hxxps://drive[.]google[.]com/file/d/1rdvNFU8IqdeGQNgYqrrK9XtDtfCQlmz6/view

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1rdvNFU8IqdeGQNgYqrrK9XtDtfCQlmz6/view

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
4	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{01187AFA-6F06-40E0-8D86-C98C1A1B1D2D}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5404	msedge.exe
5404	msedge.exe
6136	msedge.exe
6136	msedge.exe
3676	identity_helper.exe
3676	identity_helper.exe
5316	msedge.exe
5316	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1692	msedge.exe
1692	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5960	OpenWith.exe
5960	OpenWith.exe
5960	OpenWith.exe
5960	OpenWith.exe
5960	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6136 wrote to memory of 6120	6136	msedge.exe	86
PID 6136 wrote to memory of 6120	6136	msedge.exe	86
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 4572	6136	msedge.exe	87
PID 6136 wrote to memory of 5404	6136	msedge.exe	88
PID 6136 wrote to memory of 5404	6136	msedge.exe	88
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89
PID 6136 wrote to memory of 5536	6136	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1rdvNFU8IqdeGQNgYqrrK9XtDtfCQlmz6/view
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a8d346f8,0x7ff8a8d34708,0x7ff8a8d34718
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,6844270649929769028,417721215095137234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2456

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
7f12e0c742c0e551f0152b8efecd71b6

SHA1
ea3a92edbe3ff144274cd8e2e9c4a556f69fe30b

SHA256
0b2bb50fa2427200a3c28903ad0b7cf7554b5fa624869d33c376f7fcac340f6f

SHA512
4e84f9ce8c12d8132662835851d476cdf7924a42448ba7ec1b11399899fc8962b3cdb99feaa03113883a7f1670a4890e2e0cc39645a08b67f0cd895685af0c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ca798e11729a95238b68d75d873e0157

SHA1
a1c7ac72d2a27f50ac99b94a7d1b98c0fbd535bf

SHA256
06931fc2577dc61b2223bd792577aaa4f8ac6eccb62e2e02afae7792c1393b25

SHA512
730d28c9af6f8cc05b157f6231e2ad40da634990be1559a4b550d365ec512bc7d94cb7aaff34cde2ea2e2d0fd2d0e7ac108d3f931fcfe54af88a291ba41b2a3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
d455f4b814842313d0befdaf561c26a8

SHA1
c51b4210dc755c1dd7af280e2632f3953e252790

SHA256
0256c2ed6debf496c6c535c9bcc7a7b01498cd69412564b4d824f0d6988d27bb

SHA512
e221fdf417fdcc0b1bdcf54f3f6184f13508b5b98294d7661aaae1bb02e5bd5f823945d928b41f5be6107533ba323a6f8ea5a45b1f9af3a2180af82858f53942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
202e3abd6482d02b010011998a38dc1f

SHA1
72cd96fad453065d3edf0de0a5dc53b9e187c06d

SHA256
0ff1b7e77d3946ed16eb6069fd485da7438240c22e802254b3d69f71be9654d9

SHA512
4763754c358f1d0586890a2b86f9b555c6b6667ae693aad15f30da7355846c3697a55c1488ad981d549213343080bbf2863088228a7bd1fac1e77388ba26b298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
31025116ac408745a03e0da6ab5eee4b

SHA1
7641c03d229cc25fa87270d9a138c61ed7f08d19

SHA256
7451b573da783f3ed08d256f1c958955d3f639f3c07e3efd70560b7a0e74bce5

SHA512
a0f6cacfbde6bae4a3cfcd327bf4f525218470d8626446278d0e975da54018598d4cb81ea8b3ef7754c39c7c51c5336fc7272f6686380f322ad18946470cfe6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
df841af1f219872a83e222bca05dc32c

SHA1
cbf9bec94e242191c00eec0d36910fb53c56d73d

SHA256
8fc3b43e5ceb38698283f2e592efe80de3b19f1c747a3d5ee754cd4bcb9d7dd2

SHA512
b436edce5d90dd1db3a55c47c5193d83b6489a75b2ac97f460248fdd92fea5d8c8e99f816e8d1ab27eb84e3cdd709b257b4135202d7787d1e67ab237d1aef840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b0958248ded9bd4d86dbb7badedc6b2

SHA1
a8e04ece5f70e6f02ffc7f6687f79f274b88aed5

SHA256
60add4f2e264a994817332f1163af166fe6a1439782b865543f5d8e7ecf45600

SHA512
89499ecd3c9f598dbb5fe1cd18b95e44770dd20aa4680c0cccab502b4a3fad9cb046f139ba75fcf7540f51d1f7a39edf3183ed814229c27a22b1d412c4eb9069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d4c4011e9e253527a3e248a49cc9ef34

SHA1
30917e450ecce5cb796b7d422bbae591fa33c75b

SHA256
0ebdde69173d3101fb7ce8ec3045edecb7db30c9618af18d0d690e4169ca78eb

SHA512
5fdcfba0d4bab250dcaf7fad8e6106bc7d0a7333b4936afb050bb3e276238a9d4a3eb635b61ab5611d3681d381314b096e2dd706d96f53fd4db6ac2addf8857e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a2a5877b90527a06659b5e666bf9d0ac

SHA1
99b54c7339c110b14c85f8f9185505a0f587cde2

SHA256
d3f5dddc17794508168a5c3f29f1099cbb47794f13b606722d0e90b838910c21

SHA512
ee948d767889ff17f0a3a0b85a7db63b83b7ff3b808ddc5cfacd167fb6240fedbe85b7867a3e0d3ce5478161544087bb5df5354f2b4a118728cd9da531c7b466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
04e6981b74de9a8f08f2dd186deadbcd

SHA1
3936c8e40a61e9d88272a54cf0c4a06111a4eeb8

SHA256
985190f10f0224912755af3960382d5714e418094ef85c9d0dd96b89045ad659

SHA512
f6af3224967fda3228e860b29662247793419a2ad492b0a74603b8d6c8ecbd79ccb438509eba8f3407a700c0f236d3588d63d3e46accec8ee66271ae648c7d67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RF5170a.TMP

Filesize
1KB

MD5
4b5050b1f62b731d4d4d8e937cd68fb6

SHA1
2b9466a4e5c95bcdc1255b8e5b82186d7c59c252

SHA256
aa1d9b0c8e68cb969dab6012f96f49d932c86a710f96bc38d3a90ddfa9d4972e

SHA512
c852a9cef54ba36bd378c379d40a2c18476f2a65b03331a4463c948c5ec3b0c16f3572e5c1260c6597285ae115f8c7c364dec1542b5a8eaae9b2caf5813a53e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8010a263a24a7f87215ff43b2cabe5f6

SHA1
0ec8efa855ee6f1feab382462078502b931a7fcd

SHA256
fbbe5f714b7faa5d1e1ffb52a07d68f81690cbea82755a6a058bd93275a95f48

SHA512
6d64acf59ff0e6a3d833559bdbe76b6b0d09002d3bf0c58042aa6d76cc05b1e534f5b9996e2a02857a1e4e369e824ab9b3563e93767a0aff275fa3435d4781ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3c68e6598e8d49a5a12c47296a56176f

SHA1
25da4166c8915185a4a3d6d5ab8fd71686ea61ce

SHA256
ab069bb667177d044db5d930b19496f7690301ab81943ba3e8855f43682057fe

SHA512
0a0a62e61d015b6a364b53f623c8a2faa9f1ac2bef71f9fb90ba1f1a7f2f60c13c2b867493b73bbf2cf930e1157640f7dfe851e725b38a4f96f6aa662f24bf74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2e29b8ca381671b7b5f3d139bfa21bb0

SHA1
9b4a6d87ce67399e83da6190b83510b5ab01ca44

SHA256
60b967244a761167acfc0fee26e87e85ba65ab82c9a724f509265446121965ca

SHA512
f391c29d3894ad32e485f968fc5513deadd0962244e1ddde74fddbf1a9d39219fbfafb283575ac450c2d9b21db577f52e7629270698bd55b730f1831c5a8aa3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9e08cb2e9b79d46b604e110788f754da

SHA1
2301f01ad7f4329685b2c9d6fbdbc2b854d05260

SHA256
ccafef82b3ac7c8b7277b5f7eaee64b16e491b3d3be58ed0b084757970bc09f6

SHA512
c6bf1d80349673d459b66a01bd454e1bc429cb9fdcdbed1177ff055d7efe4ab6d33e48921906d2a427197daf860391984dcda313c78bdf0c3f33d13820dc97a5

Download Submit