hxxps://drive[.]google[.]com/file/d/1IUIN7b0J2BXMj9NH11kKRrgwDBm8iUgM/view

Resubmissions

26/11/2023, 12:41

231126-pw37tahc8v 1

26/11/2023, 12:38

231126-pt8phshc59 6

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2023, 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1IUIN7b0J2BXMj9NH11kKRrgwDBm8iUgM/view

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
336	msedge.exe
336	msedge.exe
4324	msedge.exe
4324	msedge.exe
1472	identity_helper.exe
1472	identity_helper.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	taskmgr.exe
Token: SeSystemProfilePrivilege	3636	taskmgr.exe
Token: SeCreateGlobalPrivilege	3636	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 964	4324	msedge.exe	49
PID 4324 wrote to memory of 964	4324	msedge.exe	49
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 3412	4324	msedge.exe	85
PID 4324 wrote to memory of 336	4324	msedge.exe	84
PID 4324 wrote to memory of 336	4324	msedge.exe	84
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86
PID 4324 wrote to memory of 4152	4324	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1IUIN7b0J2BXMj9NH11kKRrgwDBm8iUgM/view
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff91c0f46f8,0x7ff91c0f4708,0x7ff91c0f4718
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2740 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4876 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5214405692092207360,6501725715084159935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:1
  2⤵
  PID:2828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4984

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
d7ff3e462291b157719541a7874b92b5

SHA1
8e4620ef7ed1eff4ebece4be3876f648aa609e6a

SHA256
048140da2354195bdaa6a24b4369e003422cc67e8be6bdfd52366cd459119a94

SHA512
0842f980f0d064814ea60d6ffb2b334b6bc775bd4fcc33f4a4a58822d93000e754dc7039f0fcb46915f0829aab4f800fb52c672ea53f09748ee618ee84efdb4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
0a6cb58d5c66f90d1d4dea925f7ce404

SHA1
62ed6d4e2d7b0bf200b85c4bc07c3d8ef32ee6c8

SHA256
fab9b42a6b36ed559b1065b84b777a02e0d49cce9fd45886620978a379c7814b

SHA512
2ef50f6214e0795819169001e1541de18e81012fd964b7a2a18b7b86af725de69ee742203e583f232858ae845db232b08e9e46d1fe5f340b08e8bebf816e4def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a336f6c4c7488ea2f4bfa3bd82377f33

SHA1
f1b48e04e4ac10d25f9acbf1734e03194d55b50d

SHA256
511f46f5aa186c93030d627f23456ec9ccef29405975ecae051f71fdae28ba85

SHA512
4ea2193d7ffdff8a2892157d3012d004cb7a109317f9e58a13b395d00c1a3ea769df5655404bcb0d8e8bd6e98251418f8ff279f8628e3d4696d48fb7e808f599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
007fe85d9ee6cef3bb986bc6fa328f53

SHA1
2d4cf2e60c27bacfafc0e67f6c84c9120b4285f2

SHA256
a96b49f691d79d1925592180bdcc520e97196a51ca392d2e50c2a91fa2e2cf03

SHA512
4250f45a89190f05696402fe4b412705efe9d5247bed7d911e92fd5fe4b339bd90f7b0ea6f9d1ee2ae47886d6060d26b226afb5979f5d40443887c68ee7080da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a28a3d09766c9d91b550dd3bf84fca02

SHA1
3451f796bc81ed296c6693780c0836e615dec306

SHA256
40ac8766dc23e4ee7dd9b424c7bf61081165a179db537bd02d4fe863b105745f

SHA512
37b1d8495c8234d06fc87873ff9640d6b649dda7a5d31f9bf6fc9e34b4a81141dc6c5f237fc51fc40c2e58d29bdede1e0da4f987a405810142bfae5554eb05fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b6be81ba14c3971101e3350a28ac9ec3

SHA1
8daece0f253a1ee2b99088f52f18a5cb3208c155

SHA256
dcf4f4fa062ffd6235abb21a4677abe66511bcb9c2498a2b5ce7c695b9b48a3d

SHA512
3bf1f6d0869ebf6f9ea7a93bd410b6cdf9e9bb17f00e53a4b1624282974b53d70e7439db9b36e1d2822f427d7319004d0c90ab4966bf394e2319937722ece4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
536cb43c882c8ace764f0e01fa804c58

SHA1
1c25f02b8223ae3bf297903100837b5fc0949d10

SHA256
e13a59bc7c01a2a237ccf46f8e152d079fbb236bfc41070c922ba8387c556a6c

SHA512
4bdc057f9b6234ccacfce2ec4ec6dc14188dd1d9ba928f8f14c8b036cc3e78d9f12d038714417b83f8e2680362808f224b7bed91c4127534c9cb928bf0c0fce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c52e87089ee5c5fd3b8b094e87bbd07a

SHA1
193c45246b2013287a1ede2848cbefa30868d844

SHA256
85900c560b1f443cca54080509588288725cf59cd7ab637643710a584e8beba1

SHA512
07b125fa59b382120051b6ab9921eaf3f28a38e16c93efb7103ef133ee46decb4997a24b3437395911b392dadf537067ff20b48b3d386bdb7658120a39045955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
92a5294be18890b617fd9946b538835d

SHA1
dd2f44ba17352af2c49a19364651ec2de9d80385

SHA256
01c686acd46c1a08ecc7e104848382cb71a7c9792a6e65c31734afea8a6776b8

SHA512
deaec7978e46ec738f925f75aaecf03908a8a213f7776d4b8f0e89c29c127fb32972525c25511ddc0a57f233bb75bcbc43dffe50d3061e1625c4344ce5dd5bcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
301932a6eaa9a31ad7e7a0af38e9b60b

SHA1
d357d3c3e612b09f8aec9eb27cd7de560abeec03

SHA256
36a0c72c07f1ac7f62d9bb164d51fbb2ff3fac09bfc1a8bc12b610d59e59d1e8

SHA512
127cddfe69abdbffd3689f6304f07556e893cc17f75884df8d7986bf7ab2f98dafb5d56d39b48ff86f006324eac57e0e2c9811206ca415a57f2c9a9948592f71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e2565e589c9c038c551766400aefc665

SHA1
77893bb0d295c2737e31a3f539572367c946ab27

SHA256
172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80

SHA512
5a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
05bceffce510ffb62e42c8803a5d191e

SHA1
77c3b23cd39c61d85b9f83d421d5939c4fbe8d96

SHA256
074943541623eea9bcda7501e8097558bc0e0c7b81b7f9ee2a4729ea6960fb0b

SHA512
6ba7ff6b92b115940131d289955916a004ba7f37d3fb59ae21587a28f02494726db834fa915f97acfb4bc17242d22c178b7d9596db47c25fa35a127ef4e9bef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ff30.TMP

Filesize
868B

MD5
9f1bd46000b449be0204d7c05005feab

SHA1
385247350465a7910c4ca2624ee965307ff393e9

SHA256
6f854357bdcf22970f42961bf557df856ba78eb5d9649526b12fd351ff013b21

SHA512
cfea363aef25d38d671a6c6f8e4dd213999cd95370cd7caf6c66d99dac9d2410d8b2f51b06cb39dbc97cac57ab714193465c690508ab1bb2d3aa731b4a6050bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
96a8c41f6690a459f014398789b836a5

SHA1
aab52c407587b1cfce9f56ae69fc0052a8462194

SHA256
9bf7a9233920b511765ed502acfea73ed0ff9f53ac1dcafe975d8296c68039ae

SHA512
680bfa0bd1ddb0c9cef2fd6a4fe4d9b0a03b1c1900e35c58af3346876fa018c014fde1017b8b6579441d3b91f44541a6378b2ac4c7916690bc253da8b8cbe598

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5645cf31a531f93b9774da9966ae8696

SHA1
8288cb91fca15c78b8a5be17f27f882cad4bb178

SHA256
81b9273c4d38f0353a17665b9dad7acb242ef26ab1cd247176a185ce5e36ee16

SHA512
f70bd311743833f1ea71ac638a6804568cc7106cf8bf00ffcec059cf8b66387102c6fc06f383424af9b099d26442f61ebf5d032b73e232411d385693e829ca40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d0fb1dbdfea116fb520690e2f396c040

SHA1
de17e02991816d823c52837082eae0729b49ac1f

SHA256
1919eba9b13b254b45e328c9fd8293b8a4651b9257c95e2f9deba47e7f584ebc

SHA512
e54a5359ed506b66e9c21d534dff456dc4fb169ed44c37d6b76d389968729eb0ca296548d6716bf6a9aead93e8f40d11fb708e43ad94a4a83b41961ac1254c56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5ac5fd3c7a2eb19b4920b92e769ba30e

SHA1
5523338b6b6bf81731fea600fd8b922cf0c75e50

SHA256
52ba650bfe52ea15bacd8c0ca8a5165bf9d99129e621e733ef4298d1ebe15816

SHA512
9132cc73790d1696c668225a0332ad803e38f32e987611d38ce05448175d0bbde2d59c78cad6f0a85da6fcbebed2f5434202bbd432be5fbb6b723685f0787ea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3efacc92e568897642634918c7f0d964

SHA1
d39dd77eeb64f36333a7c5562e53d16ff504829a

SHA256
8a50976c37a21aa017a09069a29b7a0f7b0379af3b327e74072a1e5b9ba002cc

SHA512
e4e4bdc6812e22198d673c1b55d5cfc0370a08babc17ea51748e4b84b6944127bc96b4dd09023dc439b818c96b70c67b046aaede7c55a084589ae4df21242b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0ca68a46fc2d1efa75600f07be715b2a

SHA1
b7f496b6eddaf0248b9d070fd12f881a9de34f5c

SHA256
f84718ee918e5aeddd4e06d342971c59e4f21a64d4a45d8a73f342b9ed862346

SHA512
513539e3c74ce474bf27685c3c767dc4d974798bc15787131fbdf7ff5205a3c3a8a31db9553c0464bbc897c22cc1a07d93cabcf860f89b2f538a58e8281c026d

Download Submit
memory/3636-296-0x000001EA3A8B0000-0x000001EA3A8B1000-memory.dmp

Filesize
4KB

Download
memory/3636-295-0x000001EA3A8B0000-0x000001EA3A8B1000-memory.dmp

Filesize
4KB

Download
memory/3636-294-0x000001EA3A8B0000-0x000001EA3A8B1000-memory.dmp

Filesize
4KB

Download
memory/3636-300-0x000001EA3A8B0000-0x000001EA3A8B1000-memory.dmp

Filesize
4KB

Download
memory/3636-302-0x000001EA3A8B0000-0x000001EA3A8B1000-memory.dmp

Filesize
4KB

Download
memory/3636-301-0x000001EA3A8B0000-0x000001EA3A8B1000-memory.dmp

Filesize
4KB

Download
memory/3636-303-0x000001EA3A8B0000-0x000001EA3A8B1000-memory.dmp

Filesize
4KB

Download
memory/3636-305-0x000001EA3A8B0000-0x000001EA3A8B1000-memory.dmp

Filesize
4KB

Download
memory/3636-304-0x000001EA3A8B0000-0x000001EA3A8B1000-memory.dmp

Filesize
4KB

Download
memory/3636-306-0x000001EA3A8B0000-0x000001EA3A8B1000-memory.dmp

Filesize
4KB

Download