hxxps://drive[.]google[.]com/file/d/1oCGtzrzqZsju5x6hv9lEAIXSo_k_Q2E8/view

Analysis

max time kernel
33s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1oCGtzrzqZsju5x6hv9lEAIXSo_k_Q2E8/view

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
10	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 5c022479d218db01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{07089834-2C8C-401F-8977-788487B9152B}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{66B8C9CC-D613-11EF-9361-DEEFF298442C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\.ahk\ = "ahk_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\ahk_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\ahk_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\ahk_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\ahk_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\ahk_auto_file\shell\open\CommandId = "IE.File"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\.ahk	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\ahk_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\ahk_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3996	msedge.exe
3996	msedge.exe
4376	msedge.exe
4376	msedge.exe
4176	identity_helper.exe
4176	identity_helper.exe
4408	msedge.exe
4408	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3180	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
5308	iexplore.exe
5308	iexplore.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
5308	iexplore.exe
5308	iexplore.exe
5512	IEXPLORE.EXE
5512	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 772	4376	msedge.exe	82
PID 4376 wrote to memory of 772	4376	msedge.exe	82
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 968	4376	msedge.exe	83
PID 4376 wrote to memory of 3996	4376	msedge.exe	84
PID 4376 wrote to memory of 3996	4376	msedge.exe	84
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85
PID 4376 wrote to memory of 2484	4376	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1oCGtzrzqZsju5x6hv9lEAIXSo_k_Q2E8/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7fff054246f8,0x7fff05424708,0x7fff05424718
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10604275212359182446,3631216131183376426,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,10604275212359182446,3631216131183376426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,10604275212359182446,3631216131183376426,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10604275212359182446,3631216131183376426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10604275212359182446,3631216131183376426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10604275212359182446,3631216131183376426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10604275212359182446,3631216131183376426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10604275212359182446,3631216131183376426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10604275212359182446,3631216131183376426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10604275212359182446,3631216131183376426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10604275212359182446,3631216131183376426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10604275212359182446,3631216131183376426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,10604275212359182446,3631216131183376426,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10604275212359182446,3631216131183376426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,10604275212359182446,3631216131183376426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3180
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Fisch Macro V11.ahk
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:5308
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5308 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:5512
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Fisch Macro V11.ahk
    3⤵
    PID:5760
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5308 CREDAT:17414 /prefetch:2
    3⤵
    PID:5792
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Fisch Macro V11.ahk
    3⤵
    PID:5880
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5308 CREDAT:82956 /prefetch:2
    3⤵
    PID:5912
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Fisch Macro V11.ahk
    3⤵
    PID:5988
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5308 CREDAT:17426 /prefetch:2
    3⤵
    PID:6020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
6fe2475f7a3a08bf3eb0c4c30c7ffd90

SHA1
0748920b8498060235747b7bbb214350162a941a

SHA256
68ac08de16f48e834f2d3b6ddb8437a8cc0573192ae320472db6b873bde94de2

SHA512
8668586cb51b212a73901e45717245fb448631fffb4047e820581bf97499574df15b765d590c1f2d3cd6dd83faf256a8bc4f412d107765d44d44ba1d71d65eb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f25184be031285a4a5736a43d8be71ab

SHA1
2503747ea0df58faf13f3c6b8793d0b3922a38af

SHA256
9834f46da6c5095fdd78c1236dbe4f599bc924b57412c32656091c6868140948

SHA512
5da99bb8149fad5d65d07950176ccefd11ab9c49c5589e6287bd2e17aad9f15ecb1138a7446f932b90c92a03f542d0fe1e8473a975adfea08402a1c790acfb13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
39acaa3132632030e0a2a86ee78f6f8a

SHA1
81181383ca6cdfe9b9e142f8add4f639058db460

SHA256
dc21f4e35f50d3f45f928dd9bec3d6953bfb718ae9d41914c9065b69dc83c879

SHA512
bb5b998610e625bbf957e01448f3f7a900646530da2c9eb99c6d89422d26e62c1222f55e7342f28f96667adc9bd8fdb30c6f30d43efb506d3cbd23f6b39086a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8e0a9d788a0170e862069fbc15267273

SHA1
ca9aaadc05dac52ef7b13594a962fc1dcc45c747

SHA256
c45b64966f1a27c5c86d73f05ac1eed46b24172c0507422da89f2b3df4b7bbe9

SHA512
1fb0457c105d78c6c1fbab41ce96807715ebddfb677ffc36c497546f687845ebde204742177123920af5d4b02ac792175665d57b7641c8d37cf64902010a16c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8125a72bd91b3f947e6403f6fdd3b52b

SHA1
93c09f2f721b8585bf02877813753a8b96145ab1

SHA256
a02657b4f57ee4ce936e032132b5e7534277d9f9ec32bfd589eb09686cd137ac

SHA512
4a364874f155892d7465de063035f459cdfe9fd4ef3ac9a20310fc6efa0db70b86d15aff2a6c6f19690bbbab95eeb812ea6099a1faa3c30773638efc89290394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9fbe8613e15b39ebd28f6ca93581bbb1

SHA1
f244a303abcbf7e4d7ca6bb70a0be8da6a1e1fc6

SHA256
9d213178438095416daf21fa8a4ec13c24834a17bb95d27b5249ccc7571348b0

SHA512
7a41a595a3c15b0413c23ee2e90437bfa37557c4621cef27885e3ea337f0541c29802beb1dd3f41fa7451c50b6b33f1fcae67d902e6894f354e3c22b2cf4eefa

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 701016.crdownload

Filesize
25KB

MD5
36ddfbe29f2fd3366ca298b350a6cb19

SHA1
0b5c4d270dc47b4ae1b1f59f85b8617bf8a7b036

SHA256
4acb8e96da33a31d5f8384635cc994bebac071f16093ae6ed7f909f6a3bf7218

SHA512
54760d5e130e90a07c238fceee800da27d567671a22bdf6ab7f6f21a148f072e7b2f07d7e74e55f32d7d8e4c52779882ae6681a0653e2fcd564a7dafc94593ae

Download Submit