hxxps://www[.]mediafire[.]com/file/v04wcs9dlfq5ke0/VanishRaider-main[.]rar/file

Resubmissions

25-01-2025 21:47

250125-1m6gcssqgm 8

25-01-2025 21:19

250125-z6jw2azrct 10

Analysis

max time kernel
125s
max time network
124s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-01-2025 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/v04wcs9dlfq5ke0/VanishRaider-main.rar/file

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
85	2212	msedge.exe

Executes dropped EXE 1 IoCs

pid	Process
4392	winrar-x64-701.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VanishRaider-main.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 519735.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2212	msedge.exe
2212	msedge.exe
2144	msedge.exe
2144	msedge.exe
1936	identity_helper.exe
1936	identity_helper.exe
4156	msedge.exe
4156	msedge.exe
4840	msedge.exe
4840	msedge.exe
3512	msedge.exe
3512	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1516	OpenWith.exe
1516	OpenWith.exe
1516	OpenWith.exe
1516	OpenWith.exe
1516	OpenWith.exe
1516	OpenWith.exe
1516	OpenWith.exe
1516	OpenWith.exe
1516	OpenWith.exe
1516	OpenWith.exe
1516	OpenWith.exe
4392	winrar-x64-701.exe
4392	winrar-x64-701.exe
4392	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2024	2144	msedge.exe	77
PID 2144 wrote to memory of 2024	2144	msedge.exe	77
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2500	2144	msedge.exe	78
PID 2144 wrote to memory of 2212	2144	msedge.exe	79
PID 2144 wrote to memory of 2212	2144	msedge.exe	79
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80
PID 2144 wrote to memory of 856	2144	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/v04wcs9dlfq5ke0/VanishRaider-main.rar/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ffe9a0d3cb8,0x7ffe9a0d3cc8,0x7ffe9a0d3cd8
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3344 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2520 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7116 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3536 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3432 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3512
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,16698149587720386527,8683824092670149811,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5192 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3000

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
dcd21c47a64b93196d2a35633d76027f

SHA1
166e2d2622326d2b2dafe6e1f98b26593b17f41d

SHA256
856997257ad87fd4af95cc3e9757ea3c9eb9069316862a16fbaf1068585856a0

SHA512
3d3a1c01d404e89caf7cb82c0c80fdb4abab8f4f32cba78e750e2f92aae45413db4e3386d674c4a99cfa37e824b3473823a3cb6310ef7f94d0468e4a5f23d507

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
75a4648fc2e26cf547e9045fcd67414a

SHA1
5f121a2b6852ae4502954a4118a996e25e81ab25

SHA256
64edefc5d6871e84a0df4d42e9e48c7d3ba6af503b7f657ffcbd56f8444ebf29

SHA512
ad18fc561826eb7a291bdd2469c4456839703097949c815960aa9ac3a294976d0478eeb64220c3b77a1ead07fbda30e6f75a53bba0c89b40fdd9f87d9ccc253f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
39db622a214953c56e41c506da60aa71

SHA1
8dec3a09114c2a20328a415043a075b8c7a53e8a

SHA256
dd0d8124576899a354615a607fdf296feea08796aede206fb2609a304e5660e4

SHA512
1b924a24632b3ed28d6214b90aaf43884cd54585fe0950d50c3001817d728a141db36a1e9cb6c70f75cb56b99daa3e30e305d66949b38a8537b128334fe98dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
8c2ff73bef8e757a2447b613ee2913e3

SHA1
e9560e3cde88142491928ba994948af62993117c

SHA256
c6369550825f49c42e749a389291e8a5201738b7ac4f06130eb6ceed5d0428d0

SHA512
99868f46b2d537af487c30bf11c57bc89ecec33cc82f98ec6aa4f041aff4be8172a42cc49e1f82482589892ef2301a2f926fd833da796d0cce21ad3803a3e230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1d42e518f05405c5facdc934bc24697e

SHA1
c4275acd4c88b5235af32d9482b5f36fc626daf6

SHA256
7394c34233023b0a4de6028119cabafa74bea6342992fabe5307d30412d8ef82

SHA512
12909514a409ad280c4071f37ea6cae8fe3229da1cbdaff5a2f689cbc859c11be947bd56d8b696daa89678c341dd07629596c78adf934d61c99cb6df62e4bc53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9f5139815e4062d57119e3cf112b6184

SHA1
5e7348e4670541e35647c233a529b2ee5be09eb6

SHA256
b6812990a3c949f2b9cb610696bb890fccb0db177946865f8ac7228d0e94a371

SHA512
acb113fbccbfd57f0c3bcc936c41f81b58d197f1ca89adf750989fa524055a302927800cbe00167396a3c1740c720c4982ac966c87afdbe8d082e0ef3813f9c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b7de861cc6b0a8b41ff81f548d1f5e6c

SHA1
82bfe981bd08febc5c0fef53a5d0cb50ea3a0ad8

SHA256
bff860746d314e5916e1b07de4f5c53fa767c90e73bb5d80946395103eab9800

SHA512
2ae8dfb5d320d7c85d3b1d34c028acaf5094c738653947b67254bca6ca379399189123dc3196cd1176dc92dc251b9c256fe60e3e3f7c3148dca4b827abfd4174

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
970d99c894782e76bc7f3e59ef33c1c6

SHA1
54d8c8afef91c7f5318261962db70452e0c323af

SHA256
83a2eef6704a9a8761863b8bd5e0ecd4cccdc4d2d11c058718a31bfd9496903a

SHA512
7a58cf6a33a9035466d396b72050142588446c77b10fab67a836ab25c068532090433fee758317e076e9b14ec762de66c46be3714d9a20df7221efacad4aea62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
03a6d1b5bd465475f298b6913d2ad40d

SHA1
f767812fd5fe3d261d232cef777769367cea9804

SHA256
486f70ca32c5506d49e3553bdddf5ee4272a4df59e642a01c33206b95a477de1

SHA512
2a06e5f1c373d1494d4161faaf2c8a7b522ec831fdc36e1012d8263bfe1c0e4a04db1c7d388438de02e2b2bdd8128c4c3f77bb25baf20f470f1659b2dfca2594

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
436ed3ff805f4be1ac7ba8304d239c98

SHA1
57b7a8a29b375f00c8dea36ffeb8ce051322cdf0

SHA256
33d6217c2253a8f956398c11b232e929dbfeed659630c1984b103da1aac34703

SHA512
29d40f4c55bcffde87e96702eb39fccfe4569bffc14acf4c864de9540c37eb4bda902d2245a0e73ae6f9793113fe0ca5fbf01a10e25fcf16533c7113eba29290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d8a8577cd1703343b79c96c3462d2e20

SHA1
046a2fea220b60f2e433046825a58fa70824689c

SHA256
a9f21a242c0b2fcdb3d6eac99224f4897ca5b854f96646b3eca2d2accf60043b

SHA512
d647cea5dc2967a71ee07f3199973198492d33c4a36d89f7126b6322deb9474b1067b39062b1e8eebd9625e672924e3309ccdd707704545afd3be4606b35f7c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8733801932a1273ab23dea3283997e7c

SHA1
9d2ff62c90bd10f18bf9e1afb532b9ac96849149

SHA256
872b41f5510afcf12efb5b68b0b157dbb02c9410ef006878422782d0c17168dd

SHA512
733f8577c04c443f041526016bb9485fada5c91b2db9e779ca5685f8beca2e30072fe9f8cafa5531b118fb9e0420fa97f34252d6dfd8675bf4719e54ea063808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2265dfbc3d85de50317116dbdb98e503

SHA1
057c08d9c0c7ece5bfcc5a21176c5f9d5777df21

SHA256
743f0aa67d444db3e6ba96538a5bc2226ca49ea3766bf56f7779f614303c4310

SHA512
501bbf9c6a323072474b040a9398145799685a28ba9d62ccddbc067080ad671d1fdab5b0028df16b88f36b4427efec21efbdf5651c5eecaedcb545d372ffbb55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
58ff03d25a1d05f8726ca8f07f41a457

SHA1
45a5f75e5af8c1377cf980d3b7647e43c1485c1f

SHA256
8972429c1d021db90f9015145d4ae22910c37518aae56910382046f76c3465b2

SHA512
e08f8dacb4c69241ca0c8a852d8826207d2ea21ee0f1277163c15619fec6c5d0344c905fa449f61bbe2b0e3ab4d8e9dd509cd53aebc4d37f85b938d7ae61a809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
59e0123e8a508f35e92530ba0849355f

SHA1
a83bb96d3475b39e9f12c5857c0763dd1f140143

SHA256
f15c704abaa74b5b2922aba685cbfc2251c0f435d7eb8c1382db545ab6fd35b1

SHA512
4c4e574a9a8832e588d2b5f6a804c00412d169cd2debeed5f2a1a82ab55f5accd94ed609dbb14b4146f243de1e54096d146206705c2bf1f07b0e09076e16d505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e04e.TMP

Filesize
538B

MD5
ad7e5ed786bab8a5fecf5de17e6c50d7

SHA1
494e6f5849170f643c22d403351d77c1303757b2

SHA256
1d208198811421ba8a79b31f40570c4ed24f9711d9f5bb85764143ac3ac33fd0

SHA512
ba7f9a2ad7d23476670d8d32ff563de6775a3cceed7f1c69b4f96843e07777a075a8a28d9c7aa7957f392794b28728b5caa89b1534b7cc1e90e495ff39b687f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
94dc3b81f88ef5508a83a19cb8545976

SHA1
d91fa2251952f71bab21e723c3420b163e40c513

SHA256
21a4a9300967c829635feafdea0199aa7a7a44260e75be1e46240d5a1517fdb5

SHA512
ea346c975e14d420cf83c25ff50d589cef852925f120c429ae41362b54c8537a32aff3736e10d416ea37d493762a6f6f1fbcac468bff14969dee6cd5da238083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
223bc5b773c3251148199471bb726393

SHA1
3fdaf17f5ae5bc4518e90850ae6886869f59d1c1

SHA256
9668a59fbb24e8a94a61b4519a492b3b50389a5f35c3ac89b3a33c3aae174505

SHA512
df0b589d70214938d5aba78c8d69b42f760b10ea6108d74b587f78947ff32b601715899ea7e980228d8d819c07024f5ec6870f1211b8da1e04e3eac584011298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ecd8b3f4b55e9a4ecb9bf07a38a477a3

SHA1
f1c44892e09cec5be935ab2582c639be7670b801

SHA256
6ba97211ecbe8f26c49d4901d6b2c38f02f0bbd5a171c1d2c5a23bcef3ce093b

SHA512
006fc44d089eaaa3309b0921c97f96c0e286000d12588d965a3f64740df6da75d8811d95798ed05c7a3b1dc9d64f247d93c2e339c8267d9b5f22b49e8c22f96f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 519735.crdownload

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
C:\Users\Admin\Downloads\VanishRaider-main.rar

Filesize
61KB

MD5
3d15d9b5d05223d0b812f1f51eb05ecb

SHA1
7f0f19e7128f546193685be6efe39a2ec61d8175

SHA256
c39552926a046eca64dab7cafbc9002ae22d592cba749fa03b6416b4a299431d

SHA512
7c65b4fddf10687c119718d136e45c570c4a5f9bb2ddbb23731813b5975d79a91ec062d7722909ede8ced4ac5a6fdb654ca9f1780546f50400f5de095f088ef1

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier

Filesize
86B

MD5
e681dcb3a6a2da5897ffc74eccb9e641

SHA1
5030136488dd0297ab7a98be6b70dddbbe317be2

SHA256
0c0890a6613faa8d3dd86f959a8b92b5cc4e8d9fca496d20fd31c776f1fb230d

SHA512
a9bd3158bdf46eaa45ffde3a974f0775619f4f856aac96b99f7356893e386e88097fe32894420c217b7f931657a95f41df3e682f71fc2dee36376632d49d911b

Download Submit