hxxps://drive[.]google[.]com/file/d/13pqDe1Ahb1Agz1aP697pOuqAIj4ahKs3/view?pli=1

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/13pqDe1Ahb1Agz1aP697pOuqAIj4ahKs3/view?pli=1

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
80	discord.com
87	discord.com
4	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{D98E2987-D83A-43F9-A923-11141C70778D}	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4724	msedge.exe
4724	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
1372	identity_helper.exe
1372	identity_helper.exe
264	msedge.exe
264	msedge.exe
5148	msedge.exe
5148	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5920	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5920	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 3756	5116	msedge.exe	82
PID 5116 wrote to memory of 3756	5116	msedge.exe	82
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4772	5116	msedge.exe	83
PID 5116 wrote to memory of 4724	5116	msedge.exe	84
PID 5116 wrote to memory of 4724	5116	msedge.exe	84
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85
PID 5116 wrote to memory of 3284	5116	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/13pqDe1Ahb1Agz1aP697pOuqAIj4ahKs3/view?pli=1
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc0da46f8,0x7ffcc0da4708,0x7ffcc0da4718
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4176 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6612 /prefetch:8
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,6323929446914762324,7608206817854498541,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5504 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1588

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x380
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
df24a2c2acd13d6414e51260a28384df

SHA1
332b70f8c7a90549959332d0d6e9dc625596bdcd

SHA256
67c1218432f43d45a237ba1c01bf5f198db13af8d5fd7a9b3ad18cef2c448836

SHA512
c101e9b1e129e82d4ee81f130b8f3ce4c2e1c2fcf29e4cdbb81e56f38ea23246cf8d56584cc61c5571176839c995a25e09083ab3532ec16ae981f34c814916a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
988ca738fc5494519eaf9e8038e7298f

SHA1
b2c94753aecba51baa7a8d4077c39b69b9620182

SHA256
bc9448bb821e511fdb6679b622211171b36dc0bd0cc18789fea9d6cc4fe2b316

SHA512
43758e8d728c4861a4a6a8c7dcae0c2af65f572c4b01c42ba2a1a17c0aeb0c333ba105109d072c1b05509af7a0725b31e8454f715b4741c246c82bca8c3511dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
3f59e16f717fefeabe02b2414962f634

SHA1
dd7bbfb569f6dc55bb9bfdd702d596a6cc47ddbb

SHA256
e12dd3831b293aaff5d6c6fd32839c11c1f09729a62afc604e2c06302da6b8b1

SHA512
9e51dc0a8109077385b80f0138eb4f908483636d05e441df992d90f195c736df9fde336c644c97a071a7f24989d53f7adef88c4f7b9f88ce414169d29510a6bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c5e428ada2e552d71b73265a48717b9a

SHA1
a804b3b94de4bd805fbde4286f3f7925b1099e6e

SHA256
70ee9d5fea09e6e6fbae1957484aa8848c0c529b24ef32143b496a54253d4be1

SHA512
c58abe658b30938bf40db98aa6a1fbca0f6050fc2d0c94ee0fe94df8d422acdd88f4397b685f405ecb5a8df621653f1df7df376ca6662e13215b4b56264d1e0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
697e1dc145444070e2e2dc7139b4799e

SHA1
abc541e000e574887d504194201671b5c225622e

SHA256
7790d54e588597fbedfda8ac060422cce9575cbf95de4244bedda0c4c6fb3fd5

SHA512
931d24913a3b3e560595ba80b77f0ad5311c70f2e639dacc9d46a1a0045446c4e6ecbf4211b63104cfa665bb16ebac6c600929d0244991f26a1547a96f32671a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dbcbca6a59823038a69bf40eab438001

SHA1
329b7f7500da12ef4df2c150cf7b7df5b64bb27f

SHA256
fb1070760b865c9366a2f130c8c1b0bcbd2f5fa76b41354a23f91fcc7c847223

SHA512
75464e621fd1f0a8d0c085e02ef649481f824c13b375c0b714dfcbce931c3042551e66d0dcda15298bca06e3eb2806b3021daaae7264b538a4a11b00848f3387

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9fe15f38ba0b7f414c90bd18dc96181d

SHA1
1fa92b853372d1b7b88efee93bd5dc09de9c0223

SHA256
81148b657310f5ec7b5700559b58e7fb542d544024380f39f9a5351825f1db36

SHA512
63730e71022957f964f86fba1b4be4580896c4e5304feb6a3faddd9389c4480bfb9e873d373e3a9c195d8dcc0213a44f795dc44b61af55e8239ae8afebc0ff1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
678ba6a9d445f557f59def74487b3b02

SHA1
60f7be62956e5ce2e22766d410e5a5be4e9b0637

SHA256
b7c9f199db2550455c4d0effb82b053c430101e54278708e8104072f5c726229

SHA512
e8345def4f6da4cfa26359c7c8a2d4e7c5d79af2a86b243ac0776a456c4c7d7edd0b4e14b9322b480adc8f6f96d911197f984e47a545c4f347e84624d2c090b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
581ab7231818c61b3f560f653ef2e4aa

SHA1
e5b10943b85853a1220a9c34b572b59b2180e55d

SHA256
a68673b3cb8d1f8ec62551d75f95207f799aa48ebf6b078dcf1c78372efe9859

SHA512
a020515018c2f1988724909e37497d9c3598336667977bd0ed6d6007347ba31b2ac865aa5b8ef0b49c78d4d035f7c802993e8a8850bf711dc8ead50d4a6093c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f4558181d053cc9dde1379e498f0843f

SHA1
d1c0f816d3ae5b85785d0eafb46bb401666cc89e

SHA256
a651c74b3b32d74a6c0fa092c96a2ad3f16a199dafaf4db10ddf7aba72f208fc

SHA512
36c800eec76b6a2572295a0d4d48af927fdcca74833a5e87698f0afecf6bfd84bf4ea6e5569066bade800d8a7598d2b0b132b7b5d32632de6809c6459c938ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cb2452785c702c50b2bbe4c616f526a7

SHA1
43e21842aaf19834e93f8d6f76e3a30cb04dc248

SHA256
4e66b0387f5fd7de9c27f5d7022ca3127dd815fb212c0813ee6b31e5b69478b5

SHA512
aba0fc3626466f3bb5d5b4ca5c6bc1578ff3bd93b0e94b6fefdeda9ccb9883fff5222742cef7d701094bc43db2d00b6b93c47f176905f44bf9b661c71b613c7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0e3532a46eaf57fdb48704cf120134d5

SHA1
a9046d6bbc429948b8e0a0712b8ac89082566119

SHA256
34d5ccfa437ab16d275277814cc52b3b3ed0bd0116c028db40d08f9d95604757

SHA512
eba7fe68266a9f6810b8627a1fec239953a6944f4ab6caa376bb046d9ea46bf0b0ec492aa7c6077f0140de44e7763f4b7fec16b27814c89d2434f1ff2be90826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
046f4bb6be1b3fb6b0b15f894c10d706

SHA1
6a9cae05dd4f80ea4886cad34d3768ec0669be84

SHA256
2f65b91c5cac0a25edababa930aabfcd52d151a92efdea45b160463eaf949d32

SHA512
109a13164fe95cc2ea6c8b7577ddb63f36830cf8c2b4f05713c744f983069c6c5b6ea1af93ed73759378252764a0a9e54f0862be292809ee13519d9011f0d1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b3df.TMP

Filesize
1KB

MD5
0b15765b90673c98de9321c92abda617

SHA1
984eed8c6cb06d0cd6e38537e64dbf287a68e4db

SHA256
398e26bf2c3bfa9bc1fb862c5aa8fea3bbd1160bf19d162cacc767a602b4c670

SHA512
68e353424b2aeba3774bb047fddf34252424ffdbcdd879fe35c215c1cd86a91905fdc8d38ec90d43e0b1aa1363c57e345b62eeb99e2f21205c5c7f68ecaa99f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c56fe648aed89840fae07265fde29ea6

SHA1
f78576a17035c1d8587c70f9160095843127f926

SHA256
7c4eca8e9ab5164ba278f85265c22e0aaca86cdc421bff6189656e2c37fc1352

SHA512
826254a2f1c96194ffa017ce1557c541be843c208ac0d00b14ff62e0f8c9fe9ee203c31313943436268de5e93514faeb03556b8b3d4b9d34b2c1831203cf15ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
14KB

MD5
5b5b77da821a66affff06de133993eab

SHA1
c5996caa9d7764f01c3c993bda6d546dead5fe82

SHA256
e2715ed0cbd662f36535e65c68f145f633d1b201f1eef8c9c33d5ee0b23b9da6

SHA512
262e2353b129e54fa5ed0426ca853d636168bccee6ec762449ec0ac14fdf5fbde6d35b1e42484a666b4b8f4e203da9aaa67cc717434003caa14343d6ad1fa03b

Download Submit