hxxps://drive[.]google[.]com/file/d/1TIPr9w62Ogql8RqPKykC3RMhbGkVG3f4/view?usp=sharing

Analysis

max time kernel
149s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10-08-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1TIPr9w62Ogql8RqPKykC3RMhbGkVG3f4/view?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
4	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3761892313-3378554128-2287991803-1000\{CEDA9555-A836-49C0-B92D-450FE9465060}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2148	msedge.exe
2148	msedge.exe
4916	msedge.exe
4916	msedge.exe
3416	msedge.exe
3416	msedge.exe
2336	identity_helper.exe
2336	identity_helper.exe
1200	msedge.exe
1200	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 1132	4916	msedge.exe	79
PID 4916 wrote to memory of 1132	4916	msedge.exe	79
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 3100	4916	msedge.exe	80
PID 4916 wrote to memory of 2148	4916	msedge.exe	81
PID 4916 wrote to memory of 2148	4916	msedge.exe	81
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82
PID 4916 wrote to memory of 3700	4916	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1TIPr9w62Ogql8RqPKykC3RMhbGkVG3f4/view?usp=sharing
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab8fa3cb8,0x7ffab8fa3cc8,0x7ffab8fa3cd8
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7036 /prefetch:8
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7928 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8140 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,13822335775460735912,2696538223604825020,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=8080 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3889d3f0d2246f800c495aec7c3f7c

SHA1
dd38e6bf74617bfcf9d6cceff2f746a094114220

SHA256
0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

SHA512
2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c4a10f6df4922438ca68ada540730100

SHA1
4c7bfbe3e2358a28bf5b024c4be485fa6773629e

SHA256
f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

SHA512
b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

Filesize
63KB

MD5
67e59a06ec50dcd4aebe11bb4a7e99a5

SHA1
5d073dbe75e1a8b4ff9c3120df0084f373768dae

SHA256
14be8f816315d26d4bc7f78088d502eff79dee045f9e6b239493a707758107fe

SHA512
6364515e92ed455f837dcc021cc5d7bbab8eac2a61140de17ff6a67dfdbbd8fbdded5ce739d001a0ba555b6693dafdb6af83424d6643ff6efddc46d391b21d95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

Filesize
60KB

MD5
845e1a3d0f8b316c2336250dc14628d0

SHA1
71fee07b3e73d3ef8f7f13012f6afa33497b7c85

SHA256
3652f51272e5dbe7fd76034923c754699ca0ad9b51f15045ebebe1e07eab8e4f

SHA512
612f8bb733828a8a6be340583976aea7d24654070039f772f227d3996c096739c1a41d5460df7c3a20d8bab12839e921fb756eac7063491f9c39b620da7969b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000043

Filesize
22KB

MD5
0fd99a427f2f6f0fb3f130ca700d49e4

SHA1
4cf3dbf1e7aca254076a284621b0baf9ab2de50a

SHA256
2823b103ffbb3a8e0bbe2e0817ecb059dbab09e3adeb08c04fd7ca6f2cc9e8ba

SHA512
db9d08fdbff0d781e325c2a62cede95a657d0f81dd351f2793e8620a625a87c8a1e23fb20619970502ddf38fe6b821ed7d7a6f87cd31ed1d52193879fb38f800

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000045

Filesize
20KB

MD5
631c4ff7d6e4024e5bdf8eb9fc2a2bcb

SHA1
c59d67b2bb027b438d05bd7c3ad9214393ef51c6

SHA256
27ccc7fad443790d6f9dc6fbb217fc2bc6e12f6a88e010e76d58cc33e1e99c82

SHA512
12517b3522fcc96cfafc031903de605609f91232a965d92473be5c1e7fc9ad4b1a46fa38c554e0613f0b1cfb02fd0a14122eaf77a0bbf3a06bd5868d31d0160e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004e

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
62ebae5fd39b37e60df6562b52dfe57c

SHA1
c8dfc6a1908d33449095433f24a40057af69a994

SHA256
4a42e4d5751c081ce5d0b533c41f049286314de11a17bacc289be3c42ca69b56

SHA512
7b20fe3fbd885092736c07c98e819ba0268bfc62981a3080e6058b8849c7ea682a9462da3dbc8402a6ceed213fe2cc873202f822169c722f0bb06f6dec7b9e50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d5ac627abf082f2254ed974e5d6c9808

SHA1
446856718e1406194282e999c3d4c5538d5e4967

SHA256
ec59cb78f6fe86d0285887c740ca0d018b057916b17317e5d09339af7f2c0d7a

SHA512
5df2f096d82ab949627a5ff883b4130919d502bf10e99b7e95c2d280d0ceaf641da4d47d1ea43b1ef23e010e0ee856e5584539471c92bd523b26ca6f0e1e5d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
263af238da0b65c44756efc707357342

SHA1
b28ac54eb9f5958fa17798598c8b9551f23a35e6

SHA256
85bb25007de3f53ac2ea142df230731e6d0bfcaeb56e85762b2e9ed6635f822c

SHA512
fe087bddb3dfa913921ba02850feeba8281180ee14ddbf671b367fe4f2b5a19075e781b01a8818c4067b04ab67cd8c1bba387e963f24419d273997e65ef2159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
adfd38927523e832fbcab158862ef2f2

SHA1
ce51a4cd62bd8429fca7311d93d1a4d285dee110

SHA256
542352e16f10de364150ee4d85dad0a20e65c3c0b23edc8d673239c9e7b0a705

SHA512
2a702d68a17614f2322765bf56384c8c97efffb71e69a214560001d52849d64c8a613ecc4000f9bb1e5f7fce8a50f7bdea991f0270f6d25e05f5f260485f75b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
e953bc11aa5d0f12797661032b9a428d

SHA1
b3b4b87ba68650f00e18356e02229be775943721

SHA256
0768b606dbcb7a4bbf1b401a54f58b13742d8f784ade1ebcad55c9ef67dba24b

SHA512
b7cb6658a9a38bad8765a1f44703048124ad15acb9ce84e100ed952cb460a06e813e3397c9f62013db17e6986850c3d8111c4291fec8b15a6657d27e02b72a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
94a8dd8dad03856e7a6e91d46014270a

SHA1
c96c75610fd9fff369beca5454068f0f58684198

SHA256
afcff8c254e062691e4ed543f44ef6eab717d0ffbe8bd4e43552e60e51f1b644

SHA512
f9f2b5335a81fb83508049a911c905fd518281d63575dc1f6003622349d4a017165ed19f1bacd96ea2c681df45513a9be4388bfbc93a86f879e806cb2dac7a9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
83abb80322dec1e119748971a0f69ae0

SHA1
e7d36786346c0dd94c3d823af2457748d1cb8931

SHA256
ce12c14a7f3813c953455c8b38d029a8146af0951ae15204f54b31704ce09066

SHA512
bdec37d1bc8481110a0909753a06a19e605e995ec493e8025537847d345d626f867b584c8df103e283a22aa3f47de10e9c0d69dd0041ca783cd2b4cf13f1361d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fe453a667fd6e9c64dfa6db7a72acfd4

SHA1
11dff2b4aca49c8b655e171f2f7249cd751fd2f5

SHA256
a4ef870eef3b9c5c933a8ca49ec9efc7d3d4db5d6a59f7cd9bf0e8308b897029

SHA512
4123cbd4b9c739a5f271530837e030707909b06c90ae28c9e5d36b0d51597c78ed94e5817253309de530377d2f81308c01dd201f51811b102f32bc9c9bf44f2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
87555954c69fc3efde1dfd5f12ec8920

SHA1
d293dc818f7c573deb8785871ba90ef10a61cce2

SHA256
6d708ce905aea874ca8040575d8ccae86ba436b751f5e30f8a48aa4cd38789a8

SHA512
269d7070bd0fbb6142425f230e759a0e8c948544977b850e5973de4fab60a3e000a8b9710fd82942c37d757a3f81dba615103b30bbd9bdea374adce75e7ce830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
28402ec0f94eccd8ecb98f81b4c03aa9

SHA1
e3ba421d0d81033ee7c3b637c1988a776477bbd4

SHA256
2787a48b7afd8582804c19207b67de96809d221a90a5b221eb6a3f5ae4519b1e

SHA512
fed70389894dc63ddb2578695100403ea7834479108df33d35bd62b331efc0f783338b630b5cec55f78d563145ee6ae41a676c520aa5672077334ab34b1ed1a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f05d9e8c99408a00f5ac4fd054c3fc4d

SHA1
9a3478e43fc63d130d9649e62e128985cc79d531

SHA256
3915c41360bca83e2b60825fea81ac48082805073a1cc5dfe6a1025014e0ea83

SHA512
ca0df922141ea7df8f41e972e2d444a86b19a5dd708ed286c8c83fe3829b38ab7454f290f15a083770eb271b870276495e8b859716e37d3be401735e39d9690c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b857116db9dedda7c5e2b763bdc63289

SHA1
0edf56e0e484c6ac0e156130f7415f6cd0d6af19

SHA256
d4bcfb265bff0c3d17f297ee99ebed196eec6cf29cf99ac7dc8641fe6cc73539

SHA512
f9e0eaa5e04242d209d15d9708c895d2f2901f12c89c73c2787495fc18311de636aeef36c00f97c2a72a98a743b46ac0dc8b661182328360f25ca4ae8d68c6f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
beed00b8639283f0c583bcc1737a36b1

SHA1
d4157620f11c8a88e9e2bc4ab6b64023240f2a91

SHA256
d7c21699348c7ecdc1c7fa3216117fa765651cdc1bf8063d60ae48108d637bd3

SHA512
d30c289b120884361091fc151cdf46aa87a062f18505c3ab55c3a4d12f683b859efc927019f74a4fb4822fe3474634eb195c208efc8bff542c7b7b5605f325d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
84fa63495bad66acd74c7b025e94d87e

SHA1
f528feb0af7c3500c7db67e48183efdfeefc9eaa

SHA256
714ef9911925468ee7e91ac3b91bd98b3b02219310231b891f64e1c82945fbe6

SHA512
ab6d032a11516b6af64669d8de9e3045f10a58b7e029b0706a340c92511668b04328be3beea219abc0b795dea9d71daaef6dd21cf5f61e95f27a465db0f37a6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5860f7.TMP

Filesize
1KB

MD5
b4cae1154a30776df3d5c4a362881cfe

SHA1
d012c847af73b603e82dc65713bfb1b9fdd1eee0

SHA256
0d3b348f2affc501a8e7bd3bad781adc0360085a17712ef0dd8e87a65414c490

SHA512
9ffa502946a253202e821ee73d4d0898ab29452ef80cf707de2b96a4cc2114acaec2c37a57e6100d89ef157efda4d7b4cdcf66764950638d81096669f68aa4b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
88bab81e798b89442b54df566eed685a

SHA1
56931fed1c8322c29402e5847e9cff9ded9c043d

SHA256
c07422bb304daacdb1d6bed3de88384a0d3fb1fda0c8311932a583aca24eeb6a

SHA512
3d1ac77997540edf960519a564bcefb4835b5759c64c304ec588412cec0d157244d2c2dcfadc06ded23b60d0171048ff851b6f04aec3545b36041d21a2698c0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit