hxxps://drive[.]google[.]com/file/d/1GKDJfJAlGmLAPVZKtqjldwXWvMrIew1v/view

Analysis

max time kernel
112s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2025, 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1GKDJfJAlGmLAPVZKtqjldwXWvMrIew1v/view

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
9	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000136e39709918db0156dd24e09f18db0129c218c6835fdb0114000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
212	msedge.exe
212	msedge.exe
520	msedge.exe
520	msedge.exe
5016	identity_helper.exe
5016	identity_helper.exe
860	msedge.exe
860	msedge.exe
4036	msedge.exe
4036	msedge.exe
5264	msedge.exe
5264	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5688	7zG.exe
Token: 35	5688	7zG.exe
Token: SeSecurityPrivilege	5688	7zG.exe
Token: SeSecurityPrivilege	5688	7zG.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
5688	7zG.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe
520	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4036	msedge.exe
5984	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 3312	520	msedge.exe	84
PID 520 wrote to memory of 3312	520	msedge.exe	84
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 2692	520	msedge.exe	85
PID 520 wrote to memory of 212	520	msedge.exe	86
PID 520 wrote to memory of 212	520	msedge.exe	86
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87
PID 520 wrote to memory of 1604	520	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1GKDJfJAlGmLAPVZKtqjldwXWvMrIew1v/view
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b18146f8,0x7ff9b1814708,0x7ff9b1814718
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6112 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6848 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6436 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,11256750122086103356,17077850932878607307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5592

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\" -ad -an -ai#7zMap19132:140:7zEvent1178
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5688

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
7d71dc0b7d0fe0c463146ebf85c16c59

SHA1
575c70054bd0b0e4f59436649f913c9e65ca1b21

SHA256
c4e4de0fb67a1b5effa5e9e9bcb25feaa6978e7e3715d6120b27feb9a4643eb8

SHA512
989b721036de9689fa9220b3628b38d07e3e8de61e96efea2085484e23b9810e005859692d45304ec29f6951206099c4b9aa6be64aa87288d4b93482e2926ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
c24eee4746773370305d76d9f1dac3b4

SHA1
c145116ffe966eaa707dbc13458afa5b47fd2db3

SHA256
4fc79c68afa6efaa6810b1d33b0c9cda5bbbae06e9e62a1f33f3570a857278f0

SHA512
8505b57ff907e87897a84e3012f5630740ece33318fb45c69e3e83c571e9ea9952ff025de1523fa3a0a8a38622b35125ac42d88d7c13a07678ed1a7b9da753eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
e8c856d5227226904d8caab1e11a313d

SHA1
20b9845ebc848720a1112847620d58da504af970

SHA256
989c9b53989e74f52f52d2c31aec5ea0336f1237946e95e6990eae24df7a8ba2

SHA512
9c9850a7473342066766e4c0caf7b7c8040f45cfeeb56de4aaff21b2cf5165bf462ef04c7da562a21e14c8965ace6e89d78a3d5e679b2337cea9930843b18377

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
528e3ec61e489634b9e39f6de9889193

SHA1
a602fb5da71e7e8e12d9350c9a0974362b3c6ca3

SHA256
a2197694f45048059d3fe6ae8709dc32c9cf122db53f92770bc7235e8b536663

SHA512
0842664d8fe207d7892a570d04e192c6b5180eb79e24fd1959efa023ca2d15c0a171a92ef1405838a4bab3a49ad31bd16104ce901c6b487e18bc99ab0f39f424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
99769b61bf9ed7acd6b02b16271232c1

SHA1
182220c87d10ff847c2868af181cc39582a039a3

SHA256
28018b795ed1637812b1d26bc4c0be14109bd1ac1f4c87ffbb91e5d7d2fa4c36

SHA512
21176d33508787795e426cfd7347cec1d9c6e5ed56044b063048ec568840f71eb8fe936be5d1f0dc7ad96ec6acca95d41ed1b972d262469fc0267711b10ef9a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
37d6a8a65e4955105c963bd479adbdfc

SHA1
8f399322b0fdd9e162c28b2cc8f21b437c4f4441

SHA256
1de51339766887a93c79541f041eb9d503db6dc44df22cf2493624f2f70542fb

SHA512
42f4ef5a432821c48d48cf715c82c704fb8e89d237f6d03b81c7e33c4faaee09b1f5dcaa206e680c1d32c915b87dc4369975ced46c22e0938e148c58758bb92b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9f6cabd8a00f51ae150511c897658e85

SHA1
b98d897968b8fbf78b493017785c62b91fb75627

SHA256
318521f051589f1bc54ae3cc33117f2b65e2b966ea8c396f15d3b7bbc898989b

SHA512
838464d894b953578eb7bc254049f4be84d4314137e35f52386b7533cc4ca877399417f7c9a7fb453c21cb297b50436a3950aa78b8273a3f57d08671cb1bf0e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bfd00a634185ef30aa50c9e4079df005

SHA1
6a131b418433fbb4610e2cf8b3cab7d71274c95d

SHA256
d60499a0abf0491d2268268178b3e5f6c9c230f0a5f7b9b38df8927756e0ee93

SHA512
e2b9f1206cb0930e78845186d7fcf2c221c11f5e883ecf32b663e447905375ebb1facae574691fec5b981e4389dd732fdf702f9a29cae17e9d0a04e48365c341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a2e77e3c0256821ea094699ab90cdeda

SHA1
d9a9e21ea3c31e3aa41b1e7760a68557392770b2

SHA256
0d70ebfbfba9688240d5e242f753ab4deba125fca4fe99ca5a9e518e6536b27f

SHA512
8d2fb82f14d33b16c150d26a2cec4da82dfd4714be9c8c71f82e17d186b36a0cb8540bff8ba9bb623b351ea1bc2487744c826f3c44ba764e876ec7f01b4198a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f01d.TMP

Filesize
1KB

MD5
b0e60074ea4a504bce397ec9744ca28d

SHA1
d35d4e6540b685777a7e1d4aabef10196c28be76

SHA256
0c11bb66ac85db48498c8bc02551bfd15388d68e147107702e120070747d9d54

SHA512
f9671009d8a7f3f37461875b70989e7fb64159594a9b521bc10cb43be64c2fa66c44972ee668aa8e03cde94432592f99261865d1da069c6e6c223a2a48135492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f5ff9dd8f3c03f6cb3954ad299589b96

SHA1
85fc1caab22bd3bc22428a5ec44ff4727737a7c3

SHA256
66609d9382457483e9dbedec0aa9e8335033d65a3978512606f63e21d1da6151

SHA512
acfa23f3b869b2f76e5f5cf844368389815d201e40c23a9740968c293f8254c5771274fb6a5c0acceee0142c20855b2cff61044640f6842e701eeb619bea0c8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
835514b545c46fc060b7697f5c02be50

SHA1
e38fdb0e9d6805e3a0427be927adac3b630e799e

SHA256
eb9dd0d404da079de2cecde03035f3f61097f7660c73a4f46b29984a4c2812ba

SHA512
5b86fdc1af4c36ae15f10a907daa117038d7be4cfc93ec86744f803dda932c5d504275580a74ae214e3f3884e69f0258cc7ee0d4ddf5febdfed6edee2399998b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Revo Uninstaller Pro 5.3.4 Multilingual\Revo Uninstaller Pro 5.3.4 Multilingual\License\revouninstallerpro5.lic

Filesize
64KB

MD5
8462a9b69c76a9603a4143d51fbc201e

SHA1
4473590f93f94f22c340a354516191c3c0ba6532

SHA256
fe4bcb4251f77375119a936c80fb36221af0c5105e840e2e115d47f96cb437c8

SHA512
2f02ecdb06760a093f4d8e6f04c97138695b064db8cb2dcc4af9b47c829852f38b77be9425eb2f3e3e36f85da181c116c829921fa35ae68afc57c728d5393570

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 441635.crdownload

Filesize
17.3MB

MD5
3263ed81c1808b388d587af325e6e8aa

SHA1
eea43062083172020810e8b111cf233d9bd034f4

SHA256
2404f0ee02484810760b42fbdbaacb606299d4d5f5c286a6f1d7141176fe7991

SHA512
73005a58e4b852187e9467f0f580612f5e5bc2c68fdb2b750a74bfc2703c338bd01337c5499703c990a07e28617a7430134bec270d555f8422ab7ff8e11c20c4

Download Submit