SmartScreen (msedge.exe)
Suspicious behavior: EnumeratesProcesses 52 IoCs
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
- PID 4548 OpenWith.exe
- PID 220 OpenWith.exe
- PID 4488 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
- Token: SeRestorePrivilege (PID 4488 7zFM.exe)
- Token: 35 (PID 4488 7zFM.exe)
- Token: SeSecurityPrivilege (PID 4488 7zFM.exe)
- Token: SeSecurityPrivilege (PID 4488 7zFM.exe)
Suspicious use of FindShellTrayWindow 62 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://2171327227-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fx6iuCFufBANQ4p57bb5o%2Fuploads%2FRpH0JMwRRCpWNsWwyUl0%2Fallwin%20menu%20v2.rar?alt=media&token=f1919cdb-fd2e-40a8-9a86-c609ccbf7e0e
  PID: 4640
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcbab846f8,0x7ffcbab84708,0x7ffcbab84718
    PID: 3492
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    PID: 2812
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    PID: 4380
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
    PID: 3308
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    PID: 5052
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    PID: 2220
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
    PID: 5008
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
    PID: 3620
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
    PID: 3664
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
    PID: 448
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3224 /prefetch:8
    PID: 4292
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
    PID: 4300
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
    PID: 4076
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
    PID: 4608
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
    PID: 3476
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
    PID: 4660
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
    PID: 4968
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4752 /prefetch:8
    PID: 4480
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6344 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2740 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:12⤵PID:2984
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:12⤵PID:1844
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:12⤵PID:3320
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:12⤵PID:4992
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4768 /prefetch:82⤵PID:1708
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6728 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4060 -
C:\Users\Admin\Downloads\winrar-x64-701.exe"C:\Users\Admin\Downloads\winrar-x64-701.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4412 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4260 -
C:\Users\Admin\Downloads\winrar-x64-701.exe"C:\Users\Admin\Downloads\winrar-x64-701.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3720 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:12⤵PID:3360
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1956 /prefetch:12⤵PID:1412
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:12⤵PID:5068
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:12⤵PID:1728
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:12⤵PID:3680
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:12⤵PID:4464
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1296 /prefetch:12⤵PID:1612
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:12⤵PID:868
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6148 /prefetch:82⤵PID:4648
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,10856265890746264696,8292028114939263350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7076 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3404 -
C:\Users\Admin\Downloads\7z2406-x64.exe"C:\Users\Admin\Downloads\7z2406-x64.exe"2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:536
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2736
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4772
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4548
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\d1fc621b090d4b85b02a244b96a2a24c /t 2760 /p 44121⤵PID:3380
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1540
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:220
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\allwin menu v2.rar"1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4488 -
C:\Users\Admin\AppData\Local\Temp\7zO881B9C0B\allwin v2.exe"C:\Users\Admin\AppData\Local\Temp\7zO881B9C0B\allwin v2.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3580
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\3ff8d1de579c450c938df1980328c7c9 /t 2776 /p 37201⤵PID:2864
-
C:\Users\Admin\Desktop\allwin v2.exe"C:\Users\Admin\Desktop\allwin v2.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1796
-
C:\Users\Admin\Desktop\allwin v2.exe"C:\Users\Admin\Desktop\allwin v2.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3352
Network
MITRE ATT&CK Enterprise v15
Downloads