hxxps://www[.]mediafire[.]com/file/e0b0j21sp3rclel/Wind[.]rar/file

Resubmissions

06-08-2024 19:16

240806-xyq92a1fka 8

06-08-2024 19:12

240806-xwtmdaxfnp 8

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/e0b0j21sp3rclel/Wind.rar/file

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
5604	winrar-x64-701.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{7CB07B7B-DD09-4999-A2CB-99D6C8660569}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 526237.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
744	msedge.exe
744	msedge.exe
4060	identity_helper.exe
4060	identity_helper.exe
4588	msedge.exe
4588	msedge.exe
3148	msedge.exe
3148	msedge.exe
5496	msedge.exe
5496	msedge.exe
5260	msedge.exe
5260	msedge.exe
5260	msedge.exe
5260	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5604	winrar-x64-701.exe
5604	winrar-x64-701.exe
5604	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 4584	744	msedge.exe	86
PID 744 wrote to memory of 4584	744	msedge.exe	86
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 2260	744	msedge.exe	88
PID 744 wrote to memory of 5028	744	msedge.exe	89
PID 744 wrote to memory of 5028	744	msedge.exe	89
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90
PID 744 wrote to memory of 1792	744	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/e0b0j21sp3rclel/Wind.rar/file
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff5ac446f8,0x7fff5ac44708,0x7fff5ac44718
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6996 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7044 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7452 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7376 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7268 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7648 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7792 /prefetch:8
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5496
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,17546036843737830119,8423545488707707784,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5032 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\8fbceb92-f72c-4f30-92cc-d44f718ca581.tmp

Filesize
11KB

MD5
324764200742addf68399c266ea9b8de

SHA1
52f14b9939a4424ac985f98e4345729b8fbfe3c1

SHA256
d74542b02800dbde3157af8237b45e565ee51351732708a8aa0162b2f14079ef

SHA512
a18e31dbc0814d6721089c3675cfd37545a9a2a7acf86f169af9b2ea7515c4a6690c17031d436269e8c943c74d16bed13a9b5bdd171b16e03123ffed9105032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3ec1c45e-f9d7-47b1-8429-854afcd074bd.tmp

Filesize
9KB

MD5
b1f14e0d903a85b0bb672fff4214d20d

SHA1
a4e3b74ff410a3d8a8afe41db3e2e01c5405ca69

SHA256
1a1f50977050348bcf452a38a9c773f3b526ab8dfaa09fcd5e1e6ac5b1985b55

SHA512
c5baf7a0e4e441d2971edeb19cb245ab02088f0ae717e2d240b36e2fc68ab41a82fee6893ef73f9cd4df915d0753a5ed446855d8215460e64a642699d445d4b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\695f309a-35e0-441b-9f58-c6f5c3a3c6c5.tmp

Filesize
6KB

MD5
0c5729e081065df82cb91301e6543e53

SHA1
fdfe8764bd49177c81fb03f3e9ecc4cd3942bc75

SHA256
d2bc0df6043a76142b99e7f8c3ac01a2ed9c28a3de41f71a0460cda0d6dc8424

SHA512
1a3bdbd76e4674d28d7ece978a24f29082b89dfd5c80d04ba24b85c4193ad18cc81ce6b7ebfbaf51a93acbd078b06cff5fb489f31ae1796014068566d7a2e6ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
62KB

MD5
6b04ab52540bdc8a646d6e42255a6c4b

SHA1
4cdfc59b5b62dafa3b20d23a165716b5218aa646

SHA256
33353d2328ea91f6abf5fb5c5f3899853dcc724a993b9086cab92d880da99f4d

SHA512
4f3b417c77c65936486388b618a7c047c84fb2e2dd8a470f7fe4ffec1ad6699d02fa9c1bbd551414eef0f2e6747a9ee59ca87198b20f9f4a9a01394ae69fa730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
31KB

MD5
c03ff64e7985603de96e7f84ec7dd438

SHA1
dfc067c6cb07b81281561fdfe995aca09c18d0e9

SHA256
0db8e9f0a185bd5dd2ec4259db0a0e89363afa953069f5238a0537671de6f526

SHA512
bb0fd94c5a8944a99f792f336bb8a840f23f6f0f1cb9661b156511a9984f0bb6c96baf05b7c1cf0efb83f43a224ecea52740432e3cfc85e0799428765eefb692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
95b3cb57eb7a040f7a4d2629d6f89466

SHA1
56ca7190bedad6ff9e9ad679c423752ab107440b

SHA256
e1abd3c356aa493500f1355d04def930aa15191e6e84b4d80996bd02e0f01320

SHA512
e34f22eff334a7184843779928649db182c94da05fe790149f0a8423c639251c3ec7897a1ff91d3508a8fc67120d1e1965026588b497b43ece38412c8d0a1078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
25ae8e4c7718a924300f57dcf2c5220a

SHA1
c95ac68c531b7287ea87a2d707e239c930495be2

SHA256
e34dc766c6d252ada4ab61c2454b0302b46d8479cb0b9f4688ea5a16050d28e7

SHA512
8767539f5fdf8704d603a6a22d0cd95d0f522df6f544243bd3457194cfd55b5efb81be020de947313854fec9ecc59acd33b6029d3c7c775a10aef25cf1209326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
8799854de1346691dc3ee97a0320eb26

SHA1
a7b3c951ed658c9eb6bbc85cada68fcf542a6ddb

SHA256
2ed1ad71ad6761f095743e721c5849ead354fa63ed54c6891e68f17b3f210e18

SHA512
881b0946e06d57fba014feae649d2e4066825163b451c399bbe96e9014a953c5f3280dc4154e66d9002a248972d33f583553ff38948489a433fdf84dfc5fc1fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
ae4605e7eaa53e157e211d49858fa0c1

SHA1
929b089b18dc9922f2a5ec34231d8c0499daf1ae

SHA256
44128d0bf226e1051c4faf48c9699feb936c685b9211a5547d9f86f539ea5efd

SHA512
f1b1e8fe7696e2b3315dcd33bede0673df42f744bddb4001029f1b55a1973a1d49e661a0144d8700426dedbd1ed1badb633ceb9a0f9755a58d1517dc8ec00ff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
d42fad9b471c81b1a1c1562b9a3cf94e

SHA1
be47ad481ab60d23399074307af8ab5279ffcdc2

SHA256
19c81763fadb2dd4de1f41081c48fd8f84f5274888cb64046b362b78591c0b2a

SHA512
a806ec914759409cadfeb8aea81eb5db4d7244d38b9123c3bc5686f7db770e608c3050f198f12792c7e0b169f7d441585c1afac9a73b449fd5327b5acbb0e18c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8ea883d18580dc6d8212e84093c0eb6f

SHA1
39ca91c33bb9fe42fa0a4943ee40828dca8d1a7b

SHA256
790d6adaa54fb062a8d5b119ad6f0fc3db23209953a6d7560284e419d6c73ca4

SHA512
333644194feac5c74c13cfeeeaad78125b341c298ac3a7c163def2f97cbaf5771e246e6cc22b0b9389ebbde6e12e88ca542794b3cda07cae16d8caa0f96eaaf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
437421388065362bd4ba1fc6b7a1cc8d

SHA1
0ddba3ee4b54296ce51246f97fed49356109a0d3

SHA256
c7275c69a7e2341c0880cb6178fab5e2e8570caba6b1479e9b185767640e88a1

SHA512
08fa6dcc92dae0e0d5df1b7500301f7095a737ace5ac0c27a63981d7e7570cc2d171fa4cdff8d37e3bb97fb3fc94e1dce28dd46dd4cafb65b668ad203898c9ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e8f4.TMP

Filesize
538B

MD5
639faab6ae6d761033a490151368c12c

SHA1
6e37578a07c46537333b8eaf5085e83c98162666

SHA256
a925cc32dc1d6dd3420cecc0cfa5a37c92225c55049c4ce6ebd2626ee5f16b4a

SHA512
96c157e8412f4abff8d85d077c67acf773e5329d1916c8704f528da7420251b1c671070b6316761ac7882421afd4cec590644d955059f6fa4a1cb99cdaab9b6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cfa924fb-4de0-457a-9786-e781b001bc26.tmp

Filesize
2KB

MD5
2216880d74a8ab27fdff1e3296ad034e

SHA1
1408bf18d6addb934e15cca5729ee6a03518662f

SHA256
68d312726c786507e9c3dad538b14b4ad6d326dc230a8029bfd417484afe45ff

SHA512
e41ffb851317cccc42969fc66ebd59dd94027dc3c23e345b8e5ced77247c21b59b764611b2b21d0f8878caab0b0b88909936ffe31abf9ef6eb45e19aff3ae06e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
495a6140e0d336c7c3a21530183bacec

SHA1
4deeeca7b43a230e224231601f4ca7da2d2c7da9

SHA256
2478a79495cd3bd28d441381ef55fa836ba618ae6d7ad530f40bf1ac994b0bc0

SHA512
10a8d761b78d56e90dd280c4706641deb33d3c628ceb75622984e25c4ad9a274f3fa6126fa30dde9823813159852b6bcea3dd99abb046d71c985d9fafb6aab19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a8f965da-3153-49c9-ae0b-523f64b8982a.tmp

Filesize
11KB

MD5
938d920fe45ae6ace2ce91f49906e1b9

SHA1
f79d6e031c79ad8e481e8f340b2a52a2cc34d8d4

SHA256
bf20ec080b125bf10889d8f2bdabfaa686c7cb3fa7334c11b7f05f250d93a004

SHA512
6c1918f9af253b22a9f9ee8bdb4583344523c7b68c5b06f6f27ad3be0d1cd76fb06ec03bf7b3101d4f7fffc4a2463b05e3786310b0755a455fac40018aee3484

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit