hxxps://drive[.]google[.]com/file/d/1c7SczBKtnNsfr8dhRMBmo8961IRT1AQm/view?usp=sharing

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1c7SczBKtnNsfr8dhRMBmo8961IRT1AQm/view?usp=sharing

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
5732	winrar-x64-701.exe
2248	winrar-x64-701.exe
6016	winrar-x64-701.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
6	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 481852.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3772	vlc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2308	msedge.exe
2308	msedge.exe
1276	msedge.exe
1276	msedge.exe
3544	identity_helper.exe
3544	identity_helper.exe
5872	msedge.exe
5872	msedge.exe
5724	msedge.exe
5724	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3772	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
3772	vlc.exe
3772	vlc.exe
3772	vlc.exe
3772	vlc.exe
3772	vlc.exe
3772	vlc.exe
3772	vlc.exe
3772	vlc.exe
3772	vlc.exe
3772	vlc.exe
3772	vlc.exe
3772	vlc.exe
3772	vlc.exe
3772	vlc.exe
3772	vlc.exe
3772	vlc.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	Process
5960	OpenWith.exe
6040	OpenWith.exe
6040	OpenWith.exe
6040	OpenWith.exe
6040	OpenWith.exe
6040	OpenWith.exe
6040	OpenWith.exe
6040	OpenWith.exe
6040	OpenWith.exe
6040	OpenWith.exe
5732	winrar-x64-701.exe
5732	winrar-x64-701.exe
5732	winrar-x64-701.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
5216	OpenWith.exe
3772	vlc.exe
2248	winrar-x64-701.exe
2248	winrar-x64-701.exe
2248	winrar-x64-701.exe
6016	winrar-x64-701.exe
6016	winrar-x64-701.exe
6016	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 2188	1276	msedge.exe	84
PID 1276 wrote to memory of 2188	1276	msedge.exe	84
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2168	1276	msedge.exe	85
PID 1276 wrote to memory of 2308	1276	msedge.exe	86
PID 1276 wrote to memory of 2308	1276	msedge.exe	86
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87
PID 1276 wrote to memory of 2292	1276	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1c7SczBKtnNsfr8dhRMBmo8961IRT1AQm/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99b7b46f8,0x7ff99b7b4708,0x7ff99b7b4718
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6940 /prefetch:8
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5724
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5732
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2248
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5828 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1212 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2189471880360859835,8578846445371916386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:5536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5960

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6040

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\da66809c865946f0bc56c8028340ba3d /t 5560 /p 5732
1⤵
PID:3796

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5216
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\CrosshairX-AN7HON2.rar"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3772

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\6504dfe2e92b424a9cf122e00be91f2b /t 4964 /p 2248
1⤵
PID:1892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\31b3561c-301f-41eb-92a6-f85899226b81.tmp

Filesize
12KB

MD5
03fbcb0f142f168ff2fc1ad63806fa2c

SHA1
da4aa47086d41081b3809d387d332e0a53417b45

SHA256
46fc2377b3c9bc0cda5a753e94c5a11a31bb1bfe0b06bbf39786aeea6c3ca974

SHA512
a5bf99dd198485a464edc4922b648e9ce741b7c91d985abf9a0b8e4bb48ba399ea1ddeeffda5968fc2df0503174eb9c178432cbc83ecf0ecf3af7550c3760778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b29dc45e0769bdae92e7d74bcabf16d4

SHA1
3669675e0dc63612217d9b4062536c7d093437b3

SHA256
5d863c13da78352bc31a8bd4da5b36ebd6c411c6cfb27baaa9ebc8a154206cf8

SHA512
a2d98157ef9963a672029fa2710f710b17a5d6c2926759d2ae3de4dfccf0b0d441bcc615e548dde4bbaba30b0ac5631013563fcbae763b0e63f64724831c5456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
694478ae24ed2258c577d73b33331a29

SHA1
82736eb6520a0e10028415ba880149bd9883f297

SHA256
03d0db4adfe170e14ffa8963c8395a68c26e12c8d0e8118a3b8431cca3a51502

SHA512
8d447ebae34ba52b347f818b622b76ce39a5d0dd35ecdd62e0b162a3c9b61cffa11823ff9ab9bb08fa0b74d19a1783bb484cb33427e3d9450030bc0e3de56d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
ed6e90059bea3566fe54424910e9d893

SHA1
0b21a6cdb2dcfbef01b8a0ddb9920f66b76f8c10

SHA256
319a765e9234f08836b8bb25cfc1f6d714b1ade9600e7e76769043638602ef45

SHA512
27f25329b93adf42b48c9652760c6e2defb6575aeb158a0b6868df0ce8da616a46430cccce4f81050f334e4b0e4684443f04388d3b662acb3da1412546b9cd3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
5650538ec313f652b577fd20afc4603b

SHA1
a398683bee19a8ecdc24cc88078c50b2e8cb7ddb

SHA256
204734fb69a747e7df6d73e16ca7f81a6869a7ed78dc818d19888463395d5a5d

SHA512
50860bc77601c146077c83b9747973faafcc0d6ec3803ba88f21efd52312479c5dbabd0c54843adf260f37a9324b110af9fc8a8c5caef3777b0fbace21bca990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ba7e4bf6058a1d5a6cbfb8ea1f301045

SHA1
619f0141e329dbf7ee31769565d6b113bf884d90

SHA256
860e09b7e156e05a6fc6ccb6760df5cc64f2906b35d2097636c1512297acfd91

SHA512
2956b1aaeb2f5db9fa447a47624a07b9744030f45bf88553a90063f9719ceb97f99fb3582244d10e48a8435466ced0296ccb68ac7904dd603c353e90742a40c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
be0f2a628d0b2e085971cea97ef5d9c0

SHA1
4e69600dfda07d25b92477a90c7f4db68a19e01e

SHA256
cc4fec6d15cf621a1d874fe35a7bb2d8fca0c461402e40e886aa3bd0e2f32dfe

SHA512
a20e1eaa27f6c845ef3de31db9423a98eabe7ce00f05a8016cc00c916647f061c089a9961c21884bb6e62fd88fce4037872583dbb2094a0cb7978c9f713ad856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
be5bafffa132b204a1f4416b8b38d644

SHA1
b1a89326c46619c41e0f074f0842be48aa50b687

SHA256
ac01ec79e1cc33a12fb482dd89db60845064964cc33d8c3d68ffb438663fc4af

SHA512
2cfe30a3370447b83b4e6c4b61af5604a3d80c27b68742f76a519b253d5df1300d6758f863054eb21541c84a6843d289822c29642c353a1d4bce94e1f2f8789d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8e65a091e7b3ea808a0b52e09a7e0290

SHA1
ce26f3fdc16455683268a7622d4256e6493eb917

SHA256
a6126ad1114d56d4ee91c44b2b4564ce063688c30680cac521cd1f90ecb5095b

SHA512
5b443602a763bc064f17d1cc8ca09d7e03125dcbfa0eab5c7345fcdaa7bc908dc9cb52deb6bd790448562b8086e960169f64d50937c8f1bed6d493c8f1d6e464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
25d4b5e1705a248ecce97f6eb018b478

SHA1
12f38bcfddbff7050ff3d28e2a9479e49ef3b0e8

SHA256
e52f353abc8712c0de07bbf74f70ec4f394e28372597ffa0eef65b9c2e062aad

SHA512
c6e43a343639871a3818b6e50314b67cd0f87b28d6c24d85626cb447b5c25412912fa737d268ad27c83e610099cca9736fac88ca40e4210afed40a0beffe710c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a817bb0875ca1090a8bb9e2faf223365

SHA1
7dacb13d91bea01372dacff29c4494e9ab48c985

SHA256
4fb6515d747ec6b7d387cb4c41312f63b80c365c6ed2d77f66c03c9b6fc1c279

SHA512
a64d7dc3cb24d64e634c9b67d333cc73cafec915482f3e841971b07709e8a42b33ceb78474abca407b5730b2b0a11e4e1ee5ea8bb8687954a163a6a678440661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
541bbffbe05f3766e9dd5b90b59e54af

SHA1
14476ada33a541cbb6f1122bc66a83aa4e19489e

SHA256
0d7de34dc3f87bd5e254e4d5eae06fcc662a2fc81734918b0401ae74387cc32c

SHA512
80ec4327973b09cda0542006766a77413d63c59d5efb3ef83837b9a725c4cb14fbe023d4a10691bbc5b429bc787d70470ca431a2a3be901617ea0eefb4ef7cb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5847f1.TMP

Filesize
1KB

MD5
c594cae249f400bf5fb0d1c66077ba41

SHA1
541f81c5c3b5657c1613128da787ac6f6ff5ce5a

SHA256
67b8dd3585c6d09802bf17dd52606a039e2aae4d5aea64a5136e5f5b5447fcbd

SHA512
8cdbc8fc4cb19f2ad3eb8d054c6b56534c61435834e83fb143b269223a37defecdbe062300a5663f8e87b0ddb7cd8d3dd91ec63a0a1665b807386ceac2a95f38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5b0de13fb155f00f02dda2848bbbbe65

SHA1
af167ee5ba319e3abcf699bd801e05f4b063236e

SHA256
7ee6063ef3c2a21e53fa0b4b521714e8ffa38cfe88ebbf03af2704f434b53c2a

SHA512
b10a2b7acb4d7477df59f18897f9e2d6c6996a9a174ffa620c46d5150c3e93c194e82b671e1299b18dfe27d4f1700d17d49c6de53906bfd5a4c547f5c35e28cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
266a4312138406551ff5453d6bcf9fb1

SHA1
34a17f7bbf19a0880640fb85b48710ad05c60287

SHA256
6631a37c1cb002253f3b8b71054bddfca5618cc246e22d8ae01f8182eb2997d4

SHA512
986e9039139979c2bac79a9fe8188eecdc25c1c0ce1f44afaad28464dee875bc24e6859f7df4a0816ae699fcb87053306b60eb6026591837792750e4b4a0aef8

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
86B

MD5
c9a8ec100f79ad687c98ce8eaa53e807

SHA1
c3c276a7a7cad09d0401d3244a7d3cedfbfc87cc

SHA256
2c7ccd980e84fd628dbc8a8d302db3347a3ac4e18f1f67cd6ca3fce7080bca8d

SHA512
469fe02b7ce67f8cbf418713eec78b57b03bcfe047e05af64bac5843ccf6e2e5517c82be20675dbe891274c2c8c7891fa5342fe92d7e22282b3d5e09b672f59f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 481852.crdownload

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
memory/3772-440-0x00007FF99BEB0000-0x00007FF99BEE4000-memory.dmp

Filesize
208KB

Download
memory/3772-439-0x00007FF67C8A0000-0x00007FF67C998000-memory.dmp

Filesize
992KB

Download
memory/3772-441-0x00007FF989E70000-0x00007FF98A126000-memory.dmp

Filesize
2.7MB

Download
memory/3772-442-0x000001B127990000-0x000001B128A40000-memory.dmp

Filesize
16.7MB

Download