hxxps://drive[.]google[.]com/uc?id=1X9Uosg7pwmElYQDmori1rm3imKSUZXhN&export=zoomdes005

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2024 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=1X9Uosg7pwmElYQDmori1rm3imKSUZXhN&export=zoomdes005

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
9	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4852	msedge.exe
4852	msedge.exe
2392	msedge.exe
2392	msedge.exe
2692	msedge.exe
2692	msedge.exe
1320	identity_helper.exe
1320	identity_helper.exe
5704	msedge.exe
5704	msedge.exe
5232	msedge.exe
5232	msedge.exe
5232	msedge.exe
5232	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6140	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1248	2392	msedge.exe	84
PID 2392 wrote to memory of 1248	2392	msedge.exe	84
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 2920	2392	msedge.exe	85
PID 2392 wrote to memory of 4852	2392	msedge.exe	86
PID 2392 wrote to memory of 4852	2392	msedge.exe	86
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87
PID 2392 wrote to memory of 4956	2392	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/uc?id=1X9Uosg7pwmElYQDmori1rm3imKSUZXhN&export=zoomdes005
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffde2f46f8,0x7fffde2f4708,0x7fffde2f4718
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6364 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,746575216394203400,855670452409683935,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6648 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:948

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6140

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
70KB

MD5
4308671e9d218f479c8810d2c04ea6c6

SHA1
dd3686818bc62f93c6ab0190ed611031f97fdfcf

SHA256
5addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a

SHA512
5936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
215KB

MD5
0e3d96124ecfd1e2818dfd4d5f21352a

SHA1
098b1aa4b26d3c77d24dc2ffd335d2f3a7aeb5d7

SHA256
eef545efdb498b725fbabeedd5b80cec3c60357df9bc2943cfd7c8d5ae061dcc

SHA512
c02d65d901e26d0ed28600fa739f1aa42184e00b4e9919f1e4e9623fe9d07a2e2c35b0215d4f101afc1e32fc101a200ca4244eb1d9ca846065d387144451331c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b9f5564c6bcac6b6c48c8d45b1dd56a2

SHA1
8504a06cc293960f94565420a97a39302979e1d6

SHA256
0d75df610d06da75c74fa6e2eb4a13eac7e38e968d70b4906385142f6c6d4636

SHA512
08714b8d77ea6a8484286e3d6979d1d44e90e463f7287ec51952add02f079382a44b8dcecf4bf3f97d5e7a515d8ab1810d16ec5613cfca81d2a8eb55213d7568

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
be23c1073732b07f2d1cf9030b07cde5

SHA1
6b34eedbac435b887619e85ddc2fd8ab6d8dc5a7

SHA256
3ebb1c7e614b1072ead564e675a8ef9f1f6f25a263d71778e2219d2d19e48bbc

SHA512
4827a9cd81b1aa7bb168c6e014fbc34a43ce822aa8157ae46fc32659e167bd7b5dbac0e04e59e38fce06ad6df1f2193b2e8763b170ae5e696d6fc6561bcd5ac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
4d79701173149033b1cabc6e052bd0d9

SHA1
0f0415c8f4971bcfdaee51d675ad6f3b8eb4c8ce

SHA256
8d4c5587bb930e15ed272c5c6c775a831bd3e291ebffe35bef5ad50f5c99718a

SHA512
8e00233c64d9d564791d9d34f2018f863905eeed6ba760e124331baedfda37e0bbbed43eea773d6904bb0f123cc65328b52534e3d0503e843ee7077fa486797e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
53329865b675e7564f85cc86e5b0cc62

SHA1
12243b625708b32deeea1ffc8d2b6af555109b49

SHA256
0fdb66f946cbc5857f824d3716d7f7fc3345f2c216e7a8f227b5685307d43a8e

SHA512
27813a7b48c2e929afd2dcf9a0c66f5b254d5329388f9fa78e471ff556e08a820d33035f048b449d1abb7ba3e7542a344a26ae770dd59edb0ad0977d5cf6038c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f89362742ba89366eeb3bb28de1c79f6

SHA1
dff378e05a51d381c57562657d686acc4511799a

SHA256
d7dcad204a59e2e45da5abd8d3d86a0afa1dc405675c411b3782fc5b027ae615

SHA512
c4d97b7723836d57a55608b5b8b8034272616c93a38613254ed853888edef22e16e5515de9cec5106698a35daaee1718169511f8915c78a2df53250d936dbb0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
563c76a7cebd52d032b33ba5a1c75023

SHA1
c1ad7e41fcdbedf362d3d62c744a80aa157322f6

SHA256
a73741e65f3ec44423f5518b79e41f6d67cefad20084b01e8710dbda416c67f6

SHA512
a657b2c965ed691c458d317c028f5c59198c5ec1fd50f63d531482e3a9798ca1a9fcbfb9ad028bcde3c6695fe72c36eae7107260d1984194493bc7a7e1da7501

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
821ee5eb41062278f7bea52faee3a92f

SHA1
c4a631df92f18387bf5783525b7f3bdf4a3756cb

SHA256
2978a36ff509376448b72442a0cefd7c0c3c4e765531f2faf4ddd8c6104c91e8

SHA512
4dcec67c4c023713650a0df782595e805c5f7b73be3b382ca9c117b4609608caa79488df6cd2b1f8e7df2d0b63e2e6aa27537e8be18554895e958e80f968b185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2ad1bbaeb131ccad83a96775a3a9e170

SHA1
04fce146681fa3c20b796d4775db797358e8f878

SHA256
c26d9c5697d5262518fbbb20b3617c989206e0ed00fc248d08c175438885eaf2

SHA512
ea46a8a8d16c4786cb97a9e6248e053dcadff19821b010c1c385f2b97e0d45ff54c72c5cd5a93f44276adcf43a113ef4e214491c5ed0ec1491a52fa0e5c46d96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f53d61485b167eb7d3f7c52bd873183f

SHA1
332e07e6018c87597cbc60b08e48dceba3b999d4

SHA256
28e1b52a3fe460e5911e25ceaf0fe7fb98543d1fb5215144a150a7e8588cb68a

SHA512
735ed56eeef1824a23cee46417575dfcfa46ff0846abe3793311f9c3979e2713fbaa039bce96b7741b9a8861016f6a1d8cc7c8be182b7ada7fb57ca705a81b94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe586702.TMP

Filesize
48B

MD5
88efc16445dc098bbf91f2d42f4dc4e3

SHA1
3c3513bd8aef29d88abce6cb03d972ae3c0b7b8d

SHA256
c68b2b1bb3efabb48e60485c907d06031d69362204e21dd6a8b0ca33ad9dcb7c

SHA512
fe28d0423b4c5c298c4f515162a6520882f8f183a87273cd9e7ac55ebf8448b83ecf8726b09c08be03b6dffea916e7517cd0030276334c955da5d21188d3f335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
b8a3a8e765d7779b771895b29eac0f15

SHA1
6b3ba18d87ec5535a926dde79d62df145d449ba4

SHA256
b2c860c30d67032fc6100875b3d0853dd89443e4b69fd5520c5c08ca22b11fc9

SHA512
170eddb110d5977f37062198ce4dce6326ad6c38fe9c9213ca865d0a6d9e6027fc1be6e215329fa7b7c946c43bc3d475ac70bacb1cc4822cd09e210c5805c7ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c631372b85b4d340b9fb823b947c9b74

SHA1
9b4405690a5fb8ecb48820833fe5808efd0b8d92

SHA256
0c8c2fc74c07b34a3e5a4d218455dde715536f1eb4a0e4a908f2a9521f815315

SHA512
de2b3b763a67b5fe7172f3ec1988721ba1b95b7b70927b84e5e9db34b7bd5cb3eb441909e940289be678788df93d9c93f77668748776ccb0018999aab7823109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e966.TMP

Filesize
204B

MD5
568c18d965323581037735c99aa99807

SHA1
ab134f54d122841be7bfa9fa1f19ab1015eb8b39

SHA256
ecc368095bef1ec48139562a8a648f41787b947c0c17ef016c52fa54cda53592

SHA512
328be7eeffc85a32fd27c28074fb4cb53b4ce9f6b5b37abab2a211517ba83ceeb627e005fd3232e15d4fec527fe4cbafc128e6f3558b41d868f7d65f1403a971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
68ad40fc7509e74bdb56069d8e346510

SHA1
391e7b772604ebf6fe3fc36f9308eda18907c200

SHA256
15e5ea2423cd857cafdfd5bffde3a93e161603f3ac88640d9b6210423fb9d0fb

SHA512
2195a62154ff52ea86558eff559b048484d4e48db5a806ded91b5c14a584508540a039ce436691b3157a6dd08a172a09bd6e0a9cbf96f45461769988ae753fc1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 284883.crdownload

Filesize
18.0MB

MD5
2fb72fe2ccd20f845b866f61ff6ccbac

SHA1
91d969aa13f5fd959d01e196f86cea8c86dfc521

SHA256
adbb749d97bc5d46a9d46124053d93dfcde1908049e680b6662a5612c665b50b

SHA512
d5316f46a8bc6fb7626fc89a5394415c4b4a356b516763060a9ae2c243168c1c8a311539b1c7785f8a175d98c4341c4d9abab98a8130b44ffbd81ecafb0974c0

Download Submit