hxxps://drive[.]google[.]com/file/d/148lJyKz1EcShROH8v75yMt_S8tNUqMVC/view?usp=sharing

Analysis

max time kernel
117s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/148lJyKz1EcShROH8v75yMt_S8tNUqMVC/view?usp=sharing

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4520	REVisionFX Effections OFX v24.10 CE.exe
1204	REVisionFX Effections OFX v24.10 CE.tmp
2720	REVisionFX Effections OFX v24.10 CE.exe
1212	REVisionFX Effections OFX v24.10 CE.tmp

Loads dropped DLL 2 IoCs

pid	Process
1204	REVisionFX Effections OFX v24.10 CE.tmp
1212	REVisionFX Effections OFX v24.10 CE.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
7	drive.google.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\OFX\Plugins\Twixtor7OFX\clamp_time.ofx.bundle\Contents\Resources\is-AVA7B.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REZup1OFX\REZUPEnhance.ofx.bundle\Contents\Resources\is-A0APK.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\REVisionEffects\Twixtor7OFX\Twixtor7OFXManual\Nuke\is-AHBP0.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\DENoise3OFX\DENoise.ofx.bundle\Contents\is-KTOC8.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RELens2OFX\RELensReframe.ofx.bundle\Contents\Win64\is-DKRNH.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RELens2OFX\RELensToLatLong.ofx.bundle\Contents\Resources\is-KOEL2.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RELens2OFX\RELensFromLatLong.ofx.bundle\Contents\Win64\is-GT54O.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REMap4OFX\remap_transform.ofx.bundle\Contents\Resources\is-081SH.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REMatch2OFX\rematch_color.ofx.bundle\Contents\Resources\is-L1969.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\Twixtor7OFX\clamp_time.ofx.bundle\Contents\Resources\is-5EV6J.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\DEFlicker2OFX\DEFlickerRollingBands.ofx.bundle\Contents\is-KT6B7.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\DEFlicker2OFX\DEFlickerTimelapse.ofx.bundle\Contents\Resources\is-00N78.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RELens2OFX\RELensFromLatLong.ofx.bundle\Contents\Resources\is-ABAAN.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REZup1OFX\REZUPEnhance.ofx.bundle\Contents\Resources\is-JBEGR.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\REVisionEffects\REZup1OFX\REZup1OFXManual\is-N2IQO.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RSMB6OFX\rsmbvectors.ofx.bundle\Contents\is-O0SQF.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\Twixtor7OFX\twixtor_vectors_in.ofx.bundle\Contents\is-5NQ9G.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\Twixtor7OFX\twixtor_vectors_in.ofx.bundle\Contents\Win64\is-Q868I.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\ColorGenius1OFX\ColorGenius.ofx.bundle\Contents\Win64\is-T0IJN.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\ColorGenius1OFX\ColorGenius.ofx.bundle\Contents\Win64\is-DMFE9.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\DENoise3OFX\DENoiseFrameAvg.ofx.bundle\Contents\is-MQI45.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RELens2OFX\RELensSuperfish.ofx.bundle\Contents\Resources\is-AATMR.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REMatch2OFX\rematch_colorplus.ofx.bundle\Contents\is-MK8AN.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\REVisionEffects\REMap4OFX\REMap4OFXManual\is-SU8RF.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REZup1OFX\REZUPResize.ofx.bundle\Contents\Resources\is-QM27O.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\REVisionEffects\RSMB6OFX\RSMB6OFXManual\is-4HP66.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REMap4OFX\remap_uv.ofx.bundle\Contents\is-DS5Q1.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RSMB6OFX\rsmb.ofx.bundle\Contents\Win64\is-5P4RN.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RSMB6OFX\rsmbregular.ofx.bundle\Contents\is-IIT10.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RELens2OFX\RELensToLatLong.ofx.bundle\Contents\Win64\is-T8V1G.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REMap4OFX\remap_cornerpin.ofx.bundle\Contents\Resources\is-EN650.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REMap4OFX\remap_displace.ofx.bundle\Contents\Resources\is-JFI5V.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REMap4OFX\remap_displace.ofx.bundle\Contents\Resources\is-GP7BP.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REMatch2OFX\rematch_stereo.ofx.bundle\Contents\Resources\is-PHBPN.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RELens2OFX\RELensDefish.ofx.bundle\Contents\Resources\is-TETQ4.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RELens2OFX\RELensReframe.ofx.bundle\Contents\Resources\is-IAPBB.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RELens2OFX\RELensSuperfish.ofx.bundle\Contents\Win64\is-BNGT6.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REZup1OFX\REZUPEnhance.ofx.bundle\Contents\is-BK38K.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\Twixtor8OFX\twixtor.ofx.bundle\Contents\Win64\is-ARBS2.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RSMB6OFX\rsmbvectors.ofx.bundle\Contents\Resources\is-PAF3C.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\ColorGenius1OFX\ColorGenius.ofx.bundle\Contents\Resources\is-H75CM.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\REVisionEffects\DEFlicker2OFX\DEFlicker2OFXManual\is-7N2ME.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\REVisionEffects\Twixtor7OFX\Twixtor7OFXManual\Catalyst\is-EPII0.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\REVisionEffects\Twixtor7OFX\Twixtor7OFXManual\Nuke\is-MDA08.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RELens2OFX\RELensDefish.ofx.bundle\Contents\Resources\is-T2CMJ.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RELens2OFX\RELensToLatLong.ofx.bundle\Contents\Resources\is-TMRQK.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REMap4OFX\remap_displace.ofx.bundle\Contents\Win64\is-S5791.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\Twixtor7OFX\twixtor_pro.ofx.bundle\Contents\Resources\is-GQORG.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\DEFlicker2OFX\DEFlickerAutoLevels.ofx.bundle\Contents\Resources\is-BMHDC.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RELens2OFX\RELensDefish.ofx.bundle\Contents\Win64\is-EMPT3.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RELens2OFX\RELensSuperfish.ofx.bundle\Contents\Resources\is-PKOB6.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\ColorGenius1OFX\ColorGenius.ofx.bundle\Contents\is-SR9B8.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REMap4OFX\remap_distort.ofx.bundle\Contents\Win64\is-GQ7NP.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REMatch2OFX\rematch_colorbasic.ofx.bundle\Contents\Resources\is-CUBSC.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\Twixtor7OFX\motion_vectors_create.ofx.bundle\Contents\Resources\is-8MM93.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\REVisionEffects\RELens2OFX\RELens2OFXManual\is-GC0BN.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\REVisionEffects\Twixtor7OFX\Twixtor7OFXManual\Scratch\is-VU9PL.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\REVisionEffects\ColorGenius1OFX\ColorGenius1OFXManual\is-LQ7DF.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\DENoise3OFX\DENoiseFrameAvg.ofx.bundle\Contents\Resources\is-9TRCH.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RELens2OFX\RELensChroma.ofx.bundle\Contents\Win64\is-D8848.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REMap4OFX\remap_inverseuv.ofx.bundle\Contents\Resources\is-1RG4P.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REMatch2OFX\rematch_colorbasic.ofx.bundle\Contents\is-A559H.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\RELens2OFX\RELensReframe.ofx.bundle\Contents\Resources\is-TKRAL.tmp	REVisionFX Effections OFX v24.10 CE.tmp
File created	C:\Program Files\Common Files\OFX\Plugins\REMatch2OFX\rematch_color.ofx.bundle\Contents\is-GUKNI.tmp	REVisionFX Effections OFX v24.10 CE.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REVisionFX Effections OFX v24.10 CE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REVisionFX Effections OFX v24.10 CE.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REVisionFX Effections OFX v24.10 CE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REVisionFX Effections OFX v24.10 CE.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1832	msedge.exe
1832	msedge.exe
3828	msedge.exe
3828	msedge.exe
5476	msedge.exe
5476	msedge.exe
1204	REVisionFX Effections OFX v24.10 CE.tmp
1204	REVisionFX Effections OFX v24.10 CE.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	6100	7zG.exe
Token: 35	6100	7zG.exe
Token: SeSecurityPrivilege	6100	7zG.exe
Token: SeSecurityPrivilege	6100	7zG.exe
Token: 33	800	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	800	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
6100	7zG.exe
1832	msedge.exe
1832	msedge.exe
1204	REVisionFX Effections OFX v24.10 CE.tmp

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 3472	1832	msedge.exe	84
PID 1832 wrote to memory of 3472	1832	msedge.exe	84
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 4032	1832	msedge.exe	85
PID 1832 wrote to memory of 3828	1832	msedge.exe	86
PID 1832 wrote to memory of 3828	1832	msedge.exe	86
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87
PID 1832 wrote to memory of 3780	1832	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/148lJyKz1EcShROH8v75yMt_S8tNUqMVC/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5ee046f8,0x7ffb5ee04708,0x7ffb5ee04718
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1828 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7532 /prefetch:1
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7356 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2068,11060606054123570248,3319540766010940250,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7616 /prefetch:8
  2⤵
  PID:4148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5792

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap5571:140:7zEvent15808
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6100

C:\Users\Admin\Downloads\RevisionFX Effections Plus 24.10 (x64) for OFX\REVisionFX Effections OFX v24.10 CE.exe
"C:\Users\Admin\Downloads\RevisionFX Effections Plus 24.10 (x64) for OFX\REVisionFX Effections OFX v24.10 CE.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4520
- C:\Users\Admin\AppData\Local\Temp\is-G861V.tmp\REVisionFX Effections OFX v24.10 CE.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-G861V.tmp\REVisionFX Effections OFX v24.10 CE.tmp" /SL5="$2037C,65939081,867328,C:\Users\Admin\Downloads\RevisionFX Effections Plus 24.10 (x64) for OFX\REVisionFX Effections OFX v24.10 CE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1204

C:\Users\Admin\Downloads\RevisionFX Effections Plus 24.10 (x64) for OFX\REVisionFX Effections OFX v24.10 CE.exe
"C:\Users\Admin\Downloads\RevisionFX Effections Plus 24.10 (x64) for OFX\REVisionFX Effections OFX v24.10 CE.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2720
- C:\Users\Admin\AppData\Local\Temp\is-CIEOM.tmp\REVisionFX Effections OFX v24.10 CE.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CIEOM.tmp\REVisionFX Effections OFX v24.10 CE.tmp" /SL5="$3037C,65939081,867328,C:\Users\Admin\Downloads\RevisionFX Effections Plus 24.10 (x64) for OFX\REVisionFX Effections OFX v24.10 CE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://revisionfx.com/products/effections/resolve
    3⤵
    PID:5316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5ee046f8,0x7ffb5ee04708,0x7ffb5ee04718
      4⤵
      PID:3424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5656

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x4e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\OFX\Plugins\DEFlicker2OFX\DEFlickerRollingBands.ofx.bundle\Contents\Resources\is-0OC47.tmp

Filesize
3KB

MD5
06dcc7da83283025c5ed1ccb462a3e4e

SHA1
ae34bd962d357133e72a097c15a7a0607e324fdd

SHA256
8acaa4825752d535bfcdbad228de9dc4bdea04313e2c7cdd2fdaaf440e83fe6f

SHA512
c59309853796868fd05f61848267e5dec8411b52e98a1968eaded1a373971197348dd17b982d77e671b874a856e599823d056a95560bd48a42204153edcaed80

Download Submit
C:\Program Files\Common Files\OFX\Plugins\DEFlicker2OFX\DEFlickerRollingBands.ofx.bundle\Contents\Resources\is-8JHER.tmp

Filesize
8KB

MD5
096d04234c6e9b3f5bb4853a0c468b3d

SHA1
32794b2f0cfdab1a8232c9ee7ef323f5cc4ad2aa

SHA256
992f524ff7c23f0cd5a9bf61ec7978d768178b64f54df7aab96187f861826d4a

SHA512
f69043ebdbaea34013777522082717d822615307174c787ae582e69da6e71ef14a492311d30b0f8b2de5b67577d58277d6b5858e1bc6fb7a2159abbd283982ba

Download Submit
C:\Program Files\Common Files\OFX\Plugins\DEFlicker2OFX\DEFlickerTimelapse.ofx.bundle\Contents\is-A5MNG.tmp

Filesize
1KB

MD5
b22a29d22e010c44845585adb84007bb

SHA1
87b417956a15206370e9b8efadb57cbc6c02f679

SHA256
0bfd7cb7a355439c9e76be5162061ae3644f0aad320cef48961273fcda509106

SHA512
5b75df22c88299194701f907e4a5dace124b926ca7febc5a00ee405e3f610e7e5f2161c1a64e5ee806554124a26333d907303ea26e13e6c40765f0c37609146c

Download Submit
C:\Program Files\Common Files\OFX\Plugins\RELens2OFX\RELensDefish.ofx.bundle\Contents\Resources\is-TETQ4.tmp

Filesize
40KB

MD5
81a1202a5377fba03e6a3ea50f370f86

SHA1
0f5232864a43e2964eee98ad1b48b8bd360ba147

SHA256
14836a3ec45adefd8e79ec148ebaa3c14c8f407cc67b3d9d5839911b1ec82539

SHA512
f77232816597f5bc5a0e3beb28222812215abf178be7398c847498e1a3d05a92dcb13fa225e640200c5b1198e5880ea1b6c8b7de44b597e91b16f0e7a00e1c46

Download Submit
C:\Program Files\Common Files\OFX\Plugins\RELens2OFX\RELensDefish.ofx.bundle\Contents\is-9L8MM.tmp

Filesize
1KB

MD5
25527e8f68d9c3022b7e454052d35e93

SHA1
2f136a2682037766793fdd8970be91e5cd25d82a

SHA256
5f39d285e0286ca0f88d8bd595406393b0da0ef7629bd456297a6200ce97c852

SHA512
5e990c27e5df34a190be671ef9e9c858adb95f05a5e547ba16cec47da2e07d8c430c8bf76422403dd50c774922c4461c162159e15136ebb06ba0e163bc040259

Download Submit
C:\Program Files\Common Files\OFX\Plugins\REMap4OFX\remap_distort.ofx.bundle\Contents\Resources\is-L3V51.tmp

Filesize
15KB

MD5
d6aa22d10b2e3565afb76f99c99c6f3a

SHA1
57158ffc237bef707fda86c858f20434cbe15b2c

SHA256
e8eeab32e525a13c518928e33edbc70ef92e97eb66e3ae17aa7e02495d3d1571

SHA512
b8a75d2ddc35cf440781be32ae9a5507b318befef190a2e3904b7b54ef86a6333cccdd580b03958a9a1424cb273a58d3e317813674e5b081178bb887af7a00b1

Download Submit
C:\Program Files\Common Files\OFX\Plugins\REMap4OFX\remap_distort.ofx.bundle\Contents\is-BJSSL.tmp

Filesize
1KB

MD5
7242b703b411bb74dbc70fb4a79fe8ac

SHA1
2dce375ee7a57f782f68009e87b9db8dc0867075

SHA256
d989fa3dcc1fe9bbd20cb8c5b8e46f3b0d41e6f1154ee9bdffcff30bda750cf4

SHA512
12f613e84c00983e8ee9fd26d1e1a9958e6233affa0770e1950978da2b5458ea085ea1adbb2f70de812dbd9c4ede19cc9ea691d8a80b1bf97ed44c90a391fa62

Download Submit
C:\Program Files\Common Files\OFX\Plugins\REMatch2OFX\rematch_colorplus.ofx.bundle\Contents\Resources\is-EEBT9.tmp

Filesize
9KB

MD5
efe2e7c7635a61dd68ec67a70d30c9a7

SHA1
d667d8170037cfaae92a978fd9e5e49cd6afb63b

SHA256
89c581aa7b6adce42ac99a2dbae84f0a06edc884a05ddaadc064df82f3515d36

SHA512
3bd644662a69b3198b45fd0e854627bac13db6236492d0647c78739613d7e77a8459956faffba2b187888b3ba91d81edd916b05be92e275a3322f78f88b5df38

Download Submit
C:\Program Files\Common Files\OFX\Plugins\REMatch2OFX\rematch_colorplus.ofx.bundle\Contents\is-MK8AN.tmp

Filesize
1KB

MD5
079a68e506591fd3810f77e33d8fdc58

SHA1
dfb44a6077bcb66ad87f071198b2ef850b0aad1d

SHA256
f2c1668a486596acc1758f014f59380e6c93b3f6e073aaca3d1b3fa0507100ba

SHA512
123996d9d13d6c4aebdfd7e8624bd35d0f1768064ba9f686dded7a4e1aeaa88cb71f3f08cca056851ae83b7b54ac579f03400210c5e16142563c8ca19dc845cc

Download Submit
C:\Program Files\Common Files\OFX\Plugins\RSMB6OFX\rsmbvectors.ofx.bundle\Contents\Resources\is-5RMO3.tmp

Filesize
9KB

MD5
a14cb684ae1906177cf7eba3d640bcd3

SHA1
77ae957fcdb0c3361ad90393f36fd6b891e930c6

SHA256
f9242582d369544092c336a6140b3799f31eca67527b19619d56c078369526a1

SHA512
b5ac7c4bc46cc49f698dd090dc77c0ec8f2da3e1370af44c2af169476f16161c8f873948e64cc29ae08980461d4b6bfff9df2ab161467dae7128f3145434d581

Download Submit
C:\Program Files\Common Files\OFX\Plugins\RSMB6OFX\rsmbvectors.ofx.bundle\Contents\is-O0SQF.tmp

Filesize
1KB

MD5
cfba8a9c43fb14d9fc2bfd91294e7850

SHA1
fce10e3cd3ff074dd63d842c138b1eea30ca2a99

SHA256
e872c357b85af6398565b59c92a31b52c883179412f8bfb70dcf7c5ebc306460

SHA512
ae7b040ba5f27747d30684b88f9464d7598c1ec1a88dcf169263c11bac136c51e3ab96b7bb4c26702c7f11543e193bf85c9cd1bc8bda9351f945cff3ac617c52

Download Submit
C:\Program Files\Common Files\OFX\Plugins\Twixtor7OFX\twixtor_pro.ofx.bundle\Contents\Resources\is-JKTV4.tmp

Filesize
10KB

MD5
b3c789384d4e957523450f57e1af743e

SHA1
f2e993c6a14ff4b829b34af0a4a91fa3b1476b4b

SHA256
55d1bc602993215b997a36cc5b6122965c0c5fc56fe5203a1755e32283aa95fc

SHA512
9b86e244cac6584d9f55ce15a3f9246b7d12691eb6dc928b273fcb1a424a41a35fa6ea2da5e5fe089f3991a60bcd97028f26df6c88e397f0eb1d5da722117414

Download Submit
C:\Program Files\Common Files\OFX\Plugins\Twixtor7OFX\twixtor_vectors_in.ofx.bundle\Contents\is-5NQ9G.tmp

Filesize
1KB

MD5
9d7a354ab9e6c14633a98c73e5ef2201

SHA1
766fe1c77e9e7215efd50e7bdae000c660f8682c

SHA256
82061e9d1f518375c5766d7efd62c24ba513bb3e00d95b0e656bc643de5322b7

SHA512
1a9f1694b7cdc85a94a9db43c0aba7405dd31383379040ae347cdca3470813f234a9e531cd3c3e06bcbe6f1072c30791091638b1fa4fe178bf6113750e0f89a6

Download Submit
C:\Program Files\REVisionEffects\Twixtor7OFX\Twixtor7OFXManual\Scratch\is-8AS2U.tmp

Filesize
389KB

MD5
0f9b8075af3212d04f9599b1d6daa9b2

SHA1
a813619c07bd4ca28a23238f38b8ca6884a19d15

SHA256
bf3a89ff4ff9c982df03d40290ef4b3e027bcdb8a70672ce628bb33d3f1dccae

SHA512
ae147b55a400aa0c95f2d6ac4dfb8064592ca86678a0cc3dca99349c570baee9d6509907f43c5f4d8434eb3cf0463c51776a3d0198c7a553385adb8ee72239dd

Download Submit
C:\Program Files\REVisionEffects\Twixtor7OFX\Twixtor7OFXManual\Scratch\is-VU9PL.tmp

Filesize
2.1MB

MD5
30bc46377b633b363bd6687ad7fd398c

SHA1
bbee652b3374750163cbd6efde81583f8432651e

SHA256
5ab1dedd531bd502bfdb35d3491bfc4f130bc81884631b4c3985dc33a3e941cf

SHA512
97ebf95a3aaca31e552e2df582867630656cf9ada1d6aca44eee8431c43853661e15669d80efa7e57cb6f8f08d8c34934c670dbc4d54c2c630dfd7508a8012fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
99482afc2157321d5c711d928e9f8769

SHA1
b273fec737be718915f815b43b1470181e27e8d9

SHA256
ab1727b02ec1ce5e672d7784db21ba4c1bc2482d6455365842b7019e02c3a00c

SHA512
a421bac06ef1203987f6faafa1d176930d0738315383c1dfd643eb89946cc3322f1467ab332c38ceca8ac74169866aa247c7437a18fd8f7a71dbb02767eb0100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e6bf8d665f5855896b89526196c5afe2

SHA1
05f3fb7c9b034cddd2e570c780b2909a58d08d12

SHA256
8fef370a2123194d3792750be2a3ea7d36c8e85e585ddc55bae33d6f4c3853fe

SHA512
4492fdc8742d822616c291c70c2e4f98d739ae27df22b50186afbc0c11a6e474f6ae5a0a38587971224e7a00c05ef55a1056057ec65c71147f536c7d065a66ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
3815f0a2494cf0c8353e66eeff4ad023

SHA1
3078aff691281f0e11953600a4b6e69c9b6855b9

SHA256
1644bda0545299d67df4be43076b23397fea902f0de328fae8c2a97bd2d995c2

SHA512
908d501c35ec711b38d24c88a235e535f088b8d652dc89f416d73f3b679eb34f796ad7c23e99151f2428829a5db2f881ca38ec85e796150555c03364b4f91877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
eb1d95da5425a4e4a0ef13680e500d18

SHA1
2c2c0a2692a376df2b81dbc1fca85cf0531842e1

SHA256
303b3738c162ccf0555b7a42066f8094f0d6d8e9eefb9272c0bea2f137802dc1

SHA512
bd13a589c748633754193f856f0cf9bdb5272141de731e7a5c00517af208f668d041b19e837e086e0c6697534330ee11f4f2ec1e4b9d0e749a2b517d2207f88b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
45eb99094b16a5d80bc2ebaaade2e938

SHA1
4ecaee30437ff5f2575c378468bf2de4313f2d60

SHA256
a080a55a39b22fb8b6a2634a86b1bbc74bf76422eb870f910d4f76099c2343f9

SHA512
567285dadf2828d01789c8ace1914609d0411efe0351ef625496ba40b2b2afa8d4276b92a42d92c9d5aa91a6a121f4b3f76909ed3c251cf725e62ee770919ffb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4e361e594e89fa9ec883daa786232c54

SHA1
4df21d66c2309e0b8f5f5b60749c202f7877f4db

SHA256
d1d215f67b086feae2bf1a95e8a5b27f396e448a61eda9fb5270a5972a384470

SHA512
1bdb54ae2aec46cd9ff60218b0af045d08fe109da7ede052f922c7e093420b886a00f52d2ef9232ddc9f0f152e577c639d60257c3fa1bc9900bb6ccf3324a6d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8b00afc325a207bb9cf9cdc0fa72abc5

SHA1
b4ddfbd62227531364f3536835082f74f9d8bf5c

SHA256
a538b304ebcb6953e8d1437e5714f366b9512b522331e6e8cea5889ba3bbe745

SHA512
7177c956f75f3cafd4d3fc52032f964f990313b950bd409328f3e25f1d381f3759057ed7d216dcfa2960071c392aae2080abc5dd853b4c37c4dd6dea5e97c9b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
c1fa33c328d7c9f81a5d09c546199d4a

SHA1
35a020076a67b5ba0c482f09231787007c3794f7

SHA256
b5058d2c68c8a384ffd98e75cdfb896ef68c94127d8ad1ae4a1344134c94ecb0

SHA512
5440752fdf7e0f4b7af5225dd6350b53a78504307c2514b8f0271c318a04a43ecc7c514f3ba34d454ecbd308262b72fe1b6f8f7d3dc31bd7e8797db0e6fb86b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
84afb5b6321d9c1cdfbb8ddd559f1775

SHA1
f4dae3e5bb502db4c770ab8a16157dfd98600263

SHA256
90b9d2b884a19b2b9e793159ace244c76793581d64e985e3ab84e2847407120c

SHA512
140d18842fc265fc07a3c4a4388dd42378b2139a76b5fc24c28415633447e6416ae2f48f3c25f153f98838a42730b057fd551c549d69efb1af7ffcb3c24144a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe588930.TMP

Filesize
48B

MD5
f2510e6adc8a994b5c8986bfea27c2c8

SHA1
9a3c4f1f69187176d68614aa9ca2c232a86917ae

SHA256
91448adf229d923a5326d49dacab8173d622169f63037da8f3f2239457d81866

SHA512
017ebc0c8645aa7a8302cabd817fac1a993d97015d85fa353d8500e0401aca24b9306c865504743a2f57446f5b29d4b3c2092a152b80c2e04a3686ce1b1d9017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b6601f5630220d0f70e8adfb49625889

SHA1
b797c148ed698d77a3db0853c5da33635152b248

SHA256
705347d838c0d4266669d7688c3bf2f42bb701466707c9734f131e8222174712

SHA512
4f35fb7c021f379e3f76c08ce56312a92fae3c923cd5246d1ff3a2f05dabbb3c03a758c8f71f467e4a8ad3c8c57dafe96306d7530ba9e338463541317f5a06ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f6aceef12cca62cad0bffa3458c08b8c

SHA1
e50e59da54b74a77ea54e05e0623515d6cbc534d

SHA256
5e9763ca59899e971045ceae9fbd29e2321a9b3317d6997fdb8f6b88354658c6

SHA512
cbd72ad33248c489d2f8daafbf441c19306eaa650ec52dcbc72365dbbd0fface0a77d0c2e8d08333d5b7b57deedb3a4e33d6c57e4ecc9eed5c42beb158abcdf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584c56.TMP

Filesize
1KB

MD5
d5235322ac37a7fd28683b5c030b05b3

SHA1
819ae02d780ed6a9adb3d1900e9cfaa3d51a2d8b

SHA256
bcd2fe5e65ce2331da97b01e1cfcb8da1c1495a8b42ffeb3231e37ec83ad6948

SHA512
3dbbe9dc3cef7522e132abae18f72eef980002c633c7b44cc52a3c43ad012babe293c78bb13dc53ed998f24dc3aab70f62a11bc94e0bc4baa1fe18ac798f8941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a3073194c0edb832fe4fe6e58463aa62

SHA1
63930168e4592cbf68d011baf1db399986ee9a05

SHA256
a0c898449ef7d54245da1d9c34cfd23de5887b77e8c522f84fbfe4c8b486ee36

SHA512
78f36ab395bc9485b2254705419c91da321987e57ea44c3db70a5ac50dd5e5e0c9a5ea36d6338964ead9a3ef8c15c615ad457aa4f1e2c8c94f948727098d15de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5f0cb2cf1910533701b8bd185fadd8d2

SHA1
2f40c13e330b1915581d11c816980441dc72394a

SHA256
bd125b8f0a1ed6f98d82ec62a5d59eaf3a6579ca7b7df7d89c7105793edd4c43

SHA512
3047f951022ff4924153a392dd4d2aeb768c8c1f639daeabe436f7dd205e8bde7796f351fa67245278c13126d814ae7f2849321424e788f4591b8058a7148390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0ec60422e158fc671b5133a97b2ac362

SHA1
0dd28e72783f81c2901fd213b21f91890ed38055

SHA256
07d1e4e9e15d952a9a23f7d11a4f731eef933ca5f8992973e10c171a0d284530

SHA512
b89359496e71bfe0495ae0f99f0835c5046ea78f7f6aa30b4d964f70fd5a009d5b8656aa7b77cb910df342829a428b2fe9fb137d7e5f9361da41d386db27ec58

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AKU1U.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G861V.tmp\REVisionFX Effections OFX v24.10 CE.tmp

Filesize
3.2MB

MD5
871d3b5be6b01305c82e29663fc9f0cb

SHA1
a21c765afb3e5e048fd300fb90ac517bab6f59d1

SHA256
eff0bca86d15a7723e24a01538fa683065c560b944522110a0cd319ce03dbb41

SHA512
fa63ca68d72b66c3ac9ce25a6fce6dea426b0772d040ccae6c6846c068c6ffef45407deabe55cdade0ef05ce81043f02b024890750db8b52142f1f7446ff602c

Download Submit
memory/1204-843-0x0000000000400000-0x000000000073F000-memory.dmp

Filesize
3.2MB

Download
memory/1204-846-0x0000000000400000-0x000000000073F000-memory.dmp

Filesize
3.2MB

Download
memory/1204-574-0x0000000000400000-0x000000000073F000-memory.dmp

Filesize
3.2MB

Download
memory/1212-911-0x0000000000400000-0x000000000073F000-memory.dmp

Filesize
3.2MB

Download
memory/2720-849-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2720-910-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4520-443-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4520-847-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4520-573-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download