hxxps://drive[.]google[.]com/uc?id=1N8iuAcYfn6cFE9f-GWS8yh-odNEkmId-&export=download

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=1N8iuAcYfn6cFE9f-GWS8yh-odNEkmId-&export=download

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
7	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2212	msedge.exe
2212	msedge.exe
4888	msedge.exe
4888	msedge.exe
4492	identity_helper.exe
4492	identity_helper.exe
3984	msedge.exe
3984	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2856	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4060	firefox.exe
Token: SeDebugPrivilege	4060	firefox.exe
Token: SeDebugPrivilege	4060	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4888	msedge.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	Process
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
2856	OpenWith.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 5028	4888	msedge.exe	85
PID 4888 wrote to memory of 5028	4888	msedge.exe	85
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 4000	4888	msedge.exe	86
PID 4888 wrote to memory of 2212	4888	msedge.exe	87
PID 4888 wrote to memory of 2212	4888	msedge.exe	87
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88
PID 4888 wrote to memory of 4856	4888	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/uc?id=1N8iuAcYfn6cFE9f-GWS8yh-odNEkmId-&export=download
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1c1646f8,0x7ffe1c164708,0x7ffe1c164718
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,2561313257647280628,18300645290964612371,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,2561313257647280628,18300645290964612371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,2561313257647280628,18300645290964612371,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2561313257647280628,18300645290964612371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2561313257647280628,18300645290964612371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2561313257647280628,18300645290964612371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,2561313257647280628,18300645290964612371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,2561313257647280628,18300645290964612371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2561313257647280628,18300645290964612371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2561313257647280628,18300645290964612371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2561313257647280628,18300645290964612371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2561313257647280628,18300645290964612371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,2561313257647280628,18300645290964612371,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2561313257647280628,18300645290964612371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,2561313257647280628,18300645290964612371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2456

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2856
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\WannaCry.7z"
  2⤵
  PID:4584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\WannaCry.7z
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4060
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb6460d1-4af8-45a0-9d47-340fc244f9e5} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" gpu
      4⤵
      PID:5244
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2448 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {915c1cb9-2a65-4794-95a5-982e488c9fa7} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" socket
      4⤵
      Checks processor information in registry
      PID:5320
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2980 -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 3076 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a399b741-31d2-4118-9fd8-5199a0a49506} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" tab
      4⤵
      PID:5532
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3644 -childID 2 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8d2697f-03d0-4850-9dbd-610e4c342070} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" tab
      4⤵
      PID:5676
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4472 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4564 -prefMapHandle 4560 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a81f8f2-2ec9-494f-be23-958b612f0252} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" utility
      4⤵
      Checks processor information in registry
      PID:6300
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 3 -isForBrowser -prefsHandle 5488 -prefMapHandle 5484 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ec7a5e8-155f-4434-a3be-dbdbd9857bf2} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" tab
      4⤵
      PID:6748
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 4 -isForBrowser -prefsHandle 5600 -prefMapHandle 5500 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76bbc732-d527-49e9-a583-3b65519d17e5} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" tab
      4⤵
      PID:6760
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 5 -isForBrowser -prefsHandle 5836 -prefMapHandle 5840 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {991a8e91-77cc-4fbb-aaa3-42c3b68cadc6} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" tab
      4⤵
      PID:6772

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\WannaCry(1).7z"
1⤵
PID:6260
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\WannaCry(1).7z
  2⤵
  - Checks processor information in registry
  PID:5948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\WannaCry(1).7z"
1⤵
PID:5952
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\WannaCry(1).7z
  2⤵
  - Checks processor information in registry
  PID:5932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
795B

MD5
e299243042440f4d3711a6100cbcc280

SHA1
88e37678be7154f9196080bd3615c24ffea2ffaf

SHA256
a8155a394edf9a0b79d2626e0df0f3101710be4e5c64c171c68679bd40c4d4cb

SHA512
1b444918c295becca207dabd9b1eaac47ef115c7489c37a47e9c684ca40efe1851a5e0163a8187b521d01d108218a5436b2d34bbdc6390c01e7c5d35c2048c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b6a8f27daa25294b6148421b2aef1daa

SHA1
78777a1205fa828d88ef10304fdc47fbe582221d

SHA256
fdcc0074b18bdff2b77971abaf6b1d1e02b448dd3822d2ae6f1cbd96897ea058

SHA512
f334a6ba20db6c3461f5986de6ce018264a5dad090bc543ed5e1eb686a717125284fc45637ef5041a8b6decb5f5fa9eeb169323bf64d4fda3a35af9473abb1d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36eb6522f0033428121ee7a6dcd153b5

SHA1
383bc778135eba4a7e2e582bf67031c61c568063

SHA256
e6ce3348d1b760847699fb94ec6fb9acd3e1df2f5768a64838f6896aa143e061

SHA512
1886f98f0497ba7b6f5f2ae75826559b6dd774def8918d980402c349c5253a8d5460fbb051738cd58d706c16e21b44e9670713a30b84fa1b217d912a47d9f4ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
149d7e48b58fcda50683e81d5e4ed920

SHA1
ef77d513c46b21dd3f5ccd5f76ff21cf4b68a3a5

SHA256
93c7ea8c9b5effaf137baa184a11d1e545da5bcbc855918f4e5f0040b8134cdb

SHA512
30fcf1181bcecfe8ea1b06dc09cbf899461ad6e331e141da5f745d63b5f147b42c5fd297f9ba0ab6c829a423d456e4c8b00c781279cd8dc97d2f0a1aec4f84a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0b95259e33e1dac5a00efca4a10b62c6

SHA1
fe9ca13d0b17f4db4c13a20fd3cd3edcf01829cc

SHA256
b2290c14fb564c74eec8a895760f5d6cb5d454ca3c53fb470a78001f9a7d15f2

SHA512
e5ebd98759afb86172299bf01ebde5b49399af403200edd3133de4880d5f26b92f47b948cccac5e490963e7937c77483b8b893205782573201018c5d684b3483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7be1ab4795dd8bc19f4da5ed264ab144

SHA1
b715ad354457b646bdd9e79fd8f308fffd2a6156

SHA256
9fb7ffa81c54276ed34589979b2f8c18d72f3f8ad1bcb1aa03ae7ae435c8cb05

SHA512
e22fb106230e3c29bde28aa09701af9f33ea0f2f67d6b0d4e482172ef4170ab527efd5f9cfc3906125e478d3c542b9e617a28f318a38ccf21b9682f1e6b7ca59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0fa2a1057b5a9d6be2f28615e1c7b4df

SHA1
27d6c5b02534383e714fd6202e9579342abf3661

SHA256
75369d02dd5363642d68a583621ea6f8406ca4e222d4863e867071235729b5e3

SHA512
5fda53dd897d3a91b63798ab995a7134d40aeccf5e524f1ebea8b4947e11a82424336797f1b83df6fc6e2c2e0f06e5aab18a43ad7707ff9765cd8ff4ac379caa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
487f6221d6fdc49c86e6b49e0a8f238a

SHA1
0ea2a9bc9b36e53a8f19b1fc003216378d937a2c

SHA256
361e694d8488a7606dd6c625c31fa4f71951997723526cdc8df93cbbe01aa033

SHA512
b51c66cefcab3c06cfa63829b2f7d8d9c1271a98929a82f4b523981cc1e51a8888936b747c115837b81e5b475f0576686b052b260161f55f6e0239481af172c7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\activity-stream.discovery_stream.json

Filesize
42KB

MD5
46b713199700bcd01a9436451dc8eaa9

SHA1
c8b4f3fac19d9caa2ac91e1bcbbe1240bbcaf6fb

SHA256
09d81b5354e57c9144fcc1dc46dc41948c6c03fc5b4a8ad1e8f6d053614a8032

SHA512
7c006ef831601cbbfb6fc276bf02998bddc16bd06d679c45c249a9bad1cd50a983ac930faf77cc3a0e69f64d4fb1b6c3fb7370ea644be3b1a1afb2c536472134

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
12f5d0c81ee1b0d983502cc992a707dc

SHA1
3270d77e4defc224222ada852f55e6c3000c5398

SHA256
7b53e2ae769f205cb7f36d4d56501378301b993ff75d9e0cc51ebc0e3bf25898

SHA512
2d82f02929385c7f9083593a92196e99a6bc1b25b61e8dae61847b3410a57230580a39dadfd6fb2731d44ef5c7101f7923f1e96a0202dab5538e385b10becc63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
0e8668b9b8d854b9a3f635b5b5d3b4d2

SHA1
e65028baf26654971561e7ba31b9b52eb0c071ed

SHA256
c8766d7bfce7b0fa6fa61c7d1b41b19d001001c162062a1b34a3af75673ad5ac

SHA512
f6c5618a794e6e16374f37aca08d3132614fd2fadcf7284ca0311d8f841bf43324b9a9ea3a5fb71e58891f5f1693e65bc1b51972d60577b3cd28b1c11d5d81e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\0e594a74-33e6-4ba0-a35e-0e06b67b20be

Filesize
982B

MD5
b20bd39eec8eeb150b53a6d9409c4000

SHA1
190728359490bfb35c9a1d1883668d5fadb25241

SHA256
5ced30778714fee1c6e08566dd4ab62727c1082128e5941c14ebc58e6193214d

SHA512
b7d8a1aa9bc703a299c1cdd47e71762bb75216b6b4c82a6c22a5f6e9370bb0b2629d229a184ed594fe8641f7c2c8d1a7fbffe6fffec3cd84412b18dc852fb9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\c295d6a0-cb81-4a87-8d34-812367d4d4d4

Filesize
671B

MD5
04915a39bac0655ed8d23a963363bec5

SHA1
764dafe9d30742d99fe56ebc0a06b65644f195ab

SHA256
ff8ad2a19b0781407dc0955f71cd3cf9fb57c7047950749cd0de0a574415a9ae

SHA512
579f56a413676e0c7d90d35b57624dde112b8da37d8fe2990da961ec15883792a3c74fb84bddbf598af88eaf8c4a9446bd7cc190e6a593787a79f8fdc5d17a86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\ea7e808a-efdd-4ce8-84a1-f27aacc6d6a7

Filesize
25KB

MD5
76a3d68b35063f8c1ff4d0e41335199e

SHA1
96e1416cc629091d953d8bb51026ff9152aefd4e

SHA256
01808088781e7e1875da01431d983fdced7847a4536597fdc381103a493a335b

SHA512
a4c6520aa3a3d7259725e275722aad1a92985b93645d28b747bb468cef2dbcd376514505db7f397a198c799ecc8b6561e07aeb51bf18fe92048f3a3cc69fcb13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

Filesize
11KB

MD5
c7219ebb78267bed6dcb731a5c575898

SHA1
6514d54a6eaf04e0eeaa3940adc91368a21fe8a3

SHA256
ab230280df9bcef0f90691e2959709fe576eeb3d1afba59c425fa5ba423f0538

SHA512
9688256929b63b3ccdd0189e8fa4793a3059aa188312744161bc91ae2098c97938969fd0b426937217f3cb7a42f1b71658adff990d6ab05f566d6b4cc78afbf1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs.js

Filesize
11KB

MD5
e9d0cee7955184fba79625ed939532a0

SHA1
d66568f3cd00445a935b93ba686643187679a773

SHA256
45296dab42d4acde11706ea08e460838bdf45b4f7d4017fb54e163257a7cb506

SHA512
af4ffd1489d3729c825bd34050aba7ab7b9829849cfafb7186a87660cb5346bc439dce320051cb58b5693afcc71603b62eb3f07f60d69b6ff97e84ef664bada5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 267150.crdownload

Filesize
3.3MB

MD5
3d578d30f8947a0e4ca0b6e340c6f9d7

SHA1
d581d6caec9ebe4aef2e0d365c8163116d18383d

SHA256
6d8e3047582dfcece9e3284538ff46a16e1809de18b1a7543e2082ad0a009237

SHA512
ccca55db5214f271d94a6d24596f74ae08e0d5ab053b9fedce6670d817ca0cf9065a5db76216362045e0133e6644139e73c72129c165c337898594c5d385da37

Download Submit