hxxps://drive[.]google[.]com/file/d/19QAaGHBnkqEn3BXhZSfRA2oQaIlNZRXC/view?pli=1

Analysis

max time kernel
325s
max time network
313s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/19QAaGHBnkqEn3BXhZSfRA2oQaIlNZRXC/view?pli=1

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
14	drive.google.com
15	drive.google.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3350944739-639801879-157714471-1000\{75104AA5-887A-4993-B91E-E6C414F8E134}	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3350944739-639801879-157714471-1000\{95046C6A-B48F-4478-A538-38391F755FA5}	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2940	msedge.exe
2940	msedge.exe
404	msedge.exe
404	msedge.exe
4980	identity_helper.exe
4980	identity_helper.exe
5888	msedge.exe
5888	msedge.exe
1572	mspaint.exe
1572	mspaint.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6064	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
1572	mspaint.exe
1572	mspaint.exe
1572	mspaint.exe
1572	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 548	404	msedge.exe	84
PID 404 wrote to memory of 548	404	msedge.exe	84
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 324	404	msedge.exe	85
PID 404 wrote to memory of 2940	404	msedge.exe	86
PID 404 wrote to memory of 2940	404	msedge.exe	86
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87
PID 404 wrote to memory of 752	404	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/19QAaGHBnkqEn3BXhZSfRA2oQaIlNZRXC/view?pli=1
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa3aa46f8,0x7fffa3aa4708,0x7fffa3aa4718
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:8
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1148 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1852 /prefetch:8
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4848 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1012 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9382970266947628929,5626248023029284784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
  2⤵
  PID:2168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6020

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6064
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Release Forms.zip\Release Forms\IMG_3134 2.HEIC"
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
67KB

MD5
fb2f02c107cee2b4f2286d528d23b94e

SHA1
d76d6b684b7cfbe340e61734a7c197cc672b1af3

SHA256
925dd883d5a2eb44cf1f75e8d71346b98f14c4412a0ea0c350672384a0e83e7a

SHA512
be51d371b79f4cc1f860706207d5978d18660bf1dc0ca6706d43ca0375843ec924aa4a8ed44867661a77e3ec85e278c559ab6f6946cba4f43daf3854b838bb82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
da254f1fcc519d29c3712c043d1770f3

SHA1
704f6599b4f646d0087c30633654694a7f2b04f8

SHA256
a99ab505e9ed853bf929dbfb1cca351555b1486dca1c0ea63afd037cb2242a4c

SHA512
2f3cc8bf6395d5873efcd6e2c75093d639a74294c1959e59d692212b2005aed161c82a280b70085beae19939d1fb221f448fb6a37483165d1b77ca71e717739c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
8019376aa819722ddac7cb314a99a84c

SHA1
1fc719cbc409227e98d0d41283d222c7cdd54ac8

SHA256
71464afcdd055da5c1e800dc01ef68ec572b8945ac2ccf578444b50a95c6820b

SHA512
bef4bea8668c2225ac8eff02234b746945b183b49426f77d715718208810257b9a3f3b44aaab2bbb83ef52dc22e6747555f57a16fbdf6044b2b54795acf3737e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
022c42f1eae6e485aabff12bc1af1fad

SHA1
b4d00712740a1d9077fce83fe2cd2b862259dac6

SHA256
c62c21f23ef7292271fa1d1cc8d00695445b2c164398ddaed54814d6f07af99a

SHA512
381135ad53b87e2b1062465eca08309f0635129a3cebf05ae9dedf10f4e2023ec75f8a5e1682cbfc360cd56df974ffa12431088c14f51cbdab0fe917f3753e9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
6700103d630a302b67b14d54e9a50f27

SHA1
2c982b28391d2f7d13e53800bcd33ace12af077f

SHA256
c12d3d25c3ce3261616b47bd829d5a58e163109254ed6d017d7a5590cdbbda96

SHA512
409aa0cdca7bb3b857d2cfcde1e09865e55bec437552e4b2a65a24f1f4cd9f5814d07b5b575186b5c93bacd0db069e4a893c08387799e81f720b88254a96a38f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
ef6ccf484dc5b15ed05e0112d1bb598e

SHA1
d4298be591dc7a0786965dc717638c160c647d70

SHA256
099f87a6250be265b2b33d6b328f65a104a5c657934181ffeb03c399d88babeb

SHA512
36cbeb749e79d7ccd5dd12fecb2d09738d383763051cc74b5c99014b5b13d5ad49d6e8e15a5f59865f58993640364d81844606e4b68e9b910a6aae470176dd56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f7ba7174fb75466b74a06b5c9890b07e

SHA1
ace8366736dcc6c02b39778254e2280cfbf3d6a8

SHA256
613c073de6051ab4bfa5a22c29b5628adfa2fea78ca282df0a9377e4d7ad24ec

SHA512
86b733cabd26e162cf6de681f0e40f24c34325420449f3a39deab212d76d68d55bb940f6b328c721f179c0c352a9cdb29d08d43cc831b9e70097d8e666394217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
73e5e0c46db84d0ef394d12070eaf2f7

SHA1
a2584ae3765ec22f2131a13b4ac9ea36445957a4

SHA256
6f97d0581d9be5700798b1b34a4a96ddf19a368c0c5ef3a81ffe336a63bcf405

SHA512
5e385f9def2406d77deef3d0dcc22ff7c9e9edaa436bdce135ead4be95e786634d879fc45f4bd52b79b44f6a12c9737d37abcd188d869925d3a4f80bffc94edb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a408b0c489e0e36c74d1dce0bb9608d8

SHA1
a1a57f6341100ff587ff8943079ae6c47d7857d5

SHA256
d7778f3f8106a86607918c917a43528494a41c9ea04f886a1a2d56b849df1136

SHA512
afaf4e1e371cd58ee2c698eb58030bba700b4680d9ea029777cdd6198056cb27ff9466ea336fc88a84ceb9cbdbe933b8a7b8efb8a898c8dcdc41ae53234201cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6b700d4940ed3ec6ee271648dee40052

SHA1
827a1c6daa4b98b38e63514d37575b0f44f49cbc

SHA256
76b3c64990ff15ea2c415cbe7b53b6d36f220541308545fd08bd44636d0a0369

SHA512
08230b9d55801233afacd236e61ad756d5f39365c030b2505d3478b38601747d20bc53e27c502487a62a49471d556439735c09cf7afe0af8b662448cff60b68b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c073b50fbb66c5de588f70586430041e

SHA1
97560b7ea8ad6e73d13ac54b4441ecc6ceef6db8

SHA256
167711597e02b43be2f8e71291bd0702acc048368159da67a9249590b7f18dc6

SHA512
56e72aed7d4c0ae329c0b81d6f9442adadfce4ec489f9f11529b13cf90e0f294ae552514e02833977338c9f7d7da07cc1a86f66a830193bf14c5f34d4ef5d4a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8acf3ac10c98679d09038a5122a550ed

SHA1
08cecbac2874e31f62ff42e62ac58e3881c57124

SHA256
9fd7363cd96861c6972f8728a89ab1d080e85949236a435d1482fbb654c6aa97

SHA512
b65c8fd6bf9f57340d4e90f321d24ba0c2ed2bd0ea6c760b565c58243b700eb90147c12df84f84fd9658ad20529c4a3d44eb7e014bc7196bb9ea3cd28387896f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f5e7d86e59fc43e142e878833192dd5c

SHA1
b83393a5401970be7a5e25f37829b4e098ed22e6

SHA256
cade2e9460727ea1f5ab7c6b6ac38a3ebe7306084eaa18a36b9e192bb4bfb277

SHA512
55998b92c90e61d0c178170713919b354dd87fa320c5212af47fd8f2aeb28911b2c80fc04bacd7cef6e905b96c77779c5d79b5f52c1ee3722f9c1304d447d2ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b7c9805de2a9c502ae847dd2a03f23be

SHA1
0feb97b3fd6a1f1365a0f6f6598b733dff62cd91

SHA256
05265b1b53a644da69e64e3696e7d124defe1b0b9e879d0c73e19aa3b9c96e97

SHA512
0a13f8f65d161b48c602c1dcbbe3a44bfdbf7b8b9c061716ea2f1025bd61cc7df4965138f5ac35ae41f92656075aaa49158523a7055b778b7e5873c0bf419522

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
93581594986be0586eb67ec9618dd4ff

SHA1
376aea48f22ddb99af24f2db2d0dd275c2e7a397

SHA256
0b4a0ac40b6b6118c0267907c717de9bae52e5be83264eaf5fabdf4b6ed72ccf

SHA512
3f7941e7018e91278f7fa1b2d14423b8845b12bae1ef1f6db0afc86bb873a0814bec99d8ef249f62f3e4dff43eb29c09a635b2e5c5edd4b1ce68b0cf94aec6ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5a2a7ef4a0fe32abc3c9cf6ff514ed6e

SHA1
e71b8a26d3a1cea201969594987980b06ad02b3e

SHA256
0826e18e880920685e306b469964af60c7f54d8169c9289315fb51360135f132

SHA512
5224090526d8f497298446ccafb664090661fa37e48c591d088f8919ae68696000c1181a51fe1e30f23abecf3acf074e78a39ef41d21faa20ef7c7f48fc32848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59c848.TMP

Filesize
1KB

MD5
b6ac4be0ffd3a5b36ef5aeb4d5759ea0

SHA1
a6d9ad33e762a6dd569967a31a3e1d6dd4902469

SHA256
391fa7434894340d8bb060539b55ff580930365ac23af5e40b65552e0ce89ad4

SHA512
e9c5183c5eed86a5ecae31a5035e8b2267de6d3bfff938df3d87ba1b5405ca1175c90e25393ea64d309fb848188130f38fe8d27888948e000c13898232c23724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8e439bee0d7427b5c6bf067d8f9513e5

SHA1
0e6c81134398372ade3e5c14001ccec8ffae9f36

SHA256
49c3d63a58c4090ca39a66d7aefc5b5d4788301ca56ec66d2fe66b906336831f

SHA512
d89a1412035bdce23f94fc4a462c05a468ae2165081e5316ec588aebf245222042ee034fbee0c8a3d47962f92ea6cc5590ae8797c2c0e99c18e98457674fe5ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
603a43d7112e4975015505300cb68c28

SHA1
dc5aec8231d2432825d899604c9a738150674b41

SHA256
08f30dec6560fb064114b31d3610d95f5a294a6a1cc66622215d3be3726520ca

SHA512
47524d893f07c4368a10912f410b8929398dcab9054905c98473761ae026eac5230ed202377b0891548d6939cd9e96d3520ff8a810ab9bce94aa8a4e0973a234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2c5f427715544cf477ea9bbc476a0b5c

SHA1
2032e35c98ce7002b4940d5e38d3222759ab1697

SHA256
85823e3489b8bcd20fb64f5cf0a3a702adcd5a8cf8416de2356d3a3619845192

SHA512
6c30889fdcac1082428c9387ccf1c8c6806dae120349d5a37145a15092c995f4ccc96f0dc6c780fde56cd8f51887afc974bd4b44c774568f279a700e3c6fa41d

Download Submit