hxxps://gofile[.]io/d/zslZs8

Analysis

max time kernel
148s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04/10/2024, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/zslZs8

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\MoveRedo.exe	OpenWith.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 8c003100000000000259f37d110050524f4752417e310000740009000400efbec55259610259f37d2e0000003f0000000000010000000000000000004a00000000004d229200500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\NodeSlot = "2"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 75949.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\d3d10.dll:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3720	Winword.exe
3720	Winword.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2852	msedge.exe
2852	msedge.exe
1764	msedge.exe
1764	msedge.exe
4868	msedge.exe
4868	msedge.exe
3456	identity_helper.exe
3456	identity_helper.exe
1444	msedge.exe
1444	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4812	OpenWith.exe
4692	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4692	OpenWith.exe
4692	OpenWith.exe
4692	OpenWith.exe
4692	OpenWith.exe
4692	OpenWith.exe
4692	OpenWith.exe
4692	OpenWith.exe
4692	OpenWith.exe
4692	OpenWith.exe
3720	Winword.exe
3720	Winword.exe
3720	Winword.exe
3720	Winword.exe
3720	Winword.exe
3720	Winword.exe
3720	Winword.exe
3720	Winword.exe
3720	Winword.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 3512	1764	msedge.exe	77
PID 1764 wrote to memory of 3512	1764	msedge.exe	77
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 1408	1764	msedge.exe	78
PID 1764 wrote to memory of 2852	1764	msedge.exe	79
PID 1764 wrote to memory of 2852	1764	msedge.exe	79
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80
PID 1764 wrote to memory of 1232	1764	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/zslZs8
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa7c973cb8,0x7ffa7c973cc8,0x7ffa7c973cd8
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
  2⤵
  PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4104 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,130738024095202439,7178182174386960741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:3000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3592

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4812

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4692
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\d3d10.dll"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
c30de574ff2af3c7c05cd15ae20bcefa

SHA1
9dd5007f8e788ddf970f556452b102a721395ac3

SHA256
fc53197d48daf488a0b335f89d8f39b848c2f3ac8d973a7dcaef5497c8b9ee0e

SHA512
dc977e06355e70a1d260b12a3c8505a08d85e2d7943ffe23f3cbb41156e72cf03dfa03775d0555ef5594734196604cc6f9b03eb7a0b18efe390a7afb29f5bedf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
d3dec18bb94719971f2fca51c7457284

SHA1
fbe56fd514e178ecccb27b047e9c4a28f85969c4

SHA256
49bf2e0fd563e5a70eef9e3826e4e676d36763b75a56a667b99d061d8e40c433

SHA512
a5dbb443eb2e99435f0b302177eaee58b207806279d7c3e299371d401277bb0ae008902eb70075664976212571430c26febc7e47d71a47bd3a75829be5f9baa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f5356a4ae8f691254dad1bdabe24c540

SHA1
1b6fd021a10bf86f17a0cf3a92b79e74f18712d8

SHA256
e3c45e793052fe71be14646e6ac132bc7f6029c4b83251d9534fdb88d7b33e05

SHA512
aca48f9ee110cd5849401b26435289e7aa8c8a2db58a1f276157635dad837dcb89fce8d8916d89ad55904ace6f7ace94d5d9cf5e25e97f60216fd9cfde7f8dd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c654cbb626fabc29885e056b4066d33d

SHA1
15c037b60ad33a06ba17c8e554e8913080030f9b

SHA256
9725fe4d29c611477e785ec45f1f4a0d5bbcde1ed3fbd5a3f301eec18fd1d813

SHA512
ff5f8f520f9846ac928f13715b29903f3057a9cee7006b1749252ff9053cd42a15afd0b22e8a9a90caac15b68bdfa4c5c9c76ebff158e6a5f06ba2e422b2638d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7aae22551cea7d475feb3f75d034589e

SHA1
d0aa8045f6d9d63752294615d994c8e700b9b3d5

SHA256
ea1a000360186e52bd4c49807711a838aba6b94f418b7516d64a7ecbcd6e4ba0

SHA512
0be881b97a59726caac9603216f628245bdc1f323aed455c98aa2535cd828579bcb829d89f709c45f6626ac710f0526e1ba8594b3ed139a78c85be26ad23ced0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
264e431ccc2b3e9993ad17fbe872c407

SHA1
dc9ae1643b585808e0102c1afe0738f501c84fa5

SHA256
28ebf987a40922730224c4f364009728ca5fddf628af816de977c59f15f46cf2

SHA512
3efd6931126693ce2a9074cb64a38c14b1cc9b6931813d6fb9b9d76cbee6b979381d033a21cd8e155cdd4a949bdcf0e228f03350aa4948dcc994bcd432e1b0a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
360B

MD5
0667592a5a77f994e323c9103cd9e3dc

SHA1
c81840494598101d98aefbec3535a2045240b458

SHA256
2bc9d231078c5bb8b3db140260f3f793135c2aa757054679515b16a79e95b4b6

SHA512
a91969942cea6cad44a3b98669b18bf259496cf3c37f10c544ba73a855b1e988864ce86f437102d6962226ffeb94f03831998165848f89e2eec82cbdcff0c9e9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 75949.crdownload

Filesize
1.3MB

MD5
fcb85c95a1ce078aa4c99b1a26baab12

SHA1
523c3db00cb71b849033c75da18c86f1a89727fd

SHA256
e574b91da312cf4ede47f2885147d81a126b9b59b2ca2d545d0290cd5c1315da

SHA512
7353ec3a209cb064bfbc88a9ebdbc1d7963ae53b8bb39f235ad0942bd7e14473deb0adf95da768691220b7f61312d9222a514e25749987634e5ae586bed2583d

Download Submit
C:\Users\Admin\Downloads\d3d10.dll:Zone.Identifier

Filesize
152B

MD5
25509547b40bcdf818964361fe54710b

SHA1
e1ee8d6b218c4ac4dcecccb520ffa4e0dddd5eb3

SHA256
0795086d353bbf9228c086a186bd1ed9f9779022be1c9b2ca68313b29f349aca

SHA512
6d53f119331664fd46be112d118426f38fb8ec52e9403167cc63065ce6d5ee4fd135091d824de127621d2dd004b04e4faae5f6347fbecbc5cd037e42c5bea7e1

Download Submit
memory/3720-179-0x00007FFA49830000-0x00007FFA49840000-memory.dmp

Filesize
64KB

Download
memory/3720-176-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download
memory/3720-175-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download
memory/3720-174-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download
memory/3720-178-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download
memory/3720-180-0x00007FFA49830000-0x00007FFA49840000-memory.dmp

Filesize
64KB

Download
memory/3720-177-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download
memory/3720-241-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download
memory/3720-242-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download
memory/3720-244-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download
memory/3720-243-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download