hxxps://drive[.]google[.]com/file/d/1d-AcYI1SvRj8B-iwa3CP7iaGyuSrBE28/view?usp=sharing

Analysis

max time kernel
147s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240730-en
resource tags

arch:x64arch:x86image:win11-20240730-enlocale:en-usos:windows11-21h2-x64system
submitted
31-07-2024 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1d-AcYI1SvRj8B-iwa3CP7iaGyuSrBE28/view?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
4	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2326217578-3761199233-1872589011-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2326217578-3761199233-1872589011-1000\{9A5E0F72-AFC3-4CEC-B8DF-DD9DAC571DAF}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Downloads.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
5092	msedge.exe
5092	msedge.exe
4700	identity_helper.exe
4700	identity_helper.exe
2108	msedge.exe
2108	msedge.exe
3840	msedge.exe
3840	msedge.exe
4516	msedge.exe
4516	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 2960	5092	msedge.exe	80
PID 5092 wrote to memory of 2960	5092	msedge.exe	80
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 3932	5092	msedge.exe	81
PID 5092 wrote to memory of 4324	5092	msedge.exe	82
PID 5092 wrote to memory of 4324	5092	msedge.exe	82
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83
PID 5092 wrote to memory of 4008	5092	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1d-AcYI1SvRj8B-iwa3CP7iaGyuSrBE28/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd295f3cb8,0x7ffd295f3cc8,0x7ffd295f3cd8
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6900 /prefetch:8
  2⤵
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,12819100502267941519,9951720015071239402,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:564

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87fed7c1b9a95ae9ea9cee05e1b225d2

SHA1
9f178046148c82c04cd1cff275bcf6cea4cdbf68

SHA256
7d05154011bf0c5bc132acf7dcb43dc5f1976a96a52537f4c8ee8ac767f29cf4

SHA512
e370724c56192b0918e5f8ccd618be2d25f322e9c5a00e5fd4b28018f6983ccfc360c58df2e7e0a6eb9bbb3807bfbde6146a2347c2926c0103dcae90363eeb63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
11ea5cccf354760abd587eb0ca739bf9

SHA1
3aac11e2afa2f15e89ad3c75859c3d721971a5e6

SHA256
25a4cf1c4536f3e66ff1b4d6c1289f3b3103aac0fd1ac6eb60c794ceff4291e0

SHA512
46b4177061d2aa17251c9e4e80e686eeab7228e25d884fbe0e415ed0a06d839dfb58f04ae6e4b57e51c02458ff93af29619d224fbcdf0906297d27d3b014599c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\00bc6b7e-70b9-418e-8ac0-b04d97586220.tmp

Filesize
5KB

MD5
ece1cc81c80ab12d4494d2e5142fd972

SHA1
da57b7405dddb0d16357acb356171d6cdd2b9950

SHA256
c2fce5cf9ca889e010e6eef7bf6ba3871c8b6d35dd73b90ea22e25099d9f9f30

SHA512
e6640018013e29c5728c4665d43b5a070a58f5aa4d9c6f54eadcc9d2f00a691b17f3a591e3d469f04c2b3feccd30f9cd42f60feeecbfce6ebded79104c3f5aff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3b9f2ab094a5a7b56ea3bdaebeb7f670

SHA1
a3d71865876349821448e268cf7875f71f1ac527

SHA256
572b411e989c5eb6aec266e2a732800c281b4ef6f56eea5ed100652ec9cb6796

SHA512
9ec4f3b07eabfd323342778df7a236a15c63125ceaada30b6d48964b8974ceb55ee98dfc2b13e2c4daa3ad499c80720b87de9b8036eca1c88dfe4c6dd3630a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
d264950753d6b6ecfd3e71f858b13669

SHA1
abcc5240151c6353b364f168357927cdc8a5cda5

SHA256
55bc7d3c6f9db7626739916a76be7c912071147ca689d2f93219daed4fcdf596

SHA512
155ec7dbca5cc9e04e7f9c11045e5f48549c5e17bebec23f97aa6d17a993037c7997ca1177cc096d9a1333f5143c738cc7efb1b881ca0631d454e1c725739af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
dca1d9ecdf2e346a2b8558ac64b50dd5

SHA1
e0c6333ee3235cc21585d3aac5e9b891fa43418f

SHA256
d8891de678a9a7b37a0f59ed373daabfcf9968d060d9298642ad6fbae384b68b

SHA512
7b1a9f5c95136199737ab80fa30d714d9717c7467efb98cf14315437669c574855a96562b3e641a336200efe31fcea9e24c79b941cde66a968175b0ceaafd003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
05c273295b958f100d5f3682e4c83ec7

SHA1
91f2767deb0d1bf928fd0c3568e6af6eb78159f7

SHA256
3b39d45e40f840fdafefe4554dc7e4b093dc1688c60c5511918db41b6e24180a

SHA512
8251e18d51f520b4a02505d361487373b386acb968ea3c409d56cc7161ff9a060be45109342d89451874f024c8ed0db195e857bddff9510ce4031fd2cded93bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
686246cb5c495000c1b48c7ac4f1f88e

SHA1
d1b85ef61452c559b7bd643e6e26d3e63ea0eddc

SHA256
66807825f54b7564a2217d4a25f8bee5a1349917eec7325d83b078fcc5525675

SHA512
c032b2667a91a5f5cd86fe2d981afe271971b762a70b5a5f08fd820c0a1311c8bd2c2857f10f85edc6295459242f832bf7bfb8f2558faa67e5bf37629d9c08e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
49ccc60631430f60325b132528351f60

SHA1
a110ee4573924cbd1ac883563a7f55ffd9f01826

SHA256
295c78d4a2f29b7de5ebe3e492f6ef2675ccdde3ebdc9655310d420e0b1d7b09

SHA512
343b4e57a10a7e81e053df7d3d273a3b10d895274d8f6d833da648ce9f5e17b480c7f9e375a5c61bf35fca49c866f8e8fc8dd0b33afab5e884b016280fd490c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9e7bd46d3bfac347984807efa5d19ade

SHA1
3392f2bd02b4e19038be9f76bce74860420b4902

SHA256
41a3f67fcbcdb842772ea9aa7b1e781c4a377da375956db9fc07eabd20402ff4

SHA512
06e069a71991b7f4a5c609f4db50a7f80f7ee46145157a169e1fa56dd3d8b22c3b5720e17a337f31bb4d37002fba40e50795a3f9c0f6c7c595fbc093ea665d9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c435.TMP

Filesize
1KB

MD5
24eecc8dc2b098d8779a7c43433100dc

SHA1
33c0ff4badcd06161f7da5eafbc4f7968b08cfef

SHA256
b6794f152ebbaf710a6b0f42eaa3ee71f306a8427f246d2f04a60bc4d16b39c3

SHA512
3c2e8d252f368b0d883e681e7f70de16491dd17893f8489825da4ff46c312cba30ede2a4acb702c75c6167d26178e82453ae34f7305649bd25bb01904af3aa76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fd03070436367055aa73d47921f01f2a

SHA1
c1d2e4a73e7755313aeed48ebd78effe6f8c5b5f

SHA256
53327d43830714ea73db72341b50770e10fef06142d5a969ed2c65c6f31c3d65

SHA512
229a6bfe07c2c0a4caa3b7407448edb0e2029a6e2429285b90a4df2548de24551cc8a2b3fb76e4d8e4ec7059f088a934ab0f9f31c9ccb9c0903b84d026ffef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6080b3a1a65c26dd74a76b4e846048a4

SHA1
a109c78a7ce6e750d827716ff3672fda043324ce

SHA256
648738a384f5d37526edb40dfe5703028829d9a0e28c6ce523aaa60b369e2997

SHA512
bcad8969ff42d3eb345c9d95fe66c446a0811ff95e8f39dda1772799781733be02a67e3b85c5e9df4de6746853dd543ed5b987d8ca961e6fd85383d04747c3c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
86d23724109f4703787b9c65326cd0c0

SHA1
5dcf639d5abc0d19bb55c130103a2f00d0c10e5b

SHA256
d68f61ad06a255658355cd513d64e0afc412085cd10d2fa6423182c76a83aa5f

SHA512
a5d887aef11e84c41b57ffc41cf3c776250786c38d7ce01b2ba397d7e4fa937808cfaaa7c76dbe304e5e18b16e7716b82f59475b44856c80655ad9487227a52e

Download Submit
C:\Users\Admin\Downloads\Downloads.zip

Filesize
27.3MB

MD5
0c4a484570940bd4ccd59b89b42f2744

SHA1
c3c05c5b60a5923a087ea28e9ddb6d3091083c6c

SHA256
ecf6bd50affd1daf6fbe5334b8ab5adcf27503ea26d73a5031803a33b8ffe6be

SHA512
a45202cabec55adb024d30d8f657f87412d9499fc1837ec8985522f434e4e9c5daa1566b42db26d778c443b2c4be416855fc44aa72ccfcf6e2d97c50c08f71f6

Download Submit
C:\Users\Admin\Downloads\Downloads.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit