hxxp://whitegames[.]pro

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://whitegames.pro

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4064	winrar-x64-701.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
22	drive.google.com
66	drive.google.com
67	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-464762018-485119342-1613148473-1000\{48A01C17-AA21-4FC2-B646-D4F76620E138}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 845457.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3504	msedge.exe
3504	msedge.exe
3264	msedge.exe
3264	msedge.exe
692	identity_helper.exe
692	identity_helper.exe
5940	msedge.exe
5940	msedge.exe
6112	msedge.exe
6112	msedge.exe
4280	msedge.exe
4280	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4064	winrar-x64-701.exe
4064	winrar-x64-701.exe
4064	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 3512	3264	msedge.exe	86
PID 3264 wrote to memory of 3512	3264	msedge.exe	86
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3624	3264	msedge.exe	87
PID 3264 wrote to memory of 3504	3264	msedge.exe	88
PID 3264 wrote to memory of 3504	3264	msedge.exe	88
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89
PID 3264 wrote to memory of 3356	3264	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://whitegames.pro
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce23046f8,0x7ffce2304708,0x7ffce2304718
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7312 /prefetch:8
  2⤵
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4280
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,1888678289949087213,13098779357390475133,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5024 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4564

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
04b60a51907d399f3685e03094b603cb

SHA1
228d18888782f4e66ca207c1a073560e0a4cc6e7

SHA256
87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

SHA512
2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
882dea7fbaaae044f109acc73e2a034d

SHA1
cedaf1db2ddad5474803e069cba1fcef22a91083

SHA256
41f6fc62c443681780e6ec5cd007b1a8efd502801a0e1c2cc534ce5a1dd1a3f5

SHA512
21c769f5f0d32e91ad84bd560fe54283461885e6c1d246eaf9b2bf01f62034c3bdc9a7079ab86441f95b3a4c70389aeaea472f4af3127ce8804deae5bbb3f3b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
d6210dddb81d6035b3cca631d4e8f762

SHA1
08068ccd26cd2146191e9cb56c0ec61f97ae8523

SHA256
a564d3b2cfd0aa4cbc3fdea96be830d4f3e7692f21f994fe487497e39892f77b

SHA512
16fb4a921ef2b4636c019b20e655710999c29cffaeebee812a9420b0b5f0a7fcb59565d498106a8318810d6ef7b482f7e5c6c2dc3ba37371eee7d11ee27f4f73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
1bac9a2f1a2ce24076cfa2a4152fddb4

SHA1
162a7c358e2afdd836a6d11bc73cddf065276887

SHA256
29dd85ec23b630320c9e67f1dbd5ffd5a53c0789ca16d6cc8a28479d3eacbe82

SHA512
567affee39b995e310c37aac05a487a7d4b4531dfe0e3b98089e052f62ed4657e2ec2ab47cfa072a43d36af8f33636d97774b1ee3c43eb0d81ff89863afa2592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
281fc0765c46f4c68cecf526aacc8117

SHA1
644591d43fb8933c47e9503bf1731e733da8ac9f

SHA256
36f4ce501fcff18dcc5b85e055c87f508c66e7785071a5bfbd98c245d9de70f0

SHA512
85a35ff440503003243e6e8fa4334ab2eb31ee790fc8be028a2859d211694e450149a3b14896de2713b1f36190e04b61aa47b5cc6a42864024c30092542d1c21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
8fc1d3e84d438f3a9ac4900f27543c95

SHA1
7520271a341cc6e8a3a41fd485dd86fe075f1014

SHA256
526b1c250c0e43c9c92c9181fbf123a796405e9a08bbf7240c69c8a80fc68df5

SHA512
bd47cce7b428dcd4c588966ff6328709b94a9a7ded6c47a7ad19632579fd489247bdee4944156659558ed434bb97ce72a0693378258d9d290ae8b7d4ed20060b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
f1c22452a0d7e89e43436b30a255fb9b

SHA1
39bb2ef81d07ed55a6f193a6b793a6f3f7bec59f

SHA256
b61f7d80e2edbb4022a58f9c7640dc313d070f19a23c1b5cca9831d7fb9b12de

SHA512
3723983e35b997bb3e845d8fc47638885f8b4e8465fa69707538adad0945dca3ecb4a68ad6b68bfda2dfc0779deac9fe4ed4064419a507d292c4cd44e25fe0ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bef5c224a4e8e06ecaecd4bafe781a1e

SHA1
e66c2a70c65186f3523d0e0e52dff5ceaee1df75

SHA256
783e44d9d4f7399a31fd355b343c39452cdaddfc10c2277bdfcb85d6c9d5087b

SHA512
c3d142ef04d09f3cc5d6358e422e7fd129f7e1e540ed47049e196e03722beb7956cc6ebe28f8b604d889a66b7e711e7e4c1cb89a6bae313ff34c0a733ca4a364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
52b2d2f89b10bf45e1c6a099eb7d968e

SHA1
9abdb7709122434d00f24920ac6b4528fcc501f6

SHA256
3f950dc37f7a3fd040b25810baa395a6a5cdd2245088c05e62fe1c7fa7a9b29f

SHA512
9f981005075cb5792eb215dd7cfe45e8a3bfc53fdc1b5b6908e3e8988297e417e8fa2defe8b4aa9de6302d12a4a9e5c392f26ba4b18fb9c22e5d4920962a6d7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c2b92e3785c4771f07278429b3c8dc0e

SHA1
80ae1d4b4e92c39ebb013054d6b10b6820c6587c

SHA256
2d1c7a21754116925cc5d10629d7e6b162ed70c6d272defe376800d3a9cf2a87

SHA512
c1bee3c16a20b13127d539d79f2ce14c301fe3f5d240a33775465cb89fb1ed343f48698c2f8759e20001b91382151ac5c0af6f86ecbe1d097fa86acf3cc24d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d15c6dff9649b19470a0106bd08fe241

SHA1
a0ecfbc82ddc482872983898f15c9f0ae6b2f975

SHA256
9795a127e0c7abaa0262285a7812a1f2351b32fbb53b999f7a8d1180a6c232dc

SHA512
332d9c4575406954f3d3e1d9d2e7a70c4adf11d1ebf6ea62aeca58619af52a1a859bb60d0d4b6c8344b7b8ea52274578853ec14bc7437d94896641d2ca428a32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8559d1483dea4829d75321da67c233b4

SHA1
465e4669dc030a5d3963c88f31829dba9265f6ce

SHA256
4dac3d3de0bca1057a2eef84b32e789b60428e03e36517562e22a16d5b2d3b1e

SHA512
f83afbdf04a6ddeb1ba2800fd31103e87d1f331ba0dc1228b814f72b21dabca32b76a2e2c6c52a6f1c22b80cf87ad11850aeda7f33b589bacbc117bbca5418ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
71e65cd44ecb2207a839b75e479b500e

SHA1
2fbb4e081d598b3eabd6295b9a936a2fcb5344e8

SHA256
737e6c15daa5046624faa9d5c986de600df1f10601e296532a338b8ece91abee

SHA512
bb6ab133fe0d21ee4401abed0d5169fb4a6216382487698f4494b9206651bd7c22fedfd34fc502435562fa5fd7b11d105462ad31d8afed64ac2e2d8ff20a1884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5e558a92136054b3109ecdf3872b6d5d

SHA1
8aa5f239f7caa1370c509868fe1d7aeb1f232d66

SHA256
4cdd005a7e5daf46432f4392a3f65f505abb0c69d82e5bc49c50629c9709cee2

SHA512
73c36b086e069c0746a127b68d00892c2efa67f0fd31199920f703b494c2c8a0ea74d776f9643adf4bed03088930ca5538c218685b4ac0124645488f52432eef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
85552e0eaab6bf904b26d9a6b7601b75

SHA1
2a82c43472235063d8fa041fcb16c2fb68b1b9b4

SHA256
edf44a7e65d3b3761bad1876784003315af8123c6efb59f241a45a9965917174

SHA512
8661a9f695c281500118025b65d1cefa295c416ce7546b0aabf1925940533ead618dbda4ef3e4500b22e79c6b1e9bea0856bcb62da9f9fe6183921fd87c50b62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9594474848ce2f362915dae3a2e310eb

SHA1
4b63d8de61ee6ca30b754d79de45ed55caa126d2

SHA256
3805c386a1ddd45b9f4156d329c84513edb71c885d10fd9857d0a062a357ffa4

SHA512
da25f9cfdf2cb2369d594b4b5c7abc2cb5c74c56aaba3620906e548ddfae3d13682d8cacce7b6a7fc0c50289f9b69fb34f1165581db6e5a7a985c12331809a80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
828bcec6965ab62debac839ba1082448

SHA1
602e741ce53a4ba7ef2f91100666c21aafc83b89

SHA256
7fd248143e14b7d6f5942bcb2cb352117fc0e00ca5d97ac330eea35a26626a3d

SHA512
b05e9afb2034d26d71ffcf93b8b242852aac1dd46f1b2f35db4a6b7c9685191b4d1afac463865abe14bbb9a33440fda33e142409563380534c59052d634ec937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5865aa.TMP

Filesize
204B

MD5
c594a9fb55dbb5b510b464432e5264ae

SHA1
5a75b124ae802e10afcff4e60478d81925e2a72a

SHA256
e8aa847f166693f97f88a799efe48336e7a792569205fa929ab391abd708b299

SHA512
b9f3a21067b30324a35c6f4848519e0ad92cc5c10fe902abebec44072bd08c649c2880d4977eb6067c9999c8cf4f54da858b0e6cfe3f15e297bc0c83d97ea86d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f992f93b6b73fa2169a81cdf51844abc

SHA1
3796d5c3cb31293d7c97adf58585fbef867db837

SHA256
5cdcc40f949911aba388b9369c4fb594cc2f56fc99d2e6409aeef27336374564

SHA512
9fc6c6898a364f45c6e99e2040178676c335e8fcef7107ed4a0a8c7270747e7ae65d9ad399ce4b5adf5a3eeb1acda3570968892b997131cf08f06e25acffe0ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a38fe75f9fa651755c7a98556edf61ad

SHA1
5188dba055be163654ae88319e009a19c5937c54

SHA256
5492f99af5cc81e51aa220980862063e79645a2a49edff75e790c1e30c9e130d

SHA512
996930572ad2bccc601511eea138634a20a23fa953a2bf013c65982801a0237783156e059b0aefc3af9be9757777f124419c11f16b6af2dead5b6587df8cc374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
55ae9aef51c715933782770bb05c99d9

SHA1
04601e99e448a8504c228e34f89bdfc84908420d

SHA256
ec5d35e198d0d71a62ac8616ab872f0abbf73ec1f15d528341937e036b0aa297

SHA512
3b067ba7841835119e40bf023caece1266da03bc53a3b54379f725ad61d7d0fe282cfcff05090a5453ac3d95ebbb452a722e58f6edca90dc30cd8dbffa485303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c170ce97fd43769dfbfcb5bf6370eafe

SHA1
1b84d228b73a1bf5015074d9838605bdf4713932

SHA256
76815828453ad3308cf25f642a2b63220ae2284ecced10d46f2295026b15b0bc

SHA512
bfd1ef201f5282328f25e7b3cb2e5776305daec2a22f5de731346227c350b363bc6eeadf08f04962afdafbb36e2c08e9a0edf83625c9536e0dd5eb87e33372f3

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit