hxxps://drive[.]google[.]com/file/d/1Mzn6o3n5xIhN6nueBAl3YTzyb27ZgMrD/view?usp=sharing

Analysis

max time kernel
162s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1Mzn6o3n5xIhN6nueBAl3YTzyb27ZgMrD/view?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
3	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-47134698-4092160662-1261813102-1000\{9ED5829A-B515-436D-BEC5-82C16C8708DD}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4884	msedge.exe
4884	msedge.exe
4616	identity_helper.exe
4616	identity_helper.exe
4300	msedge.exe
4300	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 3380	4884	msedge.exe	84
PID 4884 wrote to memory of 3380	4884	msedge.exe	84
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 1532	4884	msedge.exe	86
PID 4884 wrote to memory of 4928	4884	msedge.exe	87
PID 4884 wrote to memory of 4928	4884	msedge.exe	87
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88
PID 4884 wrote to memory of 924	4884	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1Mzn6o3n5xIhN6nueBAl3YTzyb27ZgMrD/view?usp=sharing
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe324046f8,0x7ffe32404708,0x7ffe32404718
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6092 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5172 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7200 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12520676768990066886,1661109885286592871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7420 /prefetch:1
  2⤵
  PID:60

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
b6c0d2f544580ab607e6972b8f2be86e

SHA1
5a7937dbeb1df1957edb79c36cd5503e5a2b118f

SHA256
1eb2a86eb21293127fa5b63e208efb01922e86862bb6477e42c7ebf0956b7d81

SHA512
ef702857673da4e4b37b381450f2fd75a1a16df75855d16527dac27484cdbd722b8413caab5a76e9a58980e3b80b179b6a95dc39124851b4701d5aaa2847afc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6c86c838cf1dc704d2be375f04e1e6c6

SHA1
ad2911a13a3addc86cc46d4329b2b1621cbe7e35

SHA256
dff0886331bb45ec7711af92ab10be76291fde729dff23ca3270c86fb6e606bb

SHA512
a120248263919c687f09615fed56c7cac825c8c93c104488632cebc1abfa338c39ebdc191e5f0c45ff30f054f08d4c02d12b013de6322490197606ce0c0b4f37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27f3335bf37563e4537db3624ee378da

SHA1
57543abc3d97c2a2b251b446820894f4b0111aeb

SHA256
494425284ba12ee2fb07890e268be7890b258e1b1e5ecfa4a4dbc3411ab93b1a

SHA512
2bef861f9d2d916272f6014110fdee84afced515710c9d69b3c310f6bf41728d1b2d41fee3c86441ff96c08c7d474f9326e992b9164b9a3f13627f7d24d0c485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\358b49df-51b9-4522-bd0b-f6fd68147d74.tmp

Filesize
8KB

MD5
f06caff88b386f125d543ecdbeb94843

SHA1
f79f0f92089a1060b39cef95ca135d01e901e9b3

SHA256
22ef15f8fd8da3f0d35998f5e33ed722a270e381c7e7113c08d1c54339a0119e

SHA512
72c64825ee65382760a5ac997aee3b1fd4c35c4f167a2185d9177184d26bbb452d381b495b2f88245a82c524bc77110de4bac537016e774ac5b7bcdfb65f917d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
28KB

MD5
bfb4ad144233248db8f0b493c9f53943

SHA1
75f204ac49008ca945d35db03568db5ffa2ee27d

SHA256
57819395af403b8697d446c0ef64388fd0f4b33af5647bf8a79d0616cd903393

SHA512
0f5f4ffdc046a81da203998f22ce0f156036b3c14646faa1b1c30d6bd0cf5138b70b3d5ac60b2b6eed36d2beadc108b78119f757bea84705ac71a8f1b3d4dd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000048

Filesize
16KB

MD5
36e579528fadf051d765bd2bd639bc60

SHA1
9e15a39a1165ec69c48771845fbc0c2bb7695670

SHA256
239f22bc967c880b1a4f7144ea070fae586b94cce025ef18140d5d91d16be81e

SHA512
f9d4b328c18b7082f471385d3274e2bc37f2c6140e03ffe69824850bcd04388393056a9068a3a396bb2fbce567103b328181820f04e2335bd6284d7f78b38e0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
e13a935efd0087a9ebfb3d2827a24903

SHA1
d424eb2dd44b43cdfe103441d3daffae60a5a7a7

SHA256
ef9442186bb196c0c0e6925ad11c5f75d7f59c445abcfb1b3db147165bf5b553

SHA512
7cbbfb0d70aacc782dc2647beb6451ff9d6b92f94f182434fd57755d6c03e70b4cc26dc6116b6663dd1cca2720b28f560f2235affc4334299bca139075679a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
88fefabc2feb77d7f768472aea06f159

SHA1
0003cffe79e18ee1393455c62a1eb5d28eb230a6

SHA256
dc75baf366c95239992ededf0689cbdcb2312bf9f49b9d1619d03b06430ba869

SHA512
88280c4d235f8a88c8e09b3e4efe27a684edf4dd9e1d926bdc73960848f36a3251b74a124f8ecdd519804c6c969a450562c8646f5215a21b258cb62512a212ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.g2a.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
b5a63e121dd2bdb32c231d54e09034a1

SHA1
7ab7c0d66ad7da8c24ccadd8d47bf2000ae350a4

SHA256
7ddceb0cc69e986e99ac2b6c68956255378234807a6365f5137c83ef60b61c37

SHA512
2f01165bbec6e3a42b70914aa7f4b5ba2e626757d4389acf4c45ae6c3060b0ba14911f0c3a54adb316e1ee1322355d82916540a883c8d72854e5f4d2fcb9cf8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
35a71235ac729bba2c8e3709a683bd11

SHA1
9efd94a67bbe9d159d9eb796ddeaf4967484332a

SHA256
2dbfe37a14657cf5e1c4a02619eb65120384bd783db3e73853d90aeff0733dfb

SHA512
947ba1873719aac7a6f2cb981b627dd43088a0bd48befcbdf92d0fd8828ac4445a70d1668b02c05eb67961fbfbdcd76f0063c949bc1f5da2c0d0effe629001d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
10a5e473704ef5f3c2b3fd41b9c94b20

SHA1
af45546c74463e93350b22b47e3aea153fa29397

SHA256
63d2c222d14e595ded762c7afb1e98e5c04afd5269343665a4a283570905c59b

SHA512
b9b9d03529cca1ee79b08891084417ca38b53bcef0e517d1e83ef8b516e76590229ac4fdcebaf724abca95fd6c52e47cf5463fd177a00057803e022182f3e204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4760d6e16029c11e7d9894d9d1217ba8

SHA1
372ae1d5c9863b118b1ebadbb073d5e8f1da3b23

SHA256
a3d6916f218abe96ecf07fda38625d1666e76d19964db6c6862e1476a1df9a44

SHA512
4447f9135f4093adff0b5c2e1677ac0f4827acae1b2c97f6ca32d0b25d80b3190a35005eadc90db7fa885e1d73b22c085e114cbf8b1575c8e748bd0aecc6ebd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dc9e127ab5b7d988e46c620ec080fa09

SHA1
c7b551687ba5509bea29db20534c3e5b5bd61028

SHA256
cbc2ee8d936f2c45d1009494c004297096c94536e0390ff8a7f1ed68e9cb5b7e

SHA512
5532265c5ceb8bc272d0eca529d16fea7f23e22fef000ad7cf01571535abb68f65c9913e6788bcba210c42754cfc56795afd7e5986a44e5b399d13f634ef0f0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
be328d4d2ef995db0d58fc412c8c8520

SHA1
50ed0dc6626532c65df96637022ad03ee508506d

SHA256
4542ddd2985ac525d5710f3a445d12194e0bd803b99179a2cd77c50da06a358a

SHA512
ccee9f48ce716c35f9cbabe25de22888a66d427380f55cc1969b682139846899b46d4743a39c2eb4994b17fc2815946bc283fd8068812a8b5ab27d67d3ec7481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
84ba5121cd628eb4d7c1157f6d81228b

SHA1
4fec44ee7ae8a75647e7a7c3bba0f8b16c50f784

SHA256
8dce0db1b491ebf9f1ea33908e560e7c8695ddbbc0b62ecc200df2586e10c367

SHA512
eb47c60774c113bb80f282706adb46565b14afa30e87c1fdd85f8c4c8f56ab798b98eac440ea27bb5e46a47f85a7a692a0e9b74a560bd266d905b9ab1c6c3b9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe586b48.TMP

Filesize
48B

MD5
eede2c74ee4e6133a484edf113f87bc4

SHA1
764bf2b7c50b3c952b19fbe38b2e1f9b299d4b93

SHA256
14873ada079ef691095495e40220be116694a761a111c97f8b139980a17f4fe1

SHA512
0b3f6098f8e936d47dac74eb8fb40919ef5fe69ac9997d01f72066fc4f77e2da67298d21169ee7ce5c4b4cf0e501cf98b9edb6e9ba70147ae248f43bc85848ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
9c8dc09ca9ea525c84bd9ad2f880dd02

SHA1
024f927a8b46a02eb48f0de1deef37de145f5d95

SHA256
802e86d64d796160d2b227da931e4fd55a197b08bb731593af59e418a9baea86

SHA512
29f67513668f2d97174a77ad36d384c58b0fc9f5de20d3d4f8c179569072083e384ebd5055a77abbed8c3d997bd27907f6779f49210d28d3f99d2a0bebdec2f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f8a99f454c5030a20e680723ad910678

SHA1
b89ff265349ea37b9bf64d3e9646a470ec84395d

SHA256
c8edaceec79bbf8652ea0a0acf4739549130fa4d1e4d60d201b30c66daf9b723

SHA512
6b80995e51e1d12f734ac3fad99d7bd7365e57242341b769979fcb66f746578e36e033f5dee4cb9281a9fd617812019db9b9278a3200b022e6a06b7c93831853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ecf836b35d972dbb3ab68101c977c079

SHA1
b975b7f018677a8bdcef9c969c2a08ddbaf70b14

SHA256
4138177692ed14df7aa4a40c64cf23e20485f9fa968a439e3ac5edfb90e00597

SHA512
249edcfdf1516ef91db2adae33339cd979c6fbd170eb5bc1038d1a460c53a9a2f16b1b3e84ccdfd647bc5539450d6a9aa2f6c48566b575393f155344168f5063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
42a1bff8d440475fc8cf282eb183bfc4

SHA1
dbb0a2c098c4fa54e24f4400b745fb51ab80e461

SHA256
54c15a3cc9616db4d2b1dfd4da66db26f767f5f261c95ce937bd461392f2d264

SHA512
a73333ddede4b6443908729f91394fd48c9f24b0f9294fb242f36ec5c2f9d9693eba7721aadd0ef1f47a956f70632c0eaa77c1c4e366faa0c342650364277703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
94f7a933bd751f02f6a3edc8edd46ac1

SHA1
c1d0b6618f159da007c0aa566f6c16b7b603f9b2

SHA256
6a310708e7a537ca74ba50fe33071ca5ad2f78af57eca316413b1f1d73154a9f

SHA512
0260540000d04d38f566c7c9666e7f1fe2d690299f557901d56a751e336121488ea40410217472edda89819d82c0033f6cbf442a4225e569aac03315bb3709e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
75e92fe7a24f097b3d13c558af50080a

SHA1
f728dad4e6ab2a4424d7b9b45dab72a0d01c38a2

SHA256
fd491509270f7d0672c0dd90f38adcd3b85ddd62728d6e87048105150b03d2ba

SHA512
05d8b9b68981b9563dab10cf357daa3b60dff717efb23204fc9b141057a20009dee180e5b10bddf7677a2adb7ef46a4f927cdbb50d6fbcb18b97beedd996e80a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
517e1ba686974b71e8ad1be96bbabecc

SHA1
1dcc9e990c317519b79d2236f9b524c9219db0e0

SHA256
90f1aa2f0df1fe01477b0904a022c820cc634f82528c093bfe38a1f3f385bb44

SHA512
cb79edd7a18cd146665e6e3f9db2a0a12e03b8b9c238dc34e5f435c4d1aaf2e050eb70fc30e6ac5b202125bbde73c2381c96e589653c5a9817e4e17da571daaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
9a4d1e3508d375c4e230a5dbc0260ce9

SHA1
e43d74b5031e568d86f308cec20683c83a598b01

SHA256
898c263855880d94f17f47cbc520a9b26b4fc95b39faa69eff23cc523e345283

SHA512
610f3cda724067921be1a0414fb0f3bec85fafe27f1de58282c6eb6d2e69b25391591de46ecc85106877f9ae75b050e6d7d9284c9ded570261d4cb2d3c28e855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581df3.TMP

Filesize
1KB

MD5
17fd86fa9b46dd530405df6c10fa8ae4

SHA1
5578f87c7d216a7fd8eac3dc29933a819c7bdad1

SHA256
538973fe4bd185a5998d0f98de434190a28798333c86163747c003265b682733

SHA512
4eebd568b3883dfc75ceb9414ecff55dc4229093f465f411e41a74b8ab80774e70f1cd97f5493721f880d068c485998ef0dc45c69cf0009702586c2cb4e4e1b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f8f4ef5faed76f1125415c037c83e5a0

SHA1
6e111e8535a23ea105c36ede7c2ac83baa6186df

SHA256
b5dd39a4f6805139cceee3ede358c1d2e8c70ce62e05b17cad86f33345bb79e9

SHA512
de7a00e990d5b94b93333f0bee18d53448ca810c1d207e1901c6ce4d7c562dfa058995989c0afb14fd50ff77f092537686891cc095183ceb72ecb38caf514d8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit