hxxps://drive[.]google[.]com/file/d/1a4t2PkfnccZnMtAZufQzwlooJiryJN4N/view

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1a4t2PkfnccZnMtAZufQzwlooJiryJN4N/view

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
10	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "664828745"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "657640902"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "657640902"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b3ec2700ecda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000074472bebe7af3a46942426e1e277b42a000000000200000000001066000000010000200000002c0aac9a97d777c4a894a86cda9c533804713fca1f9dfca861778b9955f4890a000000000e8000000002000020000000d15fe036e4c3f1ab846501623ed2c50e32e6f27aa7663b007cb7d373443749aa2000000062b12f0ed506b2323639e91f85a4b3b444805fded11d3995379fef60e3814c0140000000ebdc987afb2b8df63126d467228b6d58f9a6ab3ebb006964bee5a832970e4a3661d379dd40971465c803242303fdf7b20b6ad77dc24f63991d93b2ba3c4c78e9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31124480"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0dff32700ecda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430153779"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31124480"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{52D88773-57F3-11EF-9912-762C928CCA03} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31124480"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000074472bebe7af3a46942426e1e277b42a00000000020000000000106600000001000020000000fae9d0e8b4ac53da5989229be0b7d9fa523954f1f6d637375acfb83d71959168000000000e8000000002000020000000c93884800c205be4f08f040901d7239fef4437c5829945f1bb920551fe1b67d120000000e2135ccf317613cb39615a161bbd695409fc563b6dca250270a1533ef2089ff3400000000f9860f9ac98f435aa03f55eab4ffc30d562df7aa3a371a55f331100c44f2a192b08a735756d9a33ce945bd01c0db49ed0c234d3050ce272ad83afa42775755d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5328	msedge.exe
5328	msedge.exe
1184	msedge.exe
1184	msedge.exe
2124	identity_helper.exe
2124	identity_helper.exe
2988	msedge.exe
2988	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
2784	iexplore.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2784	iexplore.exe
2784	iexplore.exe
5056	IEXPLORE.EXE
5056	IEXPLORE.EXE
5056	IEXPLORE.EXE
5056	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 5168	1184	msedge.exe	87
PID 1184 wrote to memory of 5168	1184	msedge.exe	87
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 4832	1184	msedge.exe	88
PID 1184 wrote to memory of 5328	1184	msedge.exe	89
PID 1184 wrote to memory of 5328	1184	msedge.exe	89
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90
PID 1184 wrote to memory of 5656	1184	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1a4t2PkfnccZnMtAZufQzwlooJiryJN4N/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a8d346f8,0x7ff8a8d34708,0x7ff8a8d34718
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,9154190324991881515,2801358634155660322,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,9154190324991881515,2801358634155660322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,9154190324991881515,2801358634155660322,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9154190324991881515,2801358634155660322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9154190324991881515,2801358634155660322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9154190324991881515,2801358634155660322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9154190324991881515,2801358634155660322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,9154190324991881515,2801358634155660322,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9154190324991881515,2801358634155660322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9154190324991881515,2801358634155660322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9154190324991881515,2801358634155660322,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,9154190324991881515,2801358634155660322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6892 /prefetch:8
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,9154190324991881515,2801358634155660322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9154190324991881515,2801358634155660322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9154190324991881515,2801358634155660322,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,9154190324991881515,2801358634155660322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,9154190324991881515,2801358634155660322,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3764 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5376

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_ElectroXD GFX Pack 2.0.zip\Render\Warden.gif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2784
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
3b88c0b07fc0104a25b4c4fd37acb9b2

SHA1
5000f199320d3a95327dddac9ad0470419872c70

SHA256
45728614ddc7a65a106cdc07fb8c1944522c95a03cda1d2c949511b269df8eb7

SHA512
fb6e04f73a07d46950ace2a2e98035c1d1f72851a4e2c00fe8182178343be02144c2c5a53cd99849b6d1e273bc2ef10d8062156543dc92081c511857e398b912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
fe49e440de6c6f9d6506690c6431ff6b

SHA1
96c0823120b09405fc71c22eefa22cae7ffcf0da

SHA256
570d442359961575ca774bd1138df90632efeebeb03d6b3430fb254a04a53464

SHA512
bf1661f7fd97f2753488f5fd93c5df4d0ca2346fffe97db6be3a1b2311ca4270d399a2516a64ef10e99a3bde8143ba1e2b3f61b5adbf27115dfffed655a2eb57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
f5829b1e83d8d144748aea00327f3fbb

SHA1
bacb5a12f530f3208119eb15a25946d420c7f167

SHA256
3f0841c41fd95eae34e01b14968353751c417ba69797fb73e88e32b203f4cb5b

SHA512
09c44305e0d74ab5a3f7db6e312ed4be913ea665c82742d7ae14437554dec9340ef8ae40706145f9805ea29670e2b3ef0dce4a5791bab08fe1c775426715c4f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
63f2a6ffcb97133bc1d84fa99da53100

SHA1
ae1dddc8011b73f541955b6bf429858176f8dc93

SHA256
9e91a3aa7d9a9715fe1508a1376edbd798ef5e1223c5f6f4932ed6c1d34617cb

SHA512
b7951cc48a6a75031f77649e17389630b2f9794c205c843634bb8a636eaa4c54ec86915782ce092f076a99d885e04ae8b4e47be0054cf25c0a6c976415c695bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5aafbe9ccb83b5ae5bcd4dac388355a5

SHA1
9f650bb1fa5e07955c3ab7a11326456c7f02feb8

SHA256
3b73c33993cf0f201cee366a8743c711a9500c07895f8bad68b3da4c043f946a

SHA512
5122d251d3fb9085580efe6b6f95aad0ca475963f581b8530e8b71a5edfe19628147d29efc78a3e643cebc06acfb746ad65cbf7bda41308e497ce3e5cd6ed159

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5925ba5cbdce120d945a80d898117cf3

SHA1
c2b4bac2c8c29e25f746cc6669bf538321e38f85

SHA256
4d71643208863e82d8a2987aeeab5eb0b9b233803b37bbfd4f65b6a07be8a1b7

SHA512
60485b80d6f8834e06dfea76d62cbb97d7e759fba3c105704f54215d682b0fe63a53bb512149d3255104ac231d1ec696bd7cb69a177c9e1b563323a76dcfb790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5dbdfef6b9c74f07273bbd3f27438aac

SHA1
1da6262427c7b852a38923e73d19801849eddfe5

SHA256
b05bb63496ca71430b40993a956222ef0b2281b661ea179731b214bd82bf6376

SHA512
4b14f369df7bace8897392e3f58c46b7f6bf7dacdd369d9ef3530eb7fa41855a69a42c6ea50fa35da835cb3c231c9d9aa96da33383d4f11b70bba6c8dfef4748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4329235D\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\Downloads\ElectroXD GFX Pack 2.0.zip

Filesize
29.7MB

MD5
b2b99bef7c86fc05bf2dd6640dcc763b

SHA1
968100e9aad50ad20e31e9170b596a077635703f

SHA256
e56786b8c692b580bb6556374650d2e9b56a7e95f29a27e688b5c45afc5f0b86

SHA512
dc5e49875870dbd9a02eff8c5428cd335a3d91144c88810a3a69e88388f73d78f2acad1bbb9e825c09b905d0f49a6b9f313390721660f03eaa8a8db90e4ec5ed

Download Submit