hxxps://drive[.]google[.]com/file/d/1AUJi-R5ELmduZHgLe9LKCsZ9vuUDJuHk/view?usp=drive_link

Analysis

max time kernel
150s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
15/08/2024, 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1AUJi-R5ELmduZHgLe9LKCsZ9vuUDJuHk/view?usp=drive_link

Score

6^/10

defense_evasion discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
6	drive.google.com
7	drive.google.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\VEGAS_Pro_22.0.0.93_x64_RELEASE_DLV_DE-EN-FR-ES-BR_240723_08-58_22_0_0_93.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2227988167-2813779459-4240799794-1000\{D2351A81-FD85-405B-A2BC-6545253C4EE8}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 833040.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VEGAS_Pro_22.0.0.93_x64_RELEASE_DLV_DE-EN-FR-ES-BR_240723_08-58_22_0_0_93.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
5084	msedge.exe
5084	msedge.exe
200	identity_helper.exe
200	identity_helper.exe
1192	msedge.exe
1192	msedge.exe
3500	msedge.exe
3500	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
5076	msedge.exe
5076	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4352	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4352	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 4248	5084	msedge.exe	78
PID 5084 wrote to memory of 4248	5084	msedge.exe	78
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 2108	5084	msedge.exe	79
PID 5084 wrote to memory of 3356	5084	msedge.exe	80
PID 5084 wrote to memory of 3356	5084	msedge.exe	80
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81
PID 5084 wrote to memory of 3056	5084	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1AUJi-R5ELmduZHgLe9LKCsZ9vuUDJuHk/view?usp=drive_link
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcef5f3cb8,0x7ffcef5f3cc8,0x7ffcef5f3cd8
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6348 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6788 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1404,6471136475628302978,9709364929502479735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6900 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2476

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
16KB

MD5
48c80c7c28b5b00a8b4ff94a22b72fe3

SHA1
d57303c2ad2fd5cedc5cb20f264a6965a7819cee

SHA256
6e9be773031b3234fb9c2d6cf3d9740db1208f4351beca325ec34f76fd38f356

SHA512
c7381e462c72900fdbb82b5c365080efa009287273eb5109ef25c8d0a5df33dd07664fd1aed6eb0d132fa6a3cb6a3ff6b784bffeeca9a2313b1e6eb6e32ab658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006b

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
08ada45ba0cc25d930e0652629fa4f1e

SHA1
87b2a7274a6c2aef59dd58136f56e8fc941ccff2

SHA256
e3104baf83af992845ffac2ab42b023ded0834bd668e6b1e3629393391fae76a

SHA512
5e25c60d7d4b0d79e700a6a971a150510848b96141a72d33f0a9ef6f3a63022b2b97879520b4d3087a7db5fab897e3b86a9a89c338c9222d180ceae40dd57350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
88db889b39cf797ab0a99a78e6c6dc79

SHA1
ed59c00d42025074778d019a9e8e803a885ca6a8

SHA256
b9d03b57ca43b766b61bd0a5dc9b2dbaa7645aad2b22eb6edbe85ec23bc75c3f

SHA512
33f5a24893d68def7b3a499500b4a2b9b42f46bc19da526f9040600556e163002916f0c740b19dea0e2cbae089a5ea2646f7196be3d17da4db59fc7f7276255a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
5bd97a192d27723b5d9388560f4a29a6

SHA1
07764be77465cb098a0ff8db70f1a715e84ce510

SHA256
c9fcada5ba503adcc5b44cd7606438f9a900f559103715dae185b54b49a4c38a

SHA512
7e49b1803d3cbe540b923bcd72c18071e723ed55e5e6cd10d6393c8edb3fd4aa235eb5c58fe138b862df75e783406cbfff10ab0c69c9011fb6f1f7007ba24c11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
523a28b83a6c5d8376fddcddc3acc147

SHA1
6acbf6a9365a3882c0a0608bd560417266d4e5f7

SHA256
74a203dd6f05672bef6f7ae65b666f65310b64d2342b2ae1e79777f6ada121e4

SHA512
5adf9372f0ff66144873522796906a5da2901ecdc1e781732fabb06ad5f1f9f279ebd25da403b225ca80fb6dbe792f0164702cb161d3cb8b2b1b568dd3e8debb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
7a9742b738abb267f50c99473dc42d96

SHA1
fb2b887515273a82e3893a4890042742127c2395

SHA256
d14bae2dcfbbbdae406f4e04d6f1d04ab839ee4fb7643258f73ae33d1e120cb8

SHA512
318ab16dd3a5a1971be6622e11b74af930a36ac2506bee1ab89036e1ae28619581bb1c797a3f95c3227922f495e19d41985eacc1374e50e433fca14266681a40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
99c7a91691a97bf9b98a0bca055fa878

SHA1
a1dda1cc9b4711ecbfa8dae26f40b7dfaeea51f5

SHA256
19e124dc99bab1fa8ceea9496a63ead60ccabd25e82fab11125192526b88c47c

SHA512
a62247da7a772a90e5780535e2a7eec4a1ffa5b063be712db27773919a969abd0018d4bc1f0f8ec451bbf230d76d4aea78348647e1c7b5942c09b9448c87c750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
63f712e7b63d1ae0f0e95f2a7bf688a3

SHA1
0c92214773aff6a05bd32df2575648190fa38ee7

SHA256
39278cf57a15be8e034ea7bfa9b206ffabb457943bf762ac98e2ade1e232a1ba

SHA512
ff3f8cca8ff0c536402150229a122f6a3ac3f3eacd497c979f0d2e8bf0c3f0539e9893692bf02c77dfa079c50de1df7626684bbb456092418fd46022bc11e4cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
933cf7cb48ea4403c99e825b3b1692cd

SHA1
f840f8dfd91d4f051e51e0dbd65538c6124e1910

SHA256
27d32a1ecb83a4aa6555cb4729e815d007ea7d95cc218a67e6a7670aaff034ca

SHA512
d598df21a89afa47c74e4dafb9ba17b17a2d8d9e8a8717e84ec68e2ef5189c337ea59612de9cb5b1f0b0a3464252572037bf89ea6e65632bb0d2b2bd372bb61a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b7f62c64bda2d4d0a23b74cef4673333

SHA1
1df181a39e0adeac7618d309dda057be259fbbb1

SHA256
60d02d4f1b1431a8d03493fbcf7bb07d5b79fd51c3c80bc1fc9839b366373eec

SHA512
16b9c2f60d1915dc02e6786b31cbc51ac8ad0aadb80df0801d9c9ebe0ff2f8f441ec9f50d95a9644e707f09d945eb27f3900f5dc44aafca73410c8ba743099bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d96ad22e67cddc1944499168c4f2cc81

SHA1
5012ad37cb0e44a745122292cb38dd1ecbd88f9b

SHA256
c47e056a6ba5baa2083c8c29c30321c55d2afb8fef43f054bf4b254daca6ebfe

SHA512
02516912374e1c70ca7e61212988add5ecaab34d45369369fe5660bd2ba27b994c37c22dc5951cfbb07f88c90c9186e36445455dcb2ce438dfaac706cca69307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0

Filesize
2KB

MD5
9ec33339d2d85e04e62e458007ed8ebf

SHA1
c290d47e3591ed401fc6807097ce4aabb6fdaf04

SHA256
b181f2be9305ac1f7158147bc203b180740d8db7efef556e19bec88e3233254d

SHA512
619ef8456218cd5281b0cdb18f082545c46c4ab42306545d612d48b6d36d1b87edac2c7722b1730e0ad56cb17cc054cc91f339a80d701718b703b5bb030fc356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
634784eb3f3b11843b7333e7b267bab6

SHA1
6d9ad91640220abc00de6b20f737955a0a05ba0a

SHA256
fdce2c1c4089f8e61f5be6e2452f7e6ff9c556b3402276ea378af8e2c5aeca27

SHA512
d85a59ee1d2a4f48c8989847468eccdaf374921ad90bf2f287f7cbadf0a9819d9f58efcab4a62d7ef1f58f5e87379e8b9f851aff07612fa26f879d90efcdb295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe622610.TMP

Filesize
48B

MD5
bc2ba5d70a21a5bf69bd1e78d42208f5

SHA1
c764a315322e413c9745d099b4ceeec9aea1ca6a

SHA256
6e5a1b4d0e467a65ab87ee71912b3552bbc3432bea26f9131621126c3cf48dcf

SHA512
c00083dd984503c74a1855029073c9733f76d63400579b89e9467b9054deb8365ba7829f1ec8e6dd93b7adb00d457aacf21ce3f257756a0ff97f7d5b338369b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
325bdd0f40ad0c78fdd2951179273561

SHA1
286a76b8a68a5523148eadf09f7eb8f5fc40b03e

SHA256
c52f77c3d80a6a7736e209a61b1cdd60a97dc0d66cae23bb30c0b79ce598a271

SHA512
2bee457305032007797d5fefbff53cb6dbc33930eb83b1857effe62cae1324f9d306964963a860d9c0f67a08244b936040f9a663f91b6f45d087ecbb6072826a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f7fdb96b95f7d6e4260819a458b1bc80

SHA1
2e2082b1c7a0246bf8e61abe91ca7d232183f6a0

SHA256
2098bf220e1ec8968812f70e1c975d65a4ea94d79851e0361f6e45e354e086c7

SHA512
2ccd81dec35bc0f6ad0291813e10f4dee37fb2e7b34b98408d293d1ec7eaccf5d4c3499eb89014a4ebb3ef7a941fdb829a63834dcd78d270c41f09f09322fd8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
20c4e164ec8f5032a487d789e4250741

SHA1
5de0756cf0b1ae793e468b61d50e3cba11d4a846

SHA256
0bcf771d5e94703aa8ca212e02c19dd2b12d0b0ab2edada0e7de845fa8fb2721

SHA512
b5282a02d91df62e31e1c602a1048cb4135102c3a97c01659d7f548ddcbb13f6e744194e61b6c75d9fcba74f021a9df63cf7d47bb70188dce1423bd4333598c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f14b59f3cdf7a1ac648a9953ab84c445

SHA1
352a613c0dd19b835548f668b0090261d82fd8db

SHA256
fc3c01569e511531fa2d995adbfd2da03e2ad13d27efefbb1b58ca9865f961d5

SHA512
9ea9d035ced50b0f652107ee78c62b7e5ecfae9a3854adf85af595418fb643aab6338c24e4f8339da82b6f82882e2b07e6b949421c4ef42714d609ecb174da10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c94f9a9912b542ad19e5c632f1e69307

SHA1
a16dd6a5d88b96965fd7cad08d1da1cd4e694308

SHA256
3c7e538fb70ad2f1707d4f8ce412e2211ec1652dde0a33ca63e2c9ffaedac22f

SHA512
f101d32a96871791011babd7d72988cab888b73004fa2323e2c2ba7b23707776fe43b8abbab66471061bfa50d1c0c0510c6614d1be1665ead9b3e621cbf43402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe61d12a.TMP

Filesize
874B

MD5
b0cedb78bcf0dc86b729d7e39eb1fc2c

SHA1
324b3b82b21839e2d7099414f8c76d5149b9e054

SHA256
70823d4ef601264746fbe9ca40c0bd8a2609f5f4d67b97ac917a2aae5daca855

SHA512
7d5b9b926835fd149fd5907f4bc3b5f5c6f40d599e710631ff2bb7fe985d70013d724f0d6ecc9229bf7253b76be0aada29d28237df4a439975b27600d16b35a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fb5702714cae2c94e0b6903d0fbeaa97

SHA1
8628950f3e231363c285bc79647ee900038b50ea

SHA256
9ef1e16c50bbccb4c3daa7b1a8659d5d1de332f5aa8dea80d110f18ba1ce0983

SHA512
8364f8adc461bd59dba203a437698dbfb3af9e7ecd1b8e6b395c90477047ebd365f3efb15feee1132ba5dccefda1c9245a3279dc014c819a9b558efb9e6758ca

Download Submit
C:\Users\Admin\Downloads\VEGAS_Pro_22.0.0.93_x64_RELEASE_DLV_DE-EN-FR-ES-BR_240723_08-58_22_0_0_93.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit