hxxps://filecr[.]com/windows/utorrent/

Analysis

max time kernel
145s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://filecr.com/windows/utorrent/

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1728	msedge.exe
1728	msedge.exe
4260	msedge.exe
4260	msedge.exe
4332	identity_helper.exe
4332	identity_helper.exe
6092	msedge.exe
6092	msedge.exe
5292	msedge.exe
5292	msedge.exe
5816	msedge.exe
5816	msedge.exe
5816	msedge.exe
5816	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	3596	7zG.exe
Token: 35	3596	7zG.exe
Token: SeSecurityPrivilege	3596	7zG.exe
Token: SeSecurityPrivilege	3596	7zG.exe
Token: SeRestorePrivilege	2944	7zG.exe
Token: 35	2944	7zG.exe
Token: SeSecurityPrivilege	2944	7zG.exe
Token: SeSecurityPrivilege	2944	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 4136	4260	msedge.exe	82
PID 4260 wrote to memory of 4136	4260	msedge.exe	82
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 772	4260	msedge.exe	83
PID 4260 wrote to memory of 1728	4260	msedge.exe	84
PID 4260 wrote to memory of 1728	4260	msedge.exe	84
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85
PID 4260 wrote to memory of 4080	4260	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filecr.com/windows/utorrent/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ffd2a9f46f8,0x7ffd2a9f4708,0x7ffd2a9f4718
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6916 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4104 /prefetch:8
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7140 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1860 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,3605541730111582218,3807725192727355086,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7600 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4316

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap15440:194:7zEvent32450
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable) [FileCR]\" -spe -an -ai#7zMap6134:194:7zEvent2827
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
507c81aa0bc9593f7a4157d2f3ab38a9

SHA1
8e8fe77342cdc48aef8b09e504e17cfc169379ec

SHA256
8302f0635213d25e1ecb845ac50030a17a68ae6e479f6fe3fd4e718a54bd77be

SHA512
1d56fdea9fb99f8277caf30efeaf0d9a56dfd63d496cf6cddccffd14762840adf680452d25ad7b3342283fabda7ddfe29eecd7033fe0fd1a49b86228f8217a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
1bfe573857eb235d2eb6b67c676bbe89

SHA1
d206bc56a06a9cb10c9b68f704f690b89d497067

SHA256
345b9de4f93fdd5bc34cfe58c568be1a0a01d3bf1a2be65011ccd3977eb7750b

SHA512
1ab7cedf2c384e018703075e6001525370e1e3769432eda141e4aeb29c67682ae9dc04c62d0ae0f8ff810c80406d8bcf41221fb3b886e8c72913143db5777cf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
7dfa639ac086848fbaa3a4166325fa9d

SHA1
6acd024cdb281cd471e92647c58e4227f3e6f2df

SHA256
f35714e301cd1f56828030bba09ab2b8e919332ab9e244428638600c5d25ea8d

SHA512
e7d4a46e06afc7fa484771cee1e4f0e80ce4cdbff2a977c0ee4c08478675043c1f672bad90520d93ae950060bcaf1c5b045e202d36962fc6be80fda97588b07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
25e80e38d4270ec038883e3438319567

SHA1
b86e48a5b9ad3ca6b3172b2114f08c6c3071b342

SHA256
ba6a53765453bdbf8c552fe47e9252ea354224df9311e3f12e1bc086c125363e

SHA512
cb7d233e3c16bf9cdc5e4bb47053323ff2c991a61e452ba75ba8bfe9186b827a09b0f6e2ace413f93b9d2de23c3072e7018855f88b7651cd6afaa07203340eb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a9e60b60e5dd991c9b1a53e28d79f239

SHA1
3248b345bf6545a41e15b25be3e04ffd2d64dd21

SHA256
a65fd9857c803db60df77fb588b59413ab0059e655ab4d55d370e9b3585b0091

SHA512
b8296aeadebf2604be5e37618c88388bab544846ab18fb8e5d69a0fbc8afc7a99ea08011d64035e559ac986385baa9f3eb323f880cf2235371b2bc13998ea9e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
151121e5a2ea90900c59e14cd4b91bc1

SHA1
5fae77d1a68a1915662207fc89eeabfb844f2368

SHA256
4a568f6729d35bb7d8bc5785d6f1bb634e1aabea266f3636ab6815cd8a8059fc

SHA512
30731e6318c0de8d915cd87256e6f60c05a87804954037136747fbb5b1daf54af0b078465483e90209bbcb6afd6d3d1b6d1ff2589a66014533d69719d5202d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
fc79a083c3e984f6dcb6ce824108faa9

SHA1
ac515ef21187613be2640d03a5f514dfacdda965

SHA256
e8ab3a1acc707e4ec182e7dccae44e447ef53878a011a6b47b52fbc88ca21035

SHA512
fbe6ad1fb9487512c7885752e5149a99c69a41b2f1ea6d2866fe57eba2d1033745773a1dbf0c3db40942e6ddb14d34dcbe8207c5150e05749d3083706d439ecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c505.TMP

Filesize
48B

MD5
43e40496a2d7491d05503af6d2f6d091

SHA1
c96ea69ff2e6c223f3a10717da6643229bd43004

SHA256
a14518fa413d7a7deb6c68a83187fb984c546383a7c89d3f0d95e41f19533e1b

SHA512
1621825b0835905ab093525dce495f170e9ee357b030fa4c034e0b20508c3afe9605d21bcb2031bfca2c26d1457b0c99dcf568beb89dfa508ec20f4af50aa564

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003

Filesize
20KB

MD5
e8e1f8273c10625d8b5e1541f8cab8fd

SHA1
18d7a3b3362fc592407e5b174a8fb60a128ce544

SHA256
45870d39eb491375c12251d35194e916ace795b1a67e02841e1bbcb14f1a0e44

SHA512
ca77d40ec247d16bc50302f8b13c79b37ab1fcf81c1f8ab50f2fc5430d4fabc74f5845c781bd11bb55840184e6765c2f18b28af72e1f7800fe0bb0b1f3f23b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
52969c825c366fa1cf83f7251ee2de2c

SHA1
a074008b896cfbe119b9ba120472003807a37c8c

SHA256
1507190209e6a19aab047b352e1d6fd181c7bfe5bfdf38948109c302046adf68

SHA512
95789273f1cb5ce4c02655dd47789c58412d49bbf817cac7f6a4c499c2b6cd6f9f4a2100284ef989e911643362324ce7bd613dd380a43ec0e81ead1504cb9b3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e902c1e067337708a8b945f2b5a78d73

SHA1
c99f7fbd5149485142b4a9ab04c48cd32021c238

SHA256
1f403e34cd21489a633ae35e9b6db79488400108715efbe8282f4b62d5ffd4cd

SHA512
0bff1dba95c830e3fed79d6b7456df18b626828b34f3cdc98a151c648f0ef192d4d8fcc4c83ade440b25e5f7e560d9b680aa39794962bcbe59a5c9fe93862759

Download Submit
C:\Users\Admin\Downloads\d0ea6cd5-f339-4194-aa99-74aabe27b892.tmp

Filesize
3.3MB

MD5
81c5b9c98df7b57f19d6eb64f61db3d4

SHA1
ea55b718d5f39f6014227866104b7e1293c52888

SHA256
d3727747cc22f6dcdef80656e45c2a02bbe7b4dbe353313fc56ddf73335f815b

SHA512
f865e390916815783ef6e5afcd86074dd06aa5d62c2c31564109e76ccfad4bb07479cf5d27291a529b84ca2ffdc383c652bdd9ad4decd86aac172f3d1eff64ed

Download Submit
C:\Users\Admin\Downloads\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable) [FileCR].zip

Filesize
34.3MB

MD5
041f86236cefd8df33c0d6605bdc627e

SHA1
b82aad647743104b4c6a17d6d613f031bc21fb67

SHA256
96f22cc4282145ea9c8469f55bc44184734f0e91f6812c9bc4af5a3dd74c9906

SHA512
b894b57e32b0196c6ceb4b13a1ea65e545cd18fc2a250029f0028547635d4094a81126aa0d687c2b9dbb8569774cf4431e7b78c7ba3907ba448d9ec8bbc5d5f7

Download Submit