c639fa0e1df8bbba1012aeed41741edfaec4972d739ad43f5f2c89a6ca95cd1a

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 15:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Tulpical.exe
Size

1.3MB
MD5

7b0e6bc080da00a4bb6d58a52143a968
SHA1

b1c92b979ec66c3224b0c9b9a950152396b3cca8
SHA256

c639fa0e1df8bbba1012aeed41741edfaec4972d739ad43f5f2c89a6ca95cd1a
SHA512

299c43386b1798f29646f1b1e3d5def42c47b8bc2313ded80345da8394d6026dad6c07b08c00ad853683aacbd209dd30b3178a2ad828ec5ba7faa0c5e181bf22
SSDEEP

24576:bDbbb+fGfNv4PRq8wTcHcGfjAoH9xLOp7+kkG71KHVP7EBtdzARCL17RA8Zonh/d:TWeeMFzkG78P7EBttYCL1dCh/QcmYD

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
5924	winrar-x64-701.exe
3656	winrar-x64-701.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2412658365-3084825385-3340777666-1000\{28357C3B-9D23-4759-B481-BC684C5E8442}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 275165.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3580	msedge.exe
3580	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1856	identity_helper.exe
1856	identity_helper.exe
5268	msedge.exe
5268	msedge.exe
5868	msedge.exe
5868	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5924	winrar-x64-701.exe
5924	winrar-x64-701.exe
3656	winrar-x64-701.exe
3656	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 3096	1864	msedge.exe	95
PID 1864 wrote to memory of 3096	1864	msedge.exe	95
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3820	1864	msedge.exe	96
PID 1864 wrote to memory of 3580	1864	msedge.exe	97
PID 1864 wrote to memory of 3580	1864	msedge.exe	97
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98
PID 1864 wrote to memory of 3884	1864	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\Tulpical.exe
"C:\Users\Admin\AppData\Local\Temp\Tulpical.exe"
1⤵
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab94a46f8,0x7ffab94a4708,0x7ffab94a4718
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5868
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:5464
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,15370800583006242929,12590629984353455884,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5064 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4372

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\76b1425552464c5ba17c5069a7e7bf0c /t 5944 /p 5924
1⤵
PID:5692

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\cb1c7e6819fd4df6a8bfd19fe16dc68d /t 5872 /p 3656
1⤵
PID:5344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
82404ced7d76f0110ee8439b43627d2e

SHA1
beb6bf4361835251aaffef352606a20b43a5b79e

SHA256
87bc30c4ea47c1ad7644ab7b92649aa3c57608aa9932e4bca4944845ba9eaa31

SHA512
4e7c941a82faf6cf626132b7111663d1b9c144df7ad36c2541f7a041a80f6aba8c8c75027a610331b8993dcd87890b9d5c2530949c417a9a898aea4c57ee0cda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
32e64cedd26aaf8a8bd90eba6f6d56b3

SHA1
066f38e40dd09266253a0a8d5f36891d560ad684

SHA256
684a6fc47356e0ea4da28eac98bb70b2ba6a02b7c043723e0a21d8627cf0ace2

SHA512
4ada7c5ba4c1e09885ca38c7c8920f10a6fc940b312e496925f7df31048f71441bfd23819d8cecd0b81faf7b8e6306bf832f53fff86157bff14e4f7107adbd3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
482B

MD5
93b054663c54782106fa908f07b00ed4

SHA1
93fdf17d1552d52ab5c365d66dfe82ce3d613aa8

SHA256
d1e3897ceb15197ad91d0bf007b527a90614c558f29d7cab14f485d31e8415f0

SHA512
3932063ee80d2b5e6722e503eec3103f1881ddf679cd61deb2418453d571c7da4df1dd65097e1669274782f3a4ada00dbb5085fc834bda5a62a9bd64c8d6ee46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8326df511fba1295da8d144f7a54cf45

SHA1
15692c4b2a9ec2309b16fcd63be8b97f7fc4af73

SHA256
d53fd7e938633f323518f8b08d247b3e76816412dd1edc0ed57b8ba77c579010

SHA512
e4b0e02c7370a976660b81f55d023fdc7c409ca0a1681e1c794cd90cc56f2c3a952c476d27ac88320c70beb0a27fbc307bb9f837bc2963f3fa5164fc9d33749b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f9f4c4019ff06491f6be27e7643405b4

SHA1
319773f27c5515c8f6efc2b9abdb6da6becef82b

SHA256
af23c7f0d6d86b51fb552baeaa4f8cf31337ce9f8b85932051d9b30dba2ac1cf

SHA512
8c7e26d794d4c518f9a92fb5253a7110cc89d6b0d6112ae85dbc1e010048932cf56805b1854dc211e8c36d14fd1a6e031877fa7c1698e9903e13d018eb30f972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a8017077cf9bac2696597600f2f78734

SHA1
1d1bbaa3b69cc4a1265c1520a65e21e860b86be3

SHA256
c9dd92ce0b7e58f3bfed72912d9a58245148ed7b6250d8fc05d268e681d52c3c

SHA512
b6392ae1d50df6edab92a698f4c5d8d7d830d0233b59d1426921f294d4259f1c57c0ae11d6176f753b9cffa8bf7ba58dc58939b29446a3c5eb4ba6002a3b8108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7fe9bde33a046205d8d25073382f9e84

SHA1
1173f7b638d9a2426e23c8996863ed8b433d1c97

SHA256
cd0bb67670a5beaf636a2d1a878d68dd4ed605c8fddb7405307c2bd12747262e

SHA512
c5ed37c3eed66f16cbfe84c45197a7ccdd34c71015b81c3e16b602d497414c699f62f96c19ecc3c5888c9ac3a18b481259cccab47d82a43174ac09332f551438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
0774e2bc4b2c5d9976074922256d5932

SHA1
e446dbd613408751a8537d69f6566f3b4e0d5c2d

SHA256
4cbede92933356e457733318adb03d260fc177dd1244cb4dd1d7c576155d3cd7

SHA512
6cae46a09c037c6a72398ed06b0982cd7f572b41d971e5d87b75540e0883764d6c2a945feff32a0e2077d12ef5bc562d42c9ae6ef4186f32f65cdaf396030b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f31e53c051feab05c6735ab47d38559f

SHA1
7951e741d1bed7992f1312df1a63b6bb68d85208

SHA256
d575edf24a0c4dabf28b4a1b17a6d0bc6b3162ad3e905c06432bc15fc3b47fa0

SHA512
c85f770efd30c9ce1ff8646f47d9e3c13525afbac8ef2487eca27f0a70f9fb0a8ee478d169c0b2f7a8bb243026ca898961ef34c6cf08c9116fa306490956369e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580328.TMP

Filesize
705B

MD5
e877c9a406d2287941e828fbe10bf234

SHA1
68c5c601b1d95f3858165154ed009ddcd27d3343

SHA256
d924a598eba31d6eec9d4a6fad5ee2c1bd1ca653ef9d8f51926ef9cb705d2c7e

SHA512
f8ece3d5170331dd0825ba2f8c9467725a7df9c6c9baf4b829199bd25b93c2aa91503e19f27c5e70644beca2269d10ebd6f8f59e28dc6c54f912fc951c6872a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
047514ba48e1535111dc531d404e8328

SHA1
d030bb8d4dda8ed0b9f0e9ac2661ba25086c4269

SHA256
abb690f73177254d65d28ba5181baf67b54fffcf92e05f4f5e0adfadf457e4c6

SHA512
41f4e216dbd28e56cc67264cb50d01170c4d668da9872866f9c8debd1b7b5f617e7d47c38ac6c6bccf5351aac20704c772381c8003322f66754c233009b5991f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ce8a60a17ee1246be1e4b137508409bd

SHA1
fa0cd4caafc52966bd04004921fb7a5339d51be3

SHA256
22d9932588986d3e8de172d9fdc070d6fcb698c2dfe6cd7eeba63f4912c975bb

SHA512
08e6247961eab0dd695ea7c6d662ad46c83a696667c607f6556681d1ca8677c32f61cd36a15928bc8fbaeaf34d74ff83f7fcab2cf8617c626182349156922e74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
35dd55b6250ea0e545dc2a92a41152af

SHA1
94a388ed43e68dc3634ff38c6b9000da768ba097

SHA256
d2f0c9c6f37db450a162e1daff1fe5ba01493151db7a46f8180eefe96258fbd4

SHA512
00aa49d7dd5d5a3c8976237a1bf4aafea685767ff2484dca241e2390e97e3bad95d4e35a411e7ef26726514965934e38b96dce147f97d1da39a39d276cd94b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
be6fcffbfb0af4c528ca3e2471cfc92f

SHA1
95d1d3980ac59d6f7f7713a5371bd5fc14d6a80c

SHA256
4dc2129b80ba3c6a19837b123fec6bf9aac9ac87f5374ecafd19fcc468540f39

SHA512
8ec2c249d968d9f8cb16d43d280186d9b6e14deb9ee5da2cfe947326bfa93997968b7144e825aaa1c349e1568e79c9c8b4c5d7622354ee72a8d148d491c487e1

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit