hxxps://drive[.]google[.]com/file/d/1nmRFKQi2vm4vfHpmGZ4_Xitr_aTtZuGC/view

Analysis

max time kernel
159s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2024 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1nmRFKQi2vm4vfHpmGZ4_Xitr_aTtZuGC/view

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1692	winrar-x64-701.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
8	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 995290.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
1180	msedge.exe
1180	msedge.exe
2600	identity_helper.exe
2600	identity_helper.exe
5800	msedge.exe
5800	msedge.exe
3700	msedge.exe
3700	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4948	OpenWith.exe
4948	OpenWith.exe
4948	OpenWith.exe
1692	winrar-x64-701.exe
1692	winrar-x64-701.exe
1692	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 1188	1180	msedge.exe	84
PID 1180 wrote to memory of 1188	1180	msedge.exe	84
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 1776	1180	msedge.exe	85
PID 1180 wrote to memory of 4796	1180	msedge.exe	86
PID 1180 wrote to memory of 4796	1180	msedge.exe	86
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87
PID 1180 wrote to memory of 4916	1180	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1nmRFKQi2vm4vfHpmGZ4_Xitr_aTtZuGC/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7eb846f8,0x7ffd7eb84708,0x7ffd7eb84718
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:5900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6924 /prefetch:8
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1732 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3700
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,9757630311342279011,4431881606672612845,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6924 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1868

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
29a3e95a0addd34d6bd27f6b17d9fc5f

SHA1
1045809b89411ebd38d7055a3f6535f3e9381ee9

SHA256
ad901cf431a2cea207a7f9014795f62114e59145f3f1641df4e5b5169792ef0a

SHA512
44de978c63b48c744f6ac2fdac026afc7ef40cf6e5003fa41eeebe137940c310250fcf7585ca3642a3a1f97b224ceb77457108c50d7c19d60d715926bd35612a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e7ea0c7eef54b7f349725da544bfbfe5

SHA1
376b2b61bcd11c6acd80b2a522a45ac09db156ca

SHA256
13a7ddbbb29db41146472ac65ab8865fbfee53e50bcf8b623da8ffeef313e885

SHA512
431d319f88a21774051ea06104b2fd5b987713281ad5bb0a8a54f69d69004f68b0a2e9c64a6fb00a6dca2dff635a9c51d51c4db31c54e9623ec51499f572752b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
6c37fd3a276fafc371a11cca91a68fd8

SHA1
06b5d96c0f4a493e3ae52da323a5c065b834c3d2

SHA256
9851295fce9ff194d2fe4978428cca890a521fc567b3e65beeeba53487fd3548

SHA512
5145df30f3de4defbdd6c7c195dfb767ebe7448f79fb75a0bc6b66e1fbd2c05409bdd4d37ca9c65dfe34110c39d7c3732d714da6f28526940f14fd37fd14b407

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
8f7419c75fbbc7f0aeb8c768d13dd89e

SHA1
c1224e0aaf1158fa759a2027fb2abfa1ea2dda2e

SHA256
a32c0465762c637e1145c2669fc49ac803ca3ad584778933c7c0f871792e1722

SHA512
8a5af35b29c540ba5cd81e114a55492b2e57e4529fbd2d62de733b0b365a7c144f052f7b582d29d8de92c69d50e3298fda0c9e0086b8d60687f398b9f5edbc87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
2f5c36ffdb995dc14b1e56cdc7f03c04

SHA1
be95a5276a0db978bf6c78fc221de48ea384637f

SHA256
fe02ea26f078627e3e0cd13f305bd5885ed5c6bb6bcaac1fd8ce12155c11597f

SHA512
94560922a471f43eccd6e5dd0f6045189003f19ae7f0f7fe29004e349808d6112237a0d15248b56bd5ddcb68927015cbf3be632c4301e1a764d7936e6b107be2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ad92806cde11271a4ff226d64eb040bb

SHA1
1d00cf6fd642e2a786b87eabde689059ba76c86d

SHA256
bfba3b46b8c9e02b6b61e9fa0a8b13f1c96e7aa7d61c11e6bcd5e5fb385c76c6

SHA512
5cd4cfbe2cc90945682e08a93a213ef7112f0219d3f02af84833c115c8fd7ea8fecc0607f07372f88342b7c348ef25274bb3b3e46316eb7303d03566bb92a0ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
296800637acc5632f6cb2d765b3c14f4

SHA1
8739c9c03e7a95d9a7ea075261f08d447c69bfa8

SHA256
06dde6b28355a8ba74284931480afe538f6490f858de0b5c6bbf664d2770de4e

SHA512
69c6c6c2b03cea6d63d21eebecb9474cb4a6620a3c09fc8bb49192ae7d4dbb4a6a8588a3c05eb94fd826adb32f115196f953cbc6c1a485a1ecdcf0476d903438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d746554515f28e11b3743a190c74d014

SHA1
4733c7629d3c6d7b91f010e66f261f935a75aced

SHA256
da61ab114504ea9e3b55dfba9218553601dfd5ff1762a1d7d9237ad06bc5a466

SHA512
fdda19279a59af5a07587adab8c3fa4a4b4aedf9deed197705887e58b7c2be0fac1dd11128a5215bf7e90d4473ad01b588d8ea7460e87a9a4e40689a8d9da9cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
56e7072cce29316db02f665e0f787424

SHA1
f97af1ff816699e1d1ae6c3bfdbe9c1f34704506

SHA256
b6d031cc08d1074c3410de4ee984b2e13116c5876ef86f48281c7e46bd6b4d14

SHA512
1529addbf2e0fbbb6b3d543c80805ea8f1d8744267fc8ab400dc21e8bb1938040cb0ee50e8fb30b04e02e72c340b915f7258977ac5a4c627c76429c1d212bc2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6141e61b2e9827a1c7a1523cad4d95f5

SHA1
56194d404a2025b638f31fea94adc453e9261258

SHA256
07fba753dc5e1220e382de2a3cd0c67386fb6d9ab872be4cd0a50ba9dc33ae9f

SHA512
3a5077a5b2bc2b2e9904b73656242a39a2a0e284ffbcd159a0eeb1c7fc9c6c0aeb1ee48ffe93227b71704b9e130e0128ab0829c754a76c620bda255526585e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9ff59e0d10a3bd563f8ee5c88c3cad74

SHA1
613429a7085eff3365d7ccbdd8d9bcc861a145d3

SHA256
27a3329cb0a509781acf543dfa0387c794e2d3b66303de42e24303ebc13658d8

SHA512
af95beb5f1c8b2701a41d77fd137fa0b7ecef1711826256e4bf309d90764ac1a1dca425d462948da7b28c1ab169363967698e36ff83e3d88b4e1bcc42fce4d1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a19310ce14081ad065af163e74796a71

SHA1
45eafa0758b98a3fc65c5a5d20c03dc399d58dec

SHA256
7ab5086d507eb1870cbe75ec61da0197bed2293c0b4703ac44da670a5cb33fe1

SHA512
1c276d57da997a38482f223f61ddce8b31df2602631ea53e70f0d8a6225f4f7d8e1dbe194f18b6a1ae681aaa234aa428d76a0e82da3b989752eb34a2376fd762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f176d2fc53b4bd6bba02a08c64294e3e

SHA1
42894d51509e07ad0f5635ec1a6c65e82c932c34

SHA256
7186f16d4284062b5900bb85d9ebf2f767f952e61a23784315d60caeec1a866c

SHA512
d9b777175c6a3d0ea09d49efdf512297f301b78397b2f540d9fc15b2e5a545733ed88934a236093f3d90ecd00cbea0e955409d3a64bedec0a6f0beca20fc0773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5885a6.TMP

Filesize
1KB

MD5
a87a5691bf08f0093c369b1713c20330

SHA1
478af7963ca253470bf4e49459c0050860756c40

SHA256
2ae2e2d6e1c5c0b9861f9d4aaca1f5314920bb9a12a9b1b4f4f132c063847b6a

SHA512
bc8a4ae8eeac86afd4be1790a94432b38f4608fb592e312b052a2211f1c2a94bfe4a30b20e53cc2c09c53bbcfcee88f958c0b698539ea8b84ce2ef70881f038f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
be345b8644e9829316891a54bc56619c

SHA1
d2b2928b320c6ddfdd187fbdc16e11041ff4ba02

SHA256
32e4e160aa682f7b2c6c1e44e82fa403d09ad3e08a4ef8fbbe9f5251e33f1ee7

SHA512
731529b61831e59c1fcf44e34ef0865df78daa82abfcac3a4a778dc6a072e6818a4ffd4a6b99dbe8dd93dc38c9118cdb1f59ebb2d188d2bc551e925e7da6b145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f0f32c996a8a039cd61bc8abdd689a08

SHA1
4ff002473d7049032fb36c3c4c3389b8407e2efe

SHA256
338a9ae9d5326d6a862c588224e7ff9557f924d34c8ca1097794a93d1334fe87

SHA512
4a5211e9da586404dd6594f81650f3ad28c6a69072173d0e267bd5cd68c057ddb068df295da50093bcec306424454359edfca3ec364d74e1694fd0d01d447701

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 459306.crdownload

Filesize
229KB

MD5
441484a6ce387f25b38f7bb1a9a863f8

SHA1
5c5fdbf6169094b0706ded8ab5c2412991435a2f

SHA256
381532d324ea1e5b113cac2d6b92764a365911d69f103260dcc1a27baba5e959

SHA512
8f6a5c2c578cd8634efc80fb6bf5be824b3fa404872ba63427ee9c3d8e4363df37e1f2b2c9b428fab0beb84e06e20406ede864c1d65a80e957448c0f6067232c

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit