hxxps://f94[.]workupload[.]com/download/dBhgb9rxtnw

Analysis

max time kernel
114s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
21/07/2024, 06:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://f94.workupload.com/download/dBhgb9rxtnw

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Applications\7zFM.exe\shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000e958b1881000372d5a6970003c0009000400efbee958b188e958b1882e0000005af600000000190000000000000000000000000000003104680037002d005a0069007000000014000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c00310000000000e958078d110050524f4752417e310000740009000400efbec5525961e958078d2e0000003f0000000000010000000000000000004a000000000075f5c300500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Applications\7zFM.exe\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Applications\7zFM.exe	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Key created	\Registry\User\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\NotificationData	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Applications	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Applications\7zFM.exe\shell\open	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WaveCrack.rar:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2960	msedge.exe
2960	msedge.exe
5052	msedge.exe
5052	msedge.exe
3156	identity_helper.exe
3156	identity_helper.exe
4024	msedge.exe
4024	msedge.exe
1708	msedge.exe
1708	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4136	OpenWith.exe
32	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	32	7zFM.exe
Token: 35	32	7zFM.exe
Token: SeSecurityPrivilege	32	7zFM.exe
Token: SeSecurityPrivilege	32	7zFM.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe
4136	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 2216	5052	msedge.exe	78
PID 5052 wrote to memory of 2216	5052	msedge.exe	78
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 3904	5052	msedge.exe	79
PID 5052 wrote to memory of 2960	5052	msedge.exe	80
PID 5052 wrote to memory of 2960	5052	msedge.exe	80
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81
PID 5052 wrote to memory of 4784	5052	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://f94.workupload.com/download/dBhgb9rxtnw
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc23e93cb8,0x7ffc23e93cc8,0x7ffc23e93cd8
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16130888461660261019,8478104650537291229,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,16130888461660261019,8478104650537291229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,16130888461660261019,8478104650537291229,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16130888461660261019,8478104650537291229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16130888461660261019,8478104650537291229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16130888461660261019,8478104650537291229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16130888461660261019,8478104650537291229,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,16130888461660261019,8478104650537291229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16130888461660261019,8478104650537291229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16130888461660261019,8478104650537291229,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,16130888461660261019,8478104650537291229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16130888461660261019,8478104650537291229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,16130888461660261019,8478104650537291229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4680

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4136
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\WaveCrack.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:32

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d33f465a73554cd1c183cbcd0a28a2

SHA1
f5c16fc4edff600cb307f762d950500aa29a1e8b

SHA256
22d8c228cdcfd3e05431d7377748014035a3488ad3a0d4aecc334e724245a1f9

SHA512
7cc94f77f3943143ee86eabbfddcb110ce52c6ff0975842e3a3d06072f51f2c48914ee61f24484a539888ad19a7e6a1becfb029485cd5984bc736434a63cee95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
575466f58c7d9d3224035d23f102d140

SHA1
2fce4082fa83534b3ddc91e42fb242baee4afa1c

SHA256
9da0e657652daa1ef86af7c3db62b0af9cce372a5f765c98c68479922ccf1923

SHA512
06503e718fe967076dd8a061b57debdc663b9616b005f8567099a84fc7184880633079335d622c243918efc3356b40e683708fb0583084abeed7db6168a212ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
8bad6916ebc17f79de174f2410781ed0

SHA1
6b6760e99e97767669ba73ef7a4a758e975ecf6e

SHA256
679f56378ddc91871bce50ce8d5c764b441c908a976b4311402e2248da535fd0

SHA512
7ff04c50b92d3ca05cbb4c35b2cf3416ecc27f3abad6d66527da69e7a2aaf2143732e7e1bb19d8b97e642e17ebe2f845bbfd56e4fe6613fa57c910adb8c726db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5e763da4acbefb1176f7c591029af34d

SHA1
08affcccb000bd01239ee47b85d811ccf8d2584c

SHA256
a80f099f0923514aec7358a29f5ac9093471f0670901228b596ed735e5fb5c64

SHA512
f1ad448cd3c6f966118829b15834d45752293c1e2262876984b79234e898743c125b6285dca0dbb01046670e0d7b74290d6813e5844fad7fa59e1c9e3eea4cd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
864c5058194baa3d421b7af1e3b08932

SHA1
14e8ed9c9a8c84bbf4e0dbe0f53ec2ab71d56383

SHA256
67737dbb61fa28bf53a3ef2c55274e4b3bf3d68b04386b5d90dd950fbc0aa5a3

SHA512
fa64df6677cbbe1e339a9b3f5cca8c00c50fd33401c9ca6c87284710910be013150454551f49f927bae130d4d703c2bc4e94f134166de9b5b22bbedb3fbd914d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c265910fdca6b39552de3a99e1bd560a

SHA1
ea65f139a0c4bf6f43f2d2c31bb0df13f82e0744

SHA256
f6bc9aa78be38428edf5a770ba75af69811b78d5d21ffe60752c25ff0ef5daaa

SHA512
b35921f3e1ecdc6aaacd885ddfc4e7cf60b39cc1df6359035ff634412a8836ddf820d28da58c8ba04f80a00595875bd9c01ce0d31c3ed445936152f3b6d2651e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6ae81359b8e1cd4336df363e2c063e5f

SHA1
845f8c0a4b66b7d3a81247b5d0e2da5d58fd56b1

SHA256
6c3a4364e950bd952ddee852665214b5128dbba1e921aa1f751e82257397bb0e

SHA512
aa0ca843373b4d1024c1ba706c417f44644cb3af3695a6b1c43cd2964eb80069c3da62b581142349c9976c010d9172199d1ab0d06e2269d1ff795ed6d117d531

Download Submit
C:\Users\Admin\Downloads\WaveCrack.rar

Filesize
517KB

MD5
a8a6cf33d26a788e9bdddc0248ee7604

SHA1
3a0a7a1ef31d86522915e596c4abdbbcf402f97d

SHA256
ca0fa1aa3f3b10084ceedc5038bb32d9a0f7730be3d82a61d24b8efb5eed0381

SHA512
14eb43e1da8d22e8d45804e3723f29b180d9560acd25a9f8c06ec1a6b897b21492e3f9dd2d46408ba3cb30a649416541c2a1de441df3855ff8fe4335b9412700

Download Submit
C:\Users\Admin\Downloads\WaveCrack.rar:Zone.Identifier

Filesize
120B

MD5
0591906b44ccc8f0b475142ac737da5e

SHA1
b72cf58316e03eddc4adcb80c1b45db930ac8774

SHA256
646ba4ae281ee480a4c25c8eb3a01b1212f6a726f467fb271c1542c70230a8de

SHA512
ae4c3dbd9abb67cf81eece7e89a3b261d21b43d8d7b7b674f1b5e5d131fc4e479f76419e2689cbeda1a6756de5462dd12bb8f922c46176759fc451880df10015

Download Submit