hxxps://cdn[.]discordapp[.]com/attachments/1259612319319719976/1259614307432402984/unpacker[.]rar?ex=668c52bd&is=668b013d&hm=ece9bf2ebbda1c0fd5cc78e0ba120be498031806cbfa94a80bf033ed4703dfd5&

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1259612319319719976/1259614307432402984/unpacker.rar?ex=668c52bd&is=668b013d&hm=ece9bf2ebbda1c0fd5cc78e0ba120be498031806cbfa94a80bf033ed4703dfd5&

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
5088	winrar-x64-701.exe
3804	winrar-x64-701.exe
1840	winrar-x64-701.exe
5588	winrar-x64-701.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1015551233-1106003478-1645743776-1000\{8A37259C-370F-4791-B767-D45676BF9D48}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 799339.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3320	msedge.exe
3320	msedge.exe
3896	msedge.exe
3896	msedge.exe
532	identity_helper.exe
532	identity_helper.exe
1052	msedge.exe
1052	msedge.exe
744	msedge.exe
744	msedge.exe
4628	msedge.exe
4628	msedge.exe
6104	msedge.exe
6104	msedge.exe
6104	msedge.exe
6104	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
5088	winrar-x64-701.exe
3804	winrar-x64-701.exe
1840	winrar-x64-701.exe
3804	winrar-x64-701.exe
3804	winrar-x64-701.exe
1840	winrar-x64-701.exe
1840	winrar-x64-701.exe
5088	winrar-x64-701.exe
5088	winrar-x64-701.exe
5588	winrar-x64-701.exe
5588	winrar-x64-701.exe
5588	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 4680	3896	msedge.exe	82
PID 3896 wrote to memory of 4680	3896	msedge.exe	82
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 4564	3896	msedge.exe	84
PID 3896 wrote to memory of 3320	3896	msedge.exe	85
PID 3896 wrote to memory of 3320	3896	msedge.exe	85
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86
PID 3896 wrote to memory of 2876	3896	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1259612319319719976/1259614307432402984/unpacker.rar?ex=668c52bd&is=668b013d&hm=ece9bf2ebbda1c0fd5cc78e0ba120be498031806cbfa94a80bf033ed4703dfd5&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd0df46f8,0x7fffd0df4708,0x7fffd0df4718
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3456 /prefetch:8
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6492 /prefetch:8
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4628
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5088
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3804
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1840
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1094188909945247915,2214747529075783757,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4940 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2120

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv RedaXyMtMEOWbBKIo4ZXUA.0.1
1⤵
PID:2852

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\139c42f54f0648d6a164ba92b43b8c0e /t 1876 /p 1840
1⤵
PID:5428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e81c757cdb64c4fd5c91e6ade1a16308

SHA1
19dc7ff5e8551a2b08874131d962b697bb84ad9b

SHA256
82141d451d07bdb68991f33c59129214dd6d3d10158aeb7a1dc81efbc5fb12b3

SHA512
ba8de0b3b04fec5a96d361459dde0941b1b70f5be231fdec94806efa3ecf1e8faf8e27b1800fa606dc4a82e29d4cf5109b94109e5ad242ddf9f4671e2acbcfbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2e57ec8bd99545e47a55d581964d0549

SHA1
bd7055ea7df7696298a94dedfc91136e3b530db8

SHA256
a50ba35608edc2f3360cc71be0d4b29bba0e3382d1f08f24df5322ce2ad2443c

SHA512
6b9b73d983c472149629c842e16e4f7c2f8a0a3bb6dd64837ef647db810ef1beb3a02b15dc1eec2c5de8aee6b3ca195c7d26c432705061c5b0ec7841a5bbf106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
33a6c7b0f883948713a8b3600341f8b4

SHA1
1def525df7f5c867a9fec030c7a4bcac9730b4bd

SHA256
d696ac9d7324fdef0a98460aa15e20427d353feb314b76280d850f4d7c6017e8

SHA512
cc7d5e3b0c1cceea6644ae99a0d9359b49970ebb0a4de973ae0da8bd5a89dd89f2c772d76df73d2f1adf5c28e50b84e24bff031c7814386d2e3c84c207cf1449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
558B

MD5
10fcba7187b05ff52a983ed28b54c632

SHA1
d382950f0e50347b0241e8752baa60d1d19b4da7

SHA256
1e9335b49ad2e9b15ca12c2ad56f6501b97c9edb8f3f31b13bed38c8db65a80b

SHA512
9c7e41bd3917d911a680b998c03d7daa9e11621690475aa2a2844658cde013f204fc90918b0d75f63436e6e332b96bd5260a84d615eb9d3f9b88f8aabf24edf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
601b6e48b054e11a826d7d7de2a75151

SHA1
7de083348063b3e014c7aaeaa63c88ff66f6c5f3

SHA256
96ebd9943d5187645d0885c0205cf732cdb3dcac44c0cbb725a3b60114e7f87b

SHA512
a9d6e6cfa1955f5abc3260d61edcb3f2301f970e31e609c63a27afc97be6132e63df8d5362363138a8afc4dc51ae202d1528f3e701cac19646cbadbb4f0d77d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ed869945afc426b0b6d7b55f4bdc7c21

SHA1
32f39c8ad632750ac9d078e1057bf3b5cbbcfd13

SHA256
c1fc7a31468a62ab0adce70895f77592ec40e487372f317ba4191b6d1d692294

SHA512
c1477390dd3531083fe7ae26035fdc33e2172522214cb5a63c72bfcdc36da27d956bf8f657e05954a9da648d9a7a9b50055648124ff3e151bf082474c1506a49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ba71ec3987278f7cdc62c72b185604da

SHA1
7bff25e6aeefe7d42a7eafe18020f23d299ea3e9

SHA256
97f59d764b09140a38c7c8bbafbc721005037d77bf3007522e430b6d5808f042

SHA512
149157f193feed081348f28eb0fef397b69acb6184a265e244315fdbf6b925153f7d4391f591f020c7f1180e0544d36533debbee0674aa82814610212a5e9abd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
ed87fed15abe2841d65aff62a0b85c63

SHA1
19a594f34aeaf742f3006813ec90bfd2b9c59d8d

SHA256
154075ab38ffadf487244ec5668173718125cd275e5b33125573ab0cbf5df900

SHA512
a62efd944d157b864f1a7281ce452cb4ff1b8fdd739a63d4480b73b95cad033f2ee1c34225580aaa6dc65d515d22103eb84539a92b505a62242e6aea83a62124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f9c1.TMP

Filesize
535B

MD5
12c7e22504ebadbb78477da838c89331

SHA1
6bdf7d7a6ae4428c2e05b3d3da90b6b18266287b

SHA256
b84a93141656118feac2790c4c47288e85badeaeba2961d2379aa3bddbb9ab4c

SHA512
4d6db44eb25616695ea867700524afff96949dcc796eed4f684d11126eae5b2e8047e2b31843dfed96e477dc7baf788a15e6695f08e78b8aa5d2745a7cca209b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1426a11ba0085fa9d84eadb47f7dfa5f

SHA1
fc98e576186b834aff7d00e5c1a46f6b936edfa8

SHA256
3c8f37fa575e2c8ed6e4d108015a43919ba2d9d38e7880911c8e22cd38c4b247

SHA512
ed4bc4519907af3a4c2081fee3a28ad589858004218a4df113cdb508feb29ca10aaaf8e6adebe226aa8e6c62597a9489220446e22b1406816d9e9ceb5ffe61cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
22d07684f5e3bb62b74067669ebdbfca

SHA1
9caed03d039ed0a4442dd6ab8dcb44ba1d7dd4e1

SHA256
996dbd29d8592757c787d7810ef618cda41491d45b472d638d680ca0169e59c3

SHA512
9d6e0c4c5d286386ee3a87ca09b12692a2f1f056dda4847917357a23fe3238df9040033c57dfd008b58817053f511194f9eed70e2f8d91ee4313817273497a0b

Download Submit
C:\Users\Admin\Downloads\unpacker.rar

Filesize
6.7MB

MD5
8907e0d97f03892416e9341a958351e3

SHA1
f74062652ef6cc7e5ae7fd45e0f05fabc620d1cc

SHA256
d7129a7044f200ddc3f85f9d8d5910d41d67639ed1fb3e0168dc141d21fe7001

SHA512
d74071d7a7cf2874770cdc9161c95635e3708e48d6f0ba8d774024d588d0ae83068a9d5c7377ae6963b08fbbb01f105fe0ccefe16051153ced76fa16369c7e2a

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit