Analysis
max time kernel: 150s
max time network: 149s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15/08/2024, 14:57
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://drive.google.com/file/d/1AUJi-R5ELmduZHgLe9LKCsZ9vuUDJuHk/view?usp=drive_link
Resource: win11-20240802-en
General
Target: https://drive.google.com/file/d/1AUJi-R5ELmduZHgLe9LKCsZ9vuUDJuHk/view?usp=drive_link
Malware Config
Signatures
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
- flow 1: drive.google.com
- flow 6: drive.google.com
- flow 7: drive.google.com
Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTPs, 1 IoCs)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier that carries a specific value known as the Mark-of-the-Web (MOTW).
- File opened for modification: C:\Users\Admin\Downloads\VEGAS_Pro_22.0.0.93_x64_RELEASE_DLV_DE-EN-FR-ES-BR_240723_08-58_22_0_0_93.exe:Zone.Identifier (msedge.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies registry class (1 IoCs)
- Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2227988167-2813779459-4240799794-1000\{D2351A81-FD85-405B-A2BC-6545253C4EE8} (msedge.exe)
NTFS ADS (2 IoCs)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 833040.crdownload:SmartScreen (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\VEGAS_Pro_22.0.0.93_x64_RELEASE_DLV_DE-EN-FR-ES-BR_240723_08-58_22_0_0_93.exe:Zone.Identifier (msedge.exe)
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Distinct processes:
- PID 3356: msedge.exe
- PID 5084: msedge.exe
- PID 200: identity_helper.exe
- PID 1192: msedge.exe
- PID 3500: msedge.exe
- PID 1348: msedge.exe
- PID 5076: msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (23 IoCs)
- PID 5084: msedge.exe (all 23 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: 33, PID 4352, AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, PID 4352, AUDIODG.EXE
Suspicious use of FindShellTrayWindow (64 IoCs)
- PID 5084: msedge.exe (all 64 entries)
Suspicious use of SendNotifyMessage (12 IoCs)
- PID 5084: msedge.exe (all 12 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Distinct entries (source PID 5084, msedge.exe):
- PID 5084 wrote to memory of PID 4248 (procid_target 78)
- PID 5084 wrote to memory of PID 2108 (procid_target 79)
- PID 5084 wrote to memory of PID 3356 (procid_target 80)
- PID 5084 wrote to memory of PID 3056 (procid_target 81)
Processes
- PID 5084: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1AUJi-R5ELmduZHgLe9LKCsZ9vuUDJuHk/view?usp=drive_link
  Signatures: Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 4248: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcef5f3cb8,0x7ffcef5f3cc8,0x7ffcef5f3cd8
  - PID 2108: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
  - PID 3356: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 3056: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  - PID 1584: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  - PID 2716: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  - PID 1504: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  - PID 200: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 4944: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  - PID 3312: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  - PID 3976: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  - PID 2816: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  - PID 2432: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6348 /prefetch:8
  - PID 2364: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  - PID 1904: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  - PID 1192: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 5036: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  - PID 3772: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  - PID 3916: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  - PID 3100: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:1
  - PID 4352: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  - PID 2092: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  - PID 1792: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
  - PID 4064: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5568 /prefetch:8
  - PID 3500: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6344 /prefetch:8
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses
  - PID 4836: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  - PID 3128: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
  - PID 1544: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  - PID 1776: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1
  - PID 1724: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  - PID 1348: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6788 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 4020: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  - PID 720: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
  - PID 5076: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6900 /prefetch:8
    Signatures: Subvert Trust Controls: Mark-of-the-Web Bypass; NTFS ADS; Suspicious behavior: EnumeratesProcesses
- PID 3320: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 2476: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 4352: C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D4
  Signatures: Suspicious use of AdjustPrivilegeToken
- PID 760: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
Network
MITRE ATT&CK Enterprise v15
Downloads