hxxps://www[.]mediafire[.]com/folder/akvqjwezncven/ZrSoft

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/akvqjwezncven/ZrSoft

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
5204	winrar-x64-701.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 413461.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5728	vlc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3240	msedge.exe
3240	msedge.exe
3396	msedge.exe
3396	msedge.exe
3124	identity_helper.exe
3124	identity_helper.exe
5492	msedge.exe
5492	msedge.exe
5496	msedge.exe
5496	msedge.exe
5784	msedge.exe
5784	msedge.exe
5784	msedge.exe
5784	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5712	OpenWith.exe
5728	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
5728	vlc.exe
5728	vlc.exe
5728	vlc.exe
5728	vlc.exe
5728	vlc.exe
5728	vlc.exe
5728	vlc.exe
5728	vlc.exe
3396	msedge.exe
3396	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
5712	OpenWith.exe
5712	OpenWith.exe
5712	OpenWith.exe
5712	OpenWith.exe
5712	OpenWith.exe
5712	OpenWith.exe
5712	OpenWith.exe
5728	vlc.exe
5204	winrar-x64-701.exe
5204	winrar-x64-701.exe
5204	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 4948	3396	msedge.exe	82
PID 3396 wrote to memory of 4948	3396	msedge.exe	82
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 4404	3396	msedge.exe	83
PID 3396 wrote to memory of 3240	3396	msedge.exe	84
PID 3396 wrote to memory of 3240	3396	msedge.exe	84
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85
PID 3396 wrote to memory of 1556	3396	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/folder/akvqjwezncven/ZrSoft
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe72da46f8,0x7ffe72da4708,0x7ffe72da4718
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7144 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7420 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7196 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7460 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:1
  2⤵
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2116 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6740 /prefetch:8
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7624 /prefetch:1
  2⤵
  PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7580 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7720 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7712 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5496
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,2619182434427872086,5183942429162318770,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6700 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5076

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5712
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\ZrSoft_.rar"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ecff93b019ecfff04cbcf9f2b86f2625

SHA1
d332545e9ccf0b76aa3f39d221d16ae840989a14

SHA256
c1afbf95b934ee9e5e2b8a8c1377f6b4ce57083456161af69b85b54fc5365283

SHA512
0ba854e53ff5680c5d85e569644d300faf32e014ffb5b510be37f548c4ff92617c54b31f8fb537bcb52602fda1605c08f07219388fd243e76adb694d0173890b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4b4c06300339abb75fde3ded639fd05f

SHA1
b72813e3e7f9bb1ef5f4df1c3add7bc7e995ca88

SHA256
29c22ca890535c765c259ba3194f1c37cfae240541164dc60b5be3abdf8e8c08

SHA512
7e33b19ea020d55e5d597c7b158d8595dd4f98f40e89536fb2b67d500e813bd272bc57b4a5a0e90868f9cfe11d44edab112156c519670d6b8e0d4fe4e855097d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
a1b69fb828c944322a32e3f24ff31f9a

SHA1
e9dbe8b5c8a696538c9c68653ff2971127c73e55

SHA256
6ef9e7d0b69ffcf242d05d78f36954da4bd467e435bc3ef4d2827340fd570a6f

SHA512
09201c152a59f0d7c3006d58dd3071b32d1b3e62680b2ca525a5d3bcbbac11ac11cbe0e8c981f7718b897d2ebdc47713cf3d8f52e23b944c4b445400421788bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
41eaa000390c849c40ff21debd782c0d

SHA1
b84503db737c3ab6345fbf8836485f876407270b

SHA256
9e14f1cba4807b9b203281423b1582235659862514c2b716ef429bbea44f6034

SHA512
9d6d2ab5bbb6a5099ec4d3aeb8987a24db07d7ca2fcfadecd332f2b853be740ed05f47790092948309afc2977e505d3aa1ac7bd0a86a101da169cc5935585b83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
54dc653ae445a367ce9674f2d09c2423

SHA1
4281bd21f972a2f24bf6b205dfdef8140c043da2

SHA256
588573a5327949c22a192851e49f9b0dab0bf21b57cda87bf5fba2edd36b6407

SHA512
3250968826645ce9303b71c03a8a0e8ad729db9825e225531b690e24db09ef0c5d5fa5f9f6147b1cea1fa4ebdf01fe637ef83f69997ef8f7e5eb3ebd34d28909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e8a3a2ab5ce743871e0a9e0dceadb63b

SHA1
f08f3deaa06ed7f99f5afec1a56908e37cd543af

SHA256
b81a900572402018dcd6764b47e19f8083d85e2b105bd527d372340a531faa59

SHA512
b862ec0f945c8bb3ec0962cb5e711cbc247fde4db4546ab3b1862d3cf9f098a90833a56fb055a6e36a1f770465b49159eed9de3fc34e0e73bfcd5db387e9ba30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
85a20ccd06b2c1a2494c62a35f0bc562

SHA1
00c6f81944e1362283d0a1ba1cd9d8dd16ee6d2c

SHA256
83b8031fe2be00467cd3c297ad00307625e461839d3e76b9e056132f84c700a1

SHA512
058e220515ba018b1a41ee3a46083f4cd70bc0997ee7c7de2b7d5bfe700165ff5f3573b023a86d1d4b2d8f91b12f093dbc9fd059284647d795178f7eb7e5f179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
035338509748ba4ed020feaeab928828

SHA1
5b3376aa0669858c385a26eed8cd3124925a1658

SHA256
e1d9fb23549d79d2b0e489b8922f75e6f151fec458ea28dcc45cd99b9939a433

SHA512
84df82829ae8243c9a05218918044f4bff251c0ab085c4f49ae551252673f34ef7c509f3155483d01301bbd07d239efe3a5182003d0ef97119b91150bd949aee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
cf2f5f1581115acc7becce358640fdd3

SHA1
8dbeb1fd88513bcfda4e248c9bd18e75adb94126

SHA256
89ef2f2d63b3025cd1e547ab9f1e15bc0631bb8191aabdcc2fa90144fd7872b7

SHA512
bd5d49a68cd8380e1b17b79b0fd6990513a286603f5a02b2a4276cc815c83b36b765862f60080f7e5207b3eba59d7176eb4b7afd16f4c97a25afccfb531400b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
4472218c7a71c46dd5059561144d22cb

SHA1
db85ab899542929402bfd33abee999281cea764f

SHA256
b0bfedc4b262d3c949538b56d6cbfd1d0ef06e4b047ca74a2ed3096279377904

SHA512
cecb6d66ebecbae29c4df7a5c5776e827772fc3fa8556a22243e00c7756feaeb0ed7e1a9a49aeccb30b849dc4ba45779d2f2de788496a320cf45b48ec064bf3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
9523f17cb4859e073b849d44e572adb0

SHA1
fe32300a37bb3d2cd6ce8bac30851931d1193504

SHA256
8d0c25fc88c0b4a07b58c84a6d916fc7353a13071e51b79ba33167999ba0d9ef

SHA512
f99acf28b2225d24014388919725839d827d5ab6ce5278bb0d87898d56209bc55fc6a0fd2a0a7248da8df05648e98d7f70f8216aeb76dfe85df31131b8d36e5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
eebd20119d1c2333d7c4f14074d0ccc3

SHA1
0e18e5d5c039fd014e7d1ae58b173fcf3890a785

SHA256
dce53987529fd96ee8c81b70915bb9084ae8224bf40cc5e4b693f9391931424c

SHA512
23985211217b80166def45695563f5fecde18a677212d63ec7e4534817f85f4610bdf6772a2f532e59570d3b89696e5a93944142ab75eb6005e7b60edabdebea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e4a3.TMP

Filesize
2KB

MD5
9f9e4ef1cf31370edb92801341a92e8a

SHA1
7ecc7356379a8c5253cc6794e9d735049bb1835d

SHA256
6742739cf4bb418e00bc4b379039d50a3c2271a92ee653584be91203eff69acb

SHA512
b9232d400af480856d9ef4cb7e611ab974be918eebee2f21de95b4f749f94f2f1a2a87b2749163d40640d9014806aa8be570bc0bb376e986a2468421ab2ec9ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
acbe96acc4c0970b69ad2e7b8fe2497e

SHA1
f7e15adaaf52b81cd8bcf85386512a110e739e68

SHA256
3fd922c7aeb4d26aebd8f153d616d8f0e46ddbebe05455643308f5241d16d5e9

SHA512
a49ca4a5d93502e0546a9cc87811bbbd0be1ebe38e36f16c983c70c0ed13d817d403d2f26bed3731a85b4df3dfaf00a459ae4a3451b129b21a0515c7ab615566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
73b04204d2c69ad3d6445d4c0895aaab

SHA1
56b1afacf13324f8d955d5539bcc3477483c4755

SHA256
84017bcf6d7ca12965b3a64ea25b54b7d94d8a9713aecb158ea93f302f7003c0

SHA512
a3d9f28c4613d5c76125aad5f9cadc1e79f20f5a6c1078d28e37de6267d470401228d7201426de74605f370bb5881c4be2a0636c6f9454cb60780018f92b848e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
67f0d4a2e3e6e77116a15e00b6207a2d

SHA1
96fcfdc834144a57b9a64a2855cc7c4ea37bf6b1

SHA256
38a96a6bda764b881e1401f766398ce9b614c62f04c6207be048d01380e7a108

SHA512
9b36c4f3c29718276730ff3982d3dce9ca75a80bf2606bc06166f03d80221308aa7d04271b0c0f2cbb1099267ecd95cb954bdb734240fca3367203b92148118b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
1df4efd4e45a6b88d03ea2789c75cc07

SHA1
a34282ec0e6579d6bd983d07273babee421c75d5

SHA256
bc096a2eeb434ccdaaa07fa9e5d3c4e094c7fca8b47424804e833a59a9b82211

SHA512
fdfe0f2b63faec245db18c7f66a779c47649611f6a300dcc9709642c16cc27d0863ae473a426c24e71414cfb11d79667155b420b1a14025b35c7a292bbf91352

Download Submit
C:\Users\Admin\Downloads\ZrSoft_.rar

Filesize
45.2MB

MD5
ee0421732e639cab311ebd6a89a7f423

SHA1
03326de0c8ac3d444e733ec57f5591a00458d6a6

SHA256
fba507441fd482d20eb17505d4cd463daf338edc3959917eb39578ef0ea42da2

SHA512
57b214ff48db8507f81a4a5e4c72c56d8a14e36a614f6def5dcc74f7e23cb7f278d820ccf67c86cea8e437edc038cb3bbbeeed8f8e6773dd4a7ed9a7b02de51f

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit
memory/5728-377-0x000002B2474E0000-0x000002B248590000-memory.dmp

Filesize
16.7MB

Download
memory/5728-376-0x00007FFE5F7A0000-0x00007FFE5FA56000-memory.dmp

Filesize
2.7MB

Download
memory/5728-375-0x00007FFE5FA60000-0x00007FFE5FA94000-memory.dmp

Filesize
208KB

Download
memory/5728-374-0x00007FF74C590000-0x00007FF74C688000-memory.dmp

Filesize
992KB

Download