hxxps://drive[.]google[.]com/uc?export=download&id=1OsxD9NBGbXIFd2q3eBy0xAcqMTkw3tTE

Analysis

max time kernel
80s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/09/2024, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?export=download&id=1OsxD9NBGbXIFd2q3eBy0xAcqMTkw3tTE

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
5	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 8e46bffb11e5da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1BAC5501-7A4C-11EF-B1C5-FA03B01A99D1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{26AAF5F3-61F6-4374-9561-A993DD51D8F8}"	iexplore.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\bin_auto_file\shell\open\CommandId = "IE.File"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Ref	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\i	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\i\ = "bin_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\bin_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\bin_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\.bin	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\bin_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\bin_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\.bin\ = "bin_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\bin_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Ref\ = "bin_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\bin_auto_file\shell\open\command	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4040	msedge.exe
4040	msedge.exe
4588	msedge.exe
4588	msedge.exe
216	msedge.exe
216	msedge.exe
3800	identity_helper.exe
3800	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5104	OpenWith.exe
1832	OpenWith.exe
1776	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	3700	7zFM.exe
Token: 35	3700	7zFM.exe
Token: SeRestorePrivilege	2100	7zG.exe
Token: 35	2100	7zG.exe
Token: SeSecurityPrivilege	2100	7zG.exe
Token: SeSecurityPrivilege	2100	7zG.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4412	iexplore.exe
4412	iexplore.exe
4412	iexplore.exe
4412	iexplore.exe
3700	7zFM.exe
2100	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe
5104	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4468	4588	msedge.exe	83
PID 4588 wrote to memory of 4468	4588	msedge.exe	83
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4948	4588	msedge.exe	85
PID 4588 wrote to memory of 4040	4588	msedge.exe	86
PID 4588 wrote to memory of 4040	4588	msedge.exe	86
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87
PID 4588 wrote to memory of 4136	4588	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/uc?export=download&id=1OsxD9NBGbXIFd2q3eBy0xAcqMTkw3tTE
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd21b46f8,0x7ffbd21b4708,0x7ffbd21b4718
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,3198801625329114872,13522687520513967700,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1964,3198801625329114872,13522687520513967700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1964,3198801625329114872,13522687520513967700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,3198801625329114872,13522687520513967700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,3198801625329114872,13522687520513967700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1964,3198801625329114872,13522687520513967700,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,3198801625329114872,13522687520513967700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1964,3198801625329114872,13522687520513967700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,3198801625329114872,13522687520513967700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,3198801625329114872,13522687520513967700,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1964,3198801625329114872,13522687520513967700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1964,3198801625329114872,13522687520513967700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,3198801625329114872,13522687520513967700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,3198801625329114872,13522687520513967700,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:1896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2232

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1832
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\rRWdRJF183.bin
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:4412
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4412 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:3592
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\rRWdRJF183.bin
    3⤵
    - Modifies Internet Explorer settings
    PID:4788
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4412 CREDAT:17414 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1556

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\rRWdRJF183.bin"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3700

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap20574:82:7zEvent18680
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2100

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
512B

MD5
18dd44d390d17ec87fe3f03695aab6f2

SHA1
7dd6287a7e0751dba778dda050b249e4f9f397e7

SHA256
23e6d4074576fea8d1144e3a89e1950a1fc7d9c037abc447b8605715b6ad728a

SHA512
9c884d2cf1759780b20560568cd286f74116bc81c0813f3e25bb03e2deceaaea3b56d2633236f106634b36f4fdcb89afd681b4f65d2019aa2b5d1a432ce23c27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
09f99aa76f6caabce545b5af9b901275

SHA1
1a136fe2ddacabde089b42c595ab4991893cecc6

SHA256
60ea3ab01b1cb9e1924f8980a5ed531ed2e1ff17d22cc0cfabcda593f0f698a4

SHA512
943574170453641dce7cc0c9a58fd9de03ec0b2a7e49bdad196ef5e89149fca55abac760123ca64905355b9a33c0faf9031a09058242059cc18c12f78a8600a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9156202291db9f83b8a09ec253409103

SHA1
698fcef86de4ea3e34740e89dd773e981d511582

SHA256
6a596719ee97bda762ad607cd0a6097608419790b17ede74330c2192de352d61

SHA512
e8f06489fbd791102a8e51cf0981846c8298929cff3702335e9e14272784a7a9b43d18ca815da7d33795cc224df189bb4bf1fbc23b933557340f1ce42a66dec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
99d06e362a8b0a78332d1f475a758a19

SHA1
fe7300745726291e42e4f4709cece7be0c874720

SHA256
2aa965efcc5c4ff39e4ad27c7da9b73d7d30d9a3b565b7d5d0af8454bf6e2245

SHA512
8feafaa7a378ce93d4dc066682265f4c0e39421f2978302b8f187edd13181227427b927555d3676aaf8418095c4beae67b6cd9eaf7fafbd7fabe6b10d523fec4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 438445.crdownload

Filesize
234KB

MD5
2b1196a9d5430aed571fc2638d256825

SHA1
557e67540775b58bf3d2b3da244cfea6e0f9df83

SHA256
41127c608b2b7ab235987194fc4ee4e48081ab45a463efbd7d62988a81749160

SHA512
140074c78e5fff954125c2197edb31a09bb6b47ec3a8ecebd192b644b20a281d317ea052b83eb1afdf7bad5690d86985718b25e72941c80024b5a3c740191a79

Download Submit