hxxps://drive[.]google[.]com/uc?id=1fXKrR1x6lZNFzv599XDdm4AEAb8plA5g&export=download&authuser=0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=1fXKrR1x6lZNFzv599XDdm4AEAb8plA5g&export=download&authuser=0

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
3	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.cab\shell\open\command	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.tbz\shell	7zFM.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.gz	7zFM.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.tgz	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.taz\DefaultIcon	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.apfs\shell\open	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.bzip2	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.bzip2\shell\open\command	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.dmg\DefaultIcon	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.rar\shell\open	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.gz\ = "gz Archive"	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.taz\shell\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.tgz\DefaultIcon	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.deb\ = "7-Zip.deb"	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.bzip2\shell\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.fat	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.fat\shell\open\command	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.squashfs\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	7zFM.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_CLASSES\7-ZIP.BZ2\SHELL\OPEN\COMMAND	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.esd\shell\open\command	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.cab\shell\open\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.cpio\DefaultIcon	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.bz2\shell\open\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.z	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.z\shell\open	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.vhdx\ = "vhdx Archive"	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.esd\ = "7-Zip.esd"	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.tar\DefaultIcon	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.rar\DefaultIcon	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.tbz	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.tpz\ = "tpz Archive"	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.vhd	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.lha\DefaultIcon\ = "C:\\Program Files\\7-Zip\\7z.dll,6"	7zFM.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_CLASSES\7-ZIP.RAR\SHELL\OPEN\COMMAND	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.lzma\shell	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.bzip2\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.tbz2\shell	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.tgz\shell\open\command	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.tpz	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.lzh\shell\open\	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.vhdx\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.dmg\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.zip\DefaultIcon	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.gzip\ = "gzip Archive"	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.lha\shell	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.rpm\DefaultIcon	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.tar\shell\open\command	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.hfs\shell\open	7zFM.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.bz2\shell	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.001\shell\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.bzip2\shell\open	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.tbz\shell\open\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.z	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.squashfs	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.squashfs\shell\open\	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.cab\ = "cab Archive"	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.rpm\shell\open\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.ntfs\shell\open\command	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.zip\ = "zip Archive"	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.rar\shell\open\	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.tbz2\ = "7-Zip.tbz2"	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.gz	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.tpz\shell\open	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\7-Zip.lha\shell\open\command	7zFM.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2348	msedge.exe
2348	msedge.exe
4184	msedge.exe
4184	msedge.exe
4500	identity_helper.exe
4500	identity_helper.exe
1908	msedge.exe
1908	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3068	7zFM.exe
4836	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	3068	7zFM.exe
Token: 35	3068	7zFM.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
5212	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe
4836	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 3980	4184	msedge.exe	84
PID 4184 wrote to memory of 3980	4184	msedge.exe	84
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 976	4184	msedge.exe	85
PID 4184 wrote to memory of 2348	4184	msedge.exe	86
PID 4184 wrote to memory of 2348	4184	msedge.exe	86
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87
PID 4184 wrote to memory of 5088	4184	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/uc?id=1fXKrR1x6lZNFzv599XDdm4AEAb8plA5g&export=download&authuser=0
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa62ab46f8,0x7ffa62ab4708,0x7ffa62ab4718
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,17911942204191717976,13937663110001880787,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,17911942204191717976,13937663110001880787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,17911942204191717976,13937663110001880787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17911942204191717976,13937663110001880787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17911942204191717976,13937663110001880787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17911942204191717976,13937663110001880787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,17911942204191717976,13937663110001880787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,17911942204191717976,13937663110001880787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17911942204191717976,13937663110001880787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17911942204191717976,13937663110001880787,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17911942204191717976,13937663110001880787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2436 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17911942204191717976,13937663110001880787,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,17911942204191717976,13937663110001880787,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17911942204191717976,13937663110001880787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,17911942204191717976,13937663110001880787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1908
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\REQUERIMIENTO SUGERIDO DIAN COMUNICADO- DECLARACION DE IMPUESTO EN MORA RAD.REV
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,17911942204191717976,13937663110001880787,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4644 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:836

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5444

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4836
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\REQUERIMIENTO SUGERIDO DIAN COMUNICADO- DECLARACION DE IMPUESTO EN MORA RAD.REV
  2⤵
  PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
796B

MD5
023300073c23c3e4bfb967b0581ebb59

SHA1
37a086d409507213eb54e87e19e06ec2aad74ac8

SHA256
7394a210258533eb12ee3950767f310e9b655898d276e222860fa409accf3c46

SHA512
6fad2c491a526ccb77e48fb1e55bc14a88f882d5d31a30c5c4b4d08fe7a35f41964531056961b6548645452a11837b729d220554f5897474b8ebc079f4cef4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d1a10d6e3ba305f2fe8ac655ad247f76

SHA1
6555ce86d7e19d9c79a942e8a08a5ed4c442b510

SHA256
b44831e78270bd83f1d637f8edd6adb17d63efb37e72537c1f4766a521f2a0e6

SHA512
7200fa518f14e528e13ac9d58025e86648d8f5205180e31881fab9c661e929cc0acc5b55d919bf5731d10c1c5482ab19efc930873e5b4eea28995b90c85b14b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
874bc4381b0a53451642ff147c6831c1

SHA1
7f0290c86eaf2695408b0b1840d3ab4a868bd23e

SHA256
3be87428cdc48b23bffadec37a6b0ef8503076e917173e6d63f46aee3703c01d

SHA512
a6642f2c163889c797f171750ad77b9550db193403bbaca605a00660269edc6f7edb283592411bd14ee15089ebce980317929120a27089db69284957555dfaee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ea27c4cc5304d0ad04cc88fa90f12eb0

SHA1
eec82dba97397fad42bd8b0d7fcd6f8accec7805

SHA256
adefc0be933c16ef37d1438b15c2b42559a324111fc0b4830ab07079ba3d651c

SHA512
16610923984d85feee79b6695b5b088179940f17d3cedc4af06d47dbf0f4ce278e5016fdb59cfe7e3ac55bd5c684b16210639d89408050cffbd78ffc6bd0ef87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f611bb309e61142fdaeed97d93f0d932

SHA1
dd77c70b9a9194d935336c2684315a1d4c90d995

SHA256
21cb871094455b5484b23794668d5605e3c6ebe5202afca1fc3dcb7d09185570

SHA512
e983375c5326210d53b1c16d8d009221f47fcd8ce4977556a4878f8632007deb1d41d2a5b8e09bcebf015cf56d03130c3c35099044ac05a3f58441e1db03aa30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0f26dc9f2166422aff645bcfdf18bc7d

SHA1
dab3c997d2b5c84522cb227da61603f8d5fe183a

SHA256
6ce830bd4da4ee4cc598e6ed715796f6e56351534d3bf27e939f2a60abd88258

SHA512
dc009a94aaeaf2cb0bf5307224cba149c9f2262fc4669b7c32c17b05a33b77af25752fa14acc2c5f20a15f4048b266741903d3ad5de360e4532c785e0e5e20ff

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 23525.crdownload

Filesize
1.1MB

MD5
a809788472d7e3c21f52ce615afb7d72

SHA1
904d89b34d862e68a6e53a4c3f447fb539371276

SHA256
c5bf99bcb6789904419781dbf906a65c81850cf1fe6733e35c130cd41abe6bc5

SHA512
d4bdb0273fbf0d93ca7fa2b25c98a3d9724c1431052c3b6e7e119b31332b6cd5d79612b815aac0e06b614e5c61ab254a3a46bf782d0577a175de433c1d4e5c59

Download Submit