hxxps://drive[.]google[.]com/uc?id=1lI-IL0gg8WoRTc-3cazYsUkFjjstyCRX&export=download

Analysis

max time kernel
205s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2024 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=1lI-IL0gg8WoRTc-3cazYsUkFjjstyCRX&export=download

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1516	Setup.exe
1316	Setup.exe
2496	Setup.tmp
2100	Setup.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
12	drive.google.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\dvaaudiofilterhost.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\mc_enc_dv.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\AdobeXMPCompareAndMerge.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\boost_threads.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\REDOpenCL-x64.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\ArriGPU\cudart64_90.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\dvasystemcompatibilityreport.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\VideoFrame.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\MachineLearningUtilities.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\WRServices.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\Plug-ins\Effects\mochaAE\MochaAE.bundle\Contents\Win64\mochaui\bin\boost_regex.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\dvascriptingNAPI.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\REDCuda-x64.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\Plug-ins\Effects\mochaAE\MochaAE.bundle\Contents\Win64\mochaui\qml\QtQuick\LocalStorage\qmllocalstorageplugin.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\Plug-ins\Effects\mochaAE\MochaAE.bundle\Contents\Win64\mochaui\bin\Qt5Multimedia.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\Plug-ins\Effects\mochaAE\MochaAE.bundle\Contents\Win64\mochaui\bin\Qt5Quick.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\GPUAnalytics.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\Plug-ins\Effects\mochaAE\MochaAE.bundle\Contents\Win64\mochaui\qml\QtQuick\Controls.2\Imagine\qtquickcontrols2imaginestyleplugin.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\dynamic-torqnative.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\ErnstLib.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\SynKitLib.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\DirectML.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\aedisplay.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\boost_program_options.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\dvavirtualui.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\dynamiclink.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\PLUG.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\Plug-ins\Effects\mochaAE\MochaAE.bundle\Contents\Win64\mochaui\bin\Qt5WinExtras.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\AdobeOldGPU.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\MPS.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\crxdec.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\mkl_core.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\cudart64_101.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\CFHDDecoder64.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\dynamiclinkUI.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\CloudMediaClient.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\DNxHR.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\LIST.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\ArriGPU\ARRIRAW_SDK.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\mkl_mc.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\Plug-ins\Effects\mochaAE\MochaAE.bundle\Contents\Win64\mochaui\bin\boost_chrono.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\concrt140.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\LUTManager.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\mc_trans_video_colorspace.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\MEE.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\RendererGPU.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\ATEWrapper.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\dvavulcansupport.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\eaurl.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\PF.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\ProjectSupport.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\ahclient.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\BIBUtils.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\QTParser.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\MBCProvider.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\CEPHtmlEngine\d3dcompiler_47.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\IPPMPEGDecoder.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\Plug-ins\Effects\mochaAE\MochaAE.bundle\Contents\Win64\mochaui\qml\QtMultimedia\declarative_multimedia.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\Plug-ins\Effects\mochaAE\MochaAE.bundle\Contents\Win64\mochaui\bin\Qt5QuickWidgets.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\AdobeSensorManager.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\COR.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\tbbmalloc.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\Plug-ins\Effects\mochaAE\MochaAE.bundle\Contents\Win64\mochaui\bin\boost_program_options.dll	Setup.tmp
File opened for modification	C:\Program Files\Adobe\Adobe After Effects 2022\Support Files\VideoFilterHost.dll	Setup.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1732	msedge.exe
1732	msedge.exe
1456	msedge.exe
1456	msedge.exe
3720	identity_helper.exe
3720	identity_helper.exe
4212	msedge.exe
4212	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
2496	Setup.tmp
2496	Setup.tmp
2784	7zFM.exe
2784	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2784	7zFM.exe
4708	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	4432	7zFM.exe
Token: 35	4432	7zFM.exe
Token: SeRestorePrivilege	4708	7zFM.exe
Token: 35	4708	7zFM.exe
Token: SeRestorePrivilege	4928	7zFM.exe
Token: 35	4928	7zFM.exe
Token: SeRestorePrivilege	2096	7zFM.exe
Token: 35	2096	7zFM.exe
Token: SeRestorePrivilege	2784	7zFM.exe
Token: 35	2784	7zFM.exe
Token: SeSecurityPrivilege	2784	7zFM.exe
Token: SeSecurityPrivilege	2784	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 3028	1456	msedge.exe	54
PID 1456 wrote to memory of 3028	1456	msedge.exe	54
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1292	1456	msedge.exe	89
PID 1456 wrote to memory of 1732	1456	msedge.exe	91
PID 1456 wrote to memory of 1732	1456	msedge.exe	91
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90
PID 1456 wrote to memory of 3764	1456	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/uc?id=1lI-IL0gg8WoRTc-3cazYsUkFjjstyCRX&export=download
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd794b46f8,0x7ffd794b4708,0x7ffd794b4718
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,15697115459036606027,13704414556675678733,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,15697115459036606027,13704414556675678733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,15697115459036606027,13704414556675678733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15697115459036606027,13704414556675678733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15697115459036606027,13704414556675678733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15697115459036606027,13704414556675678733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,15697115459036606027,13704414556675678733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3828 /prefetch:8
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,15697115459036606027,13704414556675678733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3828 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,15697115459036606027,13704414556675678733,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15697115459036606027,13704414556675678733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15697115459036606027,13704414556675678733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15697115459036606027,13704414556675678733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15697115459036606027,13704414556675678733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15697115459036606027,13704414556675678733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15697115459036606027,13704414556675678733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,15697115459036606027,13704414556675678733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4212
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\AfterEffects 2022 (1).rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4432
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\AfterEffects 2022 (1).rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4928
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\AfterEffects 2022 (1).rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\AfterEffects 2022 (1).rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\AfterEffects 2022 (1).rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\7zO0EA77DF8\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0EA77DF8\Setup.exe"
    3⤵
    - Executes dropped EXE
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\is-JOG7D.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-JOG7D.tmp\Setup.tmp" /SL5="$40290,882176,0,C:\Users\Admin\AppData\Local\Temp\7zO0EA77DF8\Setup.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:2496
- - C:\Users\Admin\AppData\Local\Temp\7zO0EA62EF8\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0EA62EF8\Setup.exe"
    3⤵
    - Executes dropped EXE
    PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\is-QKJR5.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-QKJR5.tmp\Setup.tmp" /SL5="$A006A,882176,0,C:\Users\Admin\AppData\Local\Temp\7zO0EA62EF8\Setup.exe"
      4⤵
      Executes dropped EXE
      PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,15697115459036606027,13704414556675678733,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5672 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e189354a800c436e6cec7c07e6c0feea

SHA1
5c84fbda33c9276736ff3cb01d30ff34b032f781

SHA256
826adca1e688de79a3ec5b91c75990927fb2a33ae717f474608c68336053f427

SHA512
ceb069a5e83a634503e253846fa17b8bf7aaa539c3353ce61251633d69068e24c5eadd1b496f43058790d2b513e65d2c0b0213730813d0b58bb82a00596e05e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9e3e150cfe464e9ebf0a6db1aa5e7a2

SHA1
3cb184e2781c07ac000661bf82e3857a83601813

SHA256
2325a6292907263d1fb089a09f22fbcc6bad56f4961d427efdef1abaef097bcc

SHA512
f5eb1e76eb9441cf5000d8d4db9296077b61714ead5012779c084b37f4bba07614055738f5dce69b13b25975d9b7c03eab049b7685eee09b23fd8d4a7d71a039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
766B

MD5
d26f6d8c4442f969fb81b5ac718bd537

SHA1
832d024f2860ffdcda489538a93fd827357c0bd1

SHA256
bc88edee2e9dc793cce6ec9bb247e0cb9d81775e3d3a849c57cdb1e579ba1d84

SHA512
be98e52b7ad750ba279798ec86cf1f509e0a9076af2f90a271ed8797b033fadb653d3e52e922ac1548fa9a0d35714d6c772281a1064b730c6b49eb5f9cfecd03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
797B

MD5
248b550498722a70ec98de5a25d2a176

SHA1
108bbe06e622e1fbc0d8a618ef46d3d43250320b

SHA256
4853b076aeb3bf001a120f725f9a1c784c2807c3691bf3f29e79aee70ac7ea4d

SHA512
e157e91b3931d939055ad4ccbe149efc3b4daee54f95238d9df162faeb15eb7a647af6ec9157da6ce3e8147489a32413f5c68cb2ed62a16efcb20470f064196e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f0550c6eb579205e49ebf92809b4bd5

SHA1
ac802b92d4026d809bc75ed40a5cd7cf2bd129aa

SHA256
4f953c51dcc18d1c4fef8cb386cebf8637df70a1422d4373f49db75f178eb41c

SHA512
ea3cedf746d67aec48214d949447e7aac4cd62939819272e7efb2a6ca5ce181c8648564ba80401d3524299055ab58f98da52ef44dee236f1d26fe89369017b50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fd3e2a480bee35040b0a23201c85189c

SHA1
a02a3d2471400da38018f3c2cd61ca53862b4c37

SHA256
33eeae24874d724ad3f94024256fe725a1a9dc4ae42fa3b18a23d23d5d6b6df9

SHA512
ef4feddc1ece16efe869cd7e776ec5b78af8b116a40902c0fdd5c72333f92eca487f2fda744d248b901c4796bf4cf4a4e9e8c4dac4f7b58a399cf656e4fecbe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cb1ce9ad6b3778d0e7922d0fd9301861

SHA1
11f527016602a37c7f00a21bc34c845a6d388f72

SHA256
ff72b0f04ff1b68e99609c1a92ae1f3ffc8b8d79173030e8376b2ce50d79ddf3

SHA512
8858c01730156c8d8f743f6ebba32a152d6f1eef7ad2386f76d8e57ab1c8d10c3a291661ed335b2eaef3093f964dd503bbedd08a321b3231e8f77405a8b43d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c9fe6f7beb0d089fd23450e575634ae9

SHA1
30450b2927dc9b68d59ab769188b3d97d19166d7

SHA256
d823eff330c8095e66d4ce65c912019a6dee1da7a56c87a2dea820a70661266f

SHA512
15695629d5950bc3423df8f43437dbbc268ff903ccd062afec03a2db3b89f82709e92baed65807d32d59438639cebbbed85a1c4a5ec8b9a5bf82df17608d3c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0EA77DF8\Setup.exe

Filesize
2.1MB

MD5
6c1620e5ff6fe39252348b0a314586c5

SHA1
caf8b8b2cc7a95762ee9413b825d6b7d80b90e0b

SHA256
d0ca0c9b434c6d2c468548d4add127e83114bf0eb2afb3d2beb6777791798ff7

SHA512
05c0ab98043cb4ef7c76b424d04b497ba6aef79e0029ee111cd62d738df3ae6ad1bee324bc22f7b6433e21b26d72d93a155a8065663aed284be8a4b237810317

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JOG7D.tmp\Setup.tmp

Filesize
3.1MB

MD5
f3b4d096d4cee3df1d9c8a1c45da95b5

SHA1
c61c6d61b77554dfb37b0ae84b1eb7f142888bbb

SHA256
9cea3c44bf11f95583b35b6f69085f9105168eb69bb6cb0cbd64fe21420bce1d

SHA512
04493cef582c86ec54badfaeac7abd595010025f3c92e1fe23e6a2b8d2441f2ab256a754be2b02954364c2de080a15bee37b5a653a62c1ce6b16b967a13efb50

Download Submit
C:\Users\Admin\Downloads\AfterEffects 2022 (1).rar

Filesize
242.8MB

MD5
f2b8ac16e8487bd851df664f8624c80f

SHA1
71c3b6e06bd87e08986092e29cfefb1800d24240

SHA256
eb00378ff1d3b43ce17f043573c462464c6f843360c5b12ec5b8ac6699bd5d87

SHA512
b1b94931c56fcdd22ccdc04369ecee93c10879389d7f5feefbb7da36db8ab2efdb978e576751100d7efa3cefdbdddfcedfbe36212e7cfd22cea6fc33501acdd2

Download Submit
C:\Users\Admin\Downloads\AfterEffects 2022 (1).rar

Filesize
34.6MB

MD5
acbdf854064360bf7b10a5bf80c4c0dc

SHA1
2d45ae524a61006bf1a05bf1a60c27aaf2c8a573

SHA256
a0864b3eb4f1b394079a89c3fbf372346c6e978a0fe3bcb7bf09fa4052d22024

SHA512
7daff465bfa7d98de647984f8bbe9829b2c71efe871d5c7c1f19629eda7a0781157fcab3bd98fa7e4978c960fd051da51925392cc3427113060d36522111a50c

Download Submit
memory/1316-168-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1316-183-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1516-153-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1516-182-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1516-221-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2100-193-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2100-178-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2100-231-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download
memory/2100-185-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download
memory/2496-173-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2496-217-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download
memory/2496-219-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download
memory/2496-192-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2496-190-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download
memory/2496-184-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download