hxxps://drive[.]google[.]com/file/d/1jdKKVnjLNxBJ9_-K8KkAiBxb-c35gjmz/view

Resubmissions

13-11-2024 17:35

241113-v5ztmswgkk 6

16-10-2024 18:34

241016-w7666sygpp 8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2024 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1jdKKVnjLNxBJ9_-K8KkAiBxb-c35gjmz/view

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
5692	winrar-x64-701.exe
3916	winrar-x64-701.exe
4332	winrar-x64-701.exe
3536	winrar-x64-701.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
6	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 534226.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4744	msedge.exe
4744	msedge.exe
2292	msedge.exe
2292	msedge.exe
4944	identity_helper.exe
4944	identity_helper.exe
5512	msedge.exe
5512	msedge.exe
3396	msedge.exe
3396	msedge.exe
5272	msedge.exe
5272	msedge.exe
5272	msedge.exe
5272	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1548	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe

Suspicious use of SetWindowsHookEx 47 IoCs

pid	Process
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5692	winrar-x64-701.exe
5692	winrar-x64-701.exe
5692	winrar-x64-701.exe
3916	winrar-x64-701.exe
3916	winrar-x64-701.exe
3916	winrar-x64-701.exe
4332	winrar-x64-701.exe
4332	winrar-x64-701.exe
4332	winrar-x64-701.exe
5612	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
1548	OpenWith.exe
3536	winrar-x64-701.exe
3536	winrar-x64-701.exe
3536	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2364	2292	msedge.exe	84
PID 2292 wrote to memory of 2364	2292	msedge.exe	84
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 1136	2292	msedge.exe	85
PID 2292 wrote to memory of 4744	2292	msedge.exe	86
PID 2292 wrote to memory of 4744	2292	msedge.exe	86
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87
PID 2292 wrote to memory of 1996	2292	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1jdKKVnjLNxBJ9_-K8KkAiBxb-c35gjmz/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff5a9546f8,0x7fff5a954708,0x7fff5a954718
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2764 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2760 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3396
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5692
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3916
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7020 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9362747208588070255,8580794161047714759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2744 /prefetch:1
  2⤵
  PID:4796
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4556

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5672

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\53a42d6b011b4377a214eb9494385811 /t 5776 /p 4332
1⤵
PID:2728

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\2b8c101d493b442b983a9d4a34728347 /t 4060 /p 3916
1⤵
PID:4772

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\62d69a690e8c4c9a9892da6b46d098db /t 5696 /p 5692
1⤵
PID:5716

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
ada9dca9345826b7a7392cf9d77c6256

SHA1
9065b03367fd04bf439a01ecaadc2e53a060d600

SHA256
a05c0e4d0d53a49cdbc967c8b1ab53a057a12299608a819641bfd9105dc00b74

SHA512
3a044664a20120e800055f1e68c5f30d7f9727cf10e4773bcc23cc698ea570216707bb142694157f3f0d4130dad19f04a7f97b6d63b0fda8681e1e7e5300c154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
83dc9ba0498de22ae1ff19a019deb9da

SHA1
3c4d7158aacc3d8abe863bd9183a9bd6b982fffd

SHA256
ee9ab1a33f47f95c77a2dc89552a388e5c86361bb3f2db2735c06630d41a8f4a

SHA512
c211921bf9dbb0fa57ba65bc2ad13a0f878edb593d06a42ec282a0df9729a90e767b51fce75ab45659b5928a96108ed08a22c8cd82f385a2e7e54298a2354db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
8251d63f5471060bcc7c27a93f103bdc

SHA1
f5a7002468a84f30937e16b93da1efe6a9b21a02

SHA256
1287e04eb10b92d85f85b24407beb1233a27491e3809118bd9358f56e13bc81a

SHA512
38597d42fcf5461a2b9793be13a900de1a97c9023ebe654503188a95e609fa5c16f843bdc341fb2c7fb208d3524cffd8aa91b556ac03bc2f2cf7ae1fe29befc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b5b0ea9e862c7d5075975fd7f5614b85

SHA1
b6aa149c2d74ea208878c6a08e9e2f84d5b33957

SHA256
89385e7aa524291f77e521abb298e88b1ba77eef028e1f84b53470c05d0b0720

SHA512
160ccd3632b0e34e9ad2ba73ed3fcad44151bb4c3ecd649459d4c196b390d9f62197a9a7b1a272d9591f6ee2ec59eda15f68758af40437690e4d7b313bc6857a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
098450292601d71f3edf43da6f045f5f

SHA1
5d436a9028a736dea5426968b5dd66c8820b3db1

SHA256
6019365b3b27a2a9fdae41e06f345d70cd083b16c5562d07808e912d8b6109da

SHA512
913c2767b801b7c3f546567660566c278966dfe7e121fbea36938b206d92e7080188bf0b5225c7393904392e15e215ccdd7b161b2e1ce4837339a6a9ca805b18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8016207b3605ee94e827bd55d026ae76

SHA1
ef930fa8176ac5e9845b184a1eb6c1d119706010

SHA256
8ad58b89338c235c661f1376662f2025bb682320161db9910ccc47e113bee186

SHA512
a03f912797b9fe0a4cfe45bbb1220be40d207da227b01f672be0de2654c1e3a78ca1ca8dc0fe266f1ae8dd3e8307d74afdc503ad9bc040af731c8a8794fa5672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
33ace2c51d11a99688e89780d0903896

SHA1
796ce50294460b53e38b566f4d913d70f6066540

SHA256
8d5bee7bafc681b8acf7d855230ce8a86033cadc40618a03854ead2de2378878

SHA512
dc0de4039bd4f44d479ff29c5cac8330ac464730338145c122ca05e6a02c9c963311d6d7686d999569a569b31be1e63d24ce2429e3b69053b8083c9e41329446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ae6c64d8a4fedb8a2fb7dc5c2ee036c5

SHA1
608430bbe882c8de1811b4fd03acc8ab755cac42

SHA256
c2292adfc540ba3cb73934a5b67e257ef82a7b4efd5f4fdba573367ef618bec3

SHA512
d2350d50f9e39984abd2403e13f87088733583e7e4c76b2be9053ac3ed750a09807ef461cb4fadf91192039263daa27ccdbac6a8011278b725fc133f8619a45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f2f279f68733f8530c4460bb0ea999a4

SHA1
ffcfe5b88890fa0d1f76e2f2e56553fef9cae001

SHA256
489b21f2c2beaa2a4c9bd8701a79bd44c1c64448aa1b3450defa7db58c54d1f7

SHA512
eaa11d4346c78b67502e22e4083a6b960eee76b6da0a97586138ef62b2d33326c765effe05f99ba2c3ed95baca1c88554657edc99d86448fb978593cf88c2110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4ac1b2f1ae0e56ccb96c8084d1eac6b5

SHA1
1ae28938a73eca313a4c056b1ed2fe057437d764

SHA256
5ff80eed1a5a981aca60f5888bb6c023cee64511c695dd84d7dfc44f06cd90d3

SHA512
ee09f1e84f9a5216bb12635075bf46ed65521a48a19188fb14bdaea60220a4dc87fb7d0dd666c05c907b7e597b0dc0c530d0695a99b75dffb245c359c657427e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a237e1e3cd0ca93880e3a76afead3520

SHA1
cff4e4d58e45e15adb164dcb455cf7cd4e8cf7d1

SHA256
f54df23806e25d47eff8cae8ddaf3da1ba93ac06cad1a69c6981a8b18085d0e5

SHA512
93e1ffe5597c747ffa6c51067dae0b210cb3c847078884d82fd311512f7266ee478b60bd410dad7da925b33ee177047173698bd31bef476d6ee397b3ac76d046

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5838ed.TMP

Filesize
1KB

MD5
661838a14315c48251d220732ffd7215

SHA1
1973fc51b33541ac3b61dcdbe106de9eea58b640

SHA256
bcbda7d3edeab3019b3a7d4fdb7f2a38c5f89a2a8c7f0b122bb0f25462d7f9eb

SHA512
b256c135f8b83d4d672f598f149e3547c1b6fd66cc721d7c14ed2ddbc68769a572a92aa2484662f9762e2f84b5b83261cdab9c64751cc0178f32424e1350c0a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fe7debc548f09fcccd7820af1897aac7

SHA1
764b9afaf3245e6e1444483f4b8d116d94791093

SHA256
06dc6d8c9c79cee3708a6333dae284185aab92d83dfd7af8d6693b531be5e077

SHA512
fa2a1df60fc89b9f3cfcfbedbb8d9d26da4dda62e814e9d6153c6f36b5fb5fedf7d16bc8d36dc35a0fb3358b6c62ce078234422aad2b53bfae94557fc33f3f7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
017f85e04195c415817482abe38d14a2

SHA1
d8e9fd99e6363389fc5733c9df214238b56c2404

SHA256
7dd31f78061b24c80dae646d6c318f5ce0cbfba76b982715ec3a5e9ab84a2474

SHA512
ff3016bdd7e6b40f9c6829a239a5d0c99606329d9564749cbdabe6b6eefb8ec5b12ef9a50ec82a311d8a07a4af0d0588fcd9a503df38b8cc2a85e8f5c093ac8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
34bd49ce89121b61c1d1f0f5bd1375e6

SHA1
8cc8735158e7de65c7b0566e54ac444867443f26

SHA256
374b4c5951acba960743cf11f4b5739c429efc8a562eafa2aac5e8baf91df269

SHA512
703b1cf2da0615c3ea9cee9ed88fb254ae7ca4a94321c9ffbff5e6a14a05df9ebdd027b685705beb862f1e003afc1a80bfdcfb51ee2d698c51592673b83dde04

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit