Analysis

max time kernel: 1008s
max time network: 1010s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2024 16:28
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://drive.google.com/drive/folders/15ZGOiDThXakdJERgwp77IHAPEh_WiCuZ
  Resource: win10v2004-20241007-en

General

Target: https://drive.google.com/drive/folders/15ZGOiDThXakdJERgwp77IHAPEh_WiCuZ
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  pid | Process
  4936 | ReShade_Setup_5.9.2.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow | ioc
  10 | drive.google.com
  6 | drive.google.com
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class (34 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" | ReShade_Setup_5.9.2.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | ReShade_Setup_5.9.2.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | ReShade_Setup_5.9.2.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" | ReShade_Setup_5.9.2.exe
  Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | ReShade_Setup_5.9.2.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000 | ReShade_Setup_5.9.2.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | ReShade_Setup_5.9.2.exe
  Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | ReShade_Setup_5.9.2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | ReShade_Setup_5.9.2.exe
  Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | ReShade_Setup_5.9.2.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | ReShade_Setup_5.9.2.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | ReShade_Setup_5.9.2.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | ReShade_Setup_5.9.2.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" | ReShade_Setup_5.9.2.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | ReShade_Setup_5.9.2.exe
  Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | ReShade_Setup_5.9.2.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | ReShade_Setup_5.9.2.exe
  Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | ReShade_Setup_5.9.2.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | ReShade_Setup_5.9.2.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | ReShade_Setup_5.9.2.exe
  Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | ReShade_Setup_5.9.2.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | ReShade_Setup_5.9.2.exe
  Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | ReShade_Setup_5.9.2.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | ReShade_Setup_5.9.2.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads" | ReShade_Setup_5.9.2.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | ReShade_Setup_5.9.2.exe
  Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | ReShade_Setup_5.9.2.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | ReShade_Setup_5.9.2.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | ReShade_Setup_5.9.2.exe
  Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | ReShade_Setup_5.9.2.exe
  Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | ReShade_Setup_5.9.2.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" | ReShade_Setup_5.9.2.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | ReShade_Setup_5.9.2.exe
  Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | ReShade_Setup_5.9.2.exe
NTFS ADS (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 671033.crdownload:SmartScreen | msedge.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process
  3128 | msedge.exe (2 entries)
  1600 | msedge.exe (2 entries)
  776 | identity_helper.exe (2 entries)
  3108 | msedge.exe (2 entries)
  3228 | msedge.exe (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  pid | Process
  1600 | msedge.exe (all 10 entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4936 | ReShade_Setup_5.9.2.exe

Suspicious use of FindShellTrayWindow (36 IoCs)
  pid | Process
  1600 | msedge.exe (all 36 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process
  1600 | msedge.exe (all 24 entries)

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  4936 | ReShade_Setup_5.9.2.exe

Suspicious use of WriteProcessMemory (64 IoCs; distinct rows listed, each repeated in the original table)
  description | pid | Process | procid_target
  PID 1600 wrote to memory of 460 | 1600 | msedge.exe | 82
  PID 1600 wrote to memory of 3304 | 1600 | msedge.exe | 83
  PID 1600 wrote to memory of 3128 | 1600 | msedge.exe | 84
  PID 1600 wrote to memory of 4896 | 1600 | msedge.exe | 85
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1600)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/drive/folders/15ZGOiDThXakdJERgwp77IHAPEh_WiCuZ
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 460)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3a5946f8,0x7ffa3a594708,0x7ffa3a594718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3304)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3128)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4896)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2832)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1020)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1092)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1376)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 776)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2676)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3564)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1836)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1560)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3536)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3024)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3816)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2288 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4944)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3704)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4836 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3108)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\Downloads\ReShade_Setup_5.9.2.exe (PID 4936)
      "C:\Users\Admin\Downloads\ReShade_Setup_5.9.2.exe"
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3228)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,17214510233719186709,14416191328696029089,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4860 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 232)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 4828)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 6960857d16aadfa79d36df8ebbf0e423
SHA1: e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256: f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA512: 6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Filesize: 152B
MD5: f426165d1e5f7df1b7a3758c306cd4ae
SHA1: 59ef728fbbb5c4197600f61daec48556fec651c1
SHA256: b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA512: 8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: 76f3effd851d8dbe5fe9299173f7dd74
SHA1: a2d345735194b10dc6180b84627ec21356f9b271
SHA256: c36c9f13d179224a6f8722d71babf6bebb465aff445c2facf26d329dd668593c
SHA512: 38b60c71911299c6ed75a676d33c0305ebeceaf8f9003fcf97812723cea25f545d5bb39d6589894a2e19eeec712d0dc6bce8eeb6133d9fb7f62796810a0b40b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: be016df8e93840f16d6bb53146a0c3ed
SHA1: 751a74a002aea10833eb9eeca53103896ef80e4b
SHA256: cf6d22e481baf95f6521db1e21bac5a8f27b7ba395318a24e3023f4c55f373ff
SHA512: 54864001f070e50f24b1b62e45a6a711ea19944f41df069619432c9964631f46cad766a847631094fa9a0f2b663527d767d18b03f0273a2c8c0b07cd1ef96bdb

Filesize: 4KB
MD5: 84a3104cecac93de2dcaf0c1f400d0a9
SHA1: 6ed1c296a761deed6ecb1eeef60d8545dbcfc5b0
SHA256: 8044b92c3c71754de642817c1241f73071430d5a1eafde175175e383e278a9d2
SHA512: 535bdb8fe161bcd852df27f178c8df0000abd39aa9a08e6ac070e8aac9fe967f7d99f1624c0a9dda3d462be909ccbbc60bbe41ab473c991717a3a22f7a3af0f9

Filesize: 4KB
MD5: b9863bb49869d3d0827422c6dd25a640
SHA1: 67b389508253c1eca483b7ea1c7e8519be45a893
SHA256: 30e6a2cfb57d04940a397879fb5ac9084a79171088e32f240b14f6ac5c22de35
SHA512: a1f357144116fa8cb9b58dbcfcf22baa16919b4a09aa0bd5ed610feb1d4053a9c41e92833c250447ab802208d37f2d19d761482e79a048c9667ea608986e52fd

Filesize: 7KB
MD5: 07705d4474fad08ae6e07f8ea420cfa4
SHA1: 4729d31180a8fd9164c93bbf63a01be9f6ffd089
SHA256: e2f8a92ee89e99c6446b5ea010e73d2ea595a94a608c76eadd46f846b8124313
SHA512: 1501b7abc7e54eeb818df1a7a3f68707300985802c5b435c344da018fc7f48fb670cc9305c65400fadea6451971e65491b2e1ffda30a49970ffda4e8ad66e21a

Filesize: 6KB
MD5: 96c1ee4fe69f6ece7bd2c37cd0184952
SHA1: 6c65372d255798cac9b4d176e478a4497088ee76
SHA256: 7ba4d4e6d0dff4e034d9c94b385122e432c92bc5e9c1074965c5a6c239384b70
SHA512: 9a9d0ab51ee3ad93f509b31577a03807edfe0b04eb81826458a35f586308386df37dec1f0fbc7d48e90a97284c21d37c8752d9675524aac81e697f147a24efbb

Filesize: 5KB
MD5: 0f98350cc2831858764806bd74ef3c41
SHA1: f548f47dd4eb0536d0022356b7ef7ed8f59cf430
SHA256: 7c8be902c06e4aa5f0252a0d8f7dc95da99a63c0790dee7a9db62be0ef6b9bff
SHA512: fe82fa6fec502360e63b311583f35852947b0bb62ef30766193b85235ea8f4688b289b8e71a728e4a1cf8b1942495dc3a53477f72f6ac5d8204da5b5b9788bcd

Filesize: 7KB
MD5: bc2aecc62b7bb6ed54c991a90f67d9b3
SHA1: a01ff61d730707def3d80684aa0258bafaf21cdf
SHA256: 2f7498aabea5899f7f2f322391d3d1466b496ade3ea644022b9e7ff96e29f8d1
SHA512: 199c7085f79cec644368ffdfa228df40c7d10a9f19f5e98a0e4d1ec8d1150771286dbab5d9f057e2473cfe81ce89aeaeb9b4af3a9c291d8a624b633db9d87434

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: e784c2eafea62b8dba481949c50d37bb
SHA1: e15833f89b1c703aefbd98c19d2f5eb6a892ecc6
SHA256: 6f9c2f12745d6c11dd4cec013f9f93e5c47a49a93f9100797f8d1d02698552ac
SHA512: aa1bbeb25927a530d2384bf1838f908277911beae2d70e78ea23fc249ab4eae5ae308253e4023947f2b7c387dd8f8743c07c7bf643d92fda3202eac76930e24b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57eea6.TMP
Filesize: 48B
MD5: 8399db60008743173a4e63ae43a0a5de
SHA1: 0de4baf6ecf0fd810f7123a35a4602ba1a5d23c8
SHA256: 02634046b42239ef533d099a50d1cc881b2c02faccb33a99b8f63fe5722dea04
SHA512: 498326a45769af187014d49457d0ec769ff729b4fe70c1cab97a4ea7d54d19eab43c6795dc5b0285043cc8d066cd793e4d00ce53a3b45ab511c5b1a79692d76e

Filesize: 1KB
MD5: f292c4c5337b39e2c370e510ec67e38b
SHA1: 9981a263bb9c7200b6a2647bc958d27607989c6f
SHA256: caf4c0dad87f9b04f5aae24a9df11861d55d1aade9a6238c7f8136ae7a5626c0
SHA512: 5b4dd6aab500b9ce6662d71244073bc57ada7ef25ffb3e14a6de1292a7d93ff9ffa408503c85a6de58b8056502b4eecbc6d930f48c412e7eb2b37807d5f0b4fa

Filesize: 1KB
MD5: 1fac43e8dd4be3782e29b9ad77109765
SHA1: a430d940b4de34b38f70289bdbfd1d33106b1f69
SHA256: 3d3ffd34ce442fec69746ed5f617a13506e838dfb4c984aeeae427f646ee4573
SHA512: 03ad04563e7fa825f886a1dfb3f5b76cdc4f63e8316182b13279638f9369d93b92a23827fa46e41e9ab8a9094cff47151418b6b3faca1163f7f652855364c924

Filesize: 1KB
MD5: 952c8204c082b91833b638f64404583c
SHA1: 7ea4f2cb16f99bc45c5391aa322e8badcbd30a32
SHA256: ccf85ffcd8b7e8138edcb5e80714a28f4f3cb32425e3de7bcde568ff191039c7
SHA512: 827fa76dcb81f6fd0ed49b437c08653888b5358f734165adda9d55b84aa04d33302bad0cf03eab01e2ff936df43eab11e44d454c392c18397680d937a5721a69

Filesize: 1KB
MD5: cded73760ed5ae54bf98f5e4d585436a
SHA1: ff1abbcaa564c5d5e312127bf8ee5f37e90a5a2f
SHA256: d2214d4ccfecde80d3f72ddb26790c3377dbacd90b59b82985e98a0d81c18465
SHA512: d3fa3a219bd3d15df2ac9ca5dc4df6a8e163c045b938834724bc1208e40adadfc02f32393b28f28ba5a44ab1284804bf4f12c826917afd647f4ff69c2af9c2b2

Filesize: 1KB
MD5: 6e87c14722336326e606b61eb6b992e0
SHA1: b15f03a994077e2f442deac97218795e78f503de
SHA256: 3ca3cac247b34a5b4fd7f4dce533d9e819445835238399f1f325b941d7836a4c
SHA512: 43e34cd7f512e5ed4bb8a3f5d59d95f6a80547b586b738b3cabeb31d587a1fd5fadbac4b8e15a9b0bb6f2d5f5ec4e03e21e086cc1ae474be8006fa82d4f745c9

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: f21d8e0f1f5323114ae84b2099fd0150
SHA1: 266241814ef54355310ac945d87fc50f40605cc1
SHA256: 37aca3c8f29d512276f89db1add97929b5c5f1b09b92cf1ef56accb85a46dbd0
SHA512: 4a206daefee4787b3e3bbefffd3839e08a4f10d2f410d1aedd5a03b538c5f91aac39caa4f58140e4cff040fda8a67a275be99a4fd75d44c9cf0c215ae6281a80

Filesize: 10KB
MD5: 0d929c4bcf568c0297998739b2a698cc
SHA1: a45dd387fd13f3eb3274c1e96d0572b35f1b062f
SHA256: 5c37d1f03d46587d26a11f6f9fe22ea0cb273d7bae0eae3245f768be5657dd8e
SHA512: 9b238c813b025ce40312c8ddd886d26b22cf0e362e1dfe3711f60bd4647a44148d478f41a769af4e5229d9f34294a3b7b98bcd459f67e5547d2d9f8b72f2938c

Filesize: 3.3MB
MD5: 2c942eed7aba999ba5b5afa5be21aa6b
SHA1: be23cd0706daef313daefdec55a71c5965236b69
SHA256: ec5e9d128d4460e212ca859cb257c95bba3776d412fe7859c4c8c91633e3c9dd
SHA512: 2299f76b0c522a2dc01c3ec11b8d912b5a0016c4a2787622095369436211b6c584fff0552047ddd73ec2419cae6dd9a228c304166a354092fcddbaf2f6b221c3