hxxps://drive[.]google[.]com/file/d/14IeoglqoxXk9D_SbCU70grZgLBt_8EwA/view

Resubmissions

21-11-2024 06:12

241121-gynk5syfje 6

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/14IeoglqoxXk9D_SbCU70grZgLBt_8EwA/view

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
6	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
976	msedge.exe
976	msedge.exe
3324	msedge.exe
3324	msedge.exe
4968	identity_helper.exe
4968	identity_helper.exe
4640	msedge.exe
4640	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	104	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	104	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 2352	3324	msedge.exe	79
PID 3324 wrote to memory of 2352	3324	msedge.exe	79
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 1600	3324	msedge.exe	80
PID 3324 wrote to memory of 976	3324	msedge.exe	81
PID 3324 wrote to memory of 976	3324	msedge.exe	81
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82
PID 3324 wrote to memory of 2872	3324	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/14IeoglqoxXk9D_SbCU70grZgLBt_8EwA/view
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe945b3cb8,0x7ffe945b3cc8,0x7ffe945b3cd8
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2464 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6596 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,2380471699458791864,15870999933487126847,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4140 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1688

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8d165b6a589523d57c970e7af63d5b8b

SHA1
886472587e3706624256e24e972b49cb8aafbaea

SHA256
49bba075bccf4bf8133c5e611a1bed88f0a73e1dfd9241db89b0438690ecd194

SHA512
815cc48f4fcfbd38e61ad567476bfeb08a8b62d4a821d16966c32dfa92dcb27aa97fd147347282d67de7092dee147b0fd193889d26b20fb37ff02bdabe757525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
d4e00729b4e26ea33b7414c777ab8e6b

SHA1
8a6181b21f109e826e039e1b0dbea18c431b9d9b

SHA256
1bc4212eb25eb87aaa399514c74fe744f2eb2ac8f8b64fbdc58ad368c8c9e063

SHA512
9b01abaff70ddf8ead4b5f852e3e8f88bdc82d71a42af8ccde67da357bf5196917d5b47c7a921494bdb94c9493d7ca35377314864bd936545654a5d236361f67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
f87db2c11ad5935047176d7cb1b63a94

SHA1
dd67b1f92b1900375d7728f92cbfc9e5d49d8c14

SHA256
efe0d16861b99d58bc03813e8f8172630feba93eda721da1a1a88a925d501d6b

SHA512
c15411f35942a80eafd44125a0ce8b98c1c4e791b638e31aee46d74ec6e89502f96b2ffb2ed9683f0a56af6ee9ef576761d68200879d99e5be83eaa116a7025c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
a0f7d02c05bcbb67ae6d97898a740e58

SHA1
9eda1af54d2961014fa00e2ef26558284ab18819

SHA256
0202c0c9d52f376f45c5daf9428fb09c34c9102fc2bd72b5f5a13bdf7ad6c0d2

SHA512
f9b734644b9cc01376c7325fae388c326ab033707f27f7a364ce0698948bd40041790a382d5b05c92acdcc67e9f222e8c221ddf99ccd78ff7bd8fcfd774f4b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f98e6b084c4839e4e4b52cedd94459a9

SHA1
b13d33a1d6b1b71e9dc246bcd58d1cbd74b08fc9

SHA256
0e7a4fa3fc6b48308ce3380fddd4af2ec09d168ffa8e86ef7175705f1b6481af

SHA512
79e4439751814aaf907943e8a0a74f827e1fb513b0918029a55f4d5865b3501a55d3403ea0e483142f54b3a8114d6cf2a45cba041df1d6f5ac103cd64b5a7cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c8ca012d2301458e7fd87dd65ae3ae40

SHA1
a8c13a96ee1473977383343aafcbb17d5aef54ba

SHA256
a38c28fbb1f0beb2578790c84b811003fa100eb580eb1fe7a07bb2f0373e0bbe

SHA512
566b0ef97b30218842a2fddd386705104fa5a5a0d7cfc0935c456777795eba3f1026bb7f72b3153308955e580ce7ed3c71c6ea79ac0b6baabeb2c8ce06ce7790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
824b6554676b01cc6e798ffa03e28050

SHA1
12a1405daf1a36bac368bef6dcaff5e0236e60d0

SHA256
37fcd1df4347f8f9b5f62338d51edd37ecc5b812bead3e16d5d7997080637eed

SHA512
70e190c93f987d7942181516087debff01416ad8a6bdaf0953a0d3dbf06c00d895ae6d53046ac81f54166ef3ffb1a5f2fc7f746861ec95f7675cddbc9de2920f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5a59f307e5f1b2222dcff8cf53605dbc

SHA1
b1565997537f1b451fe35174e3a2b5145faa55d6

SHA256
587b61f0b285c318f4104d7a20efb55bb5a23323482858308d82f73fab52e503

SHA512
ea2bcc4edd9bb17a6438ca6824ee2bbc60a194ae5a0ef6964e4b2268facf5e49d15d2b60f06754df56314c98339c044f22b7a017a4770f6e667d15346f0c5353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
75e859edf7f182e8f70868204dcde210

SHA1
5cd00f183e85193e0123e6758cd3ec16de181131

SHA256
58edd5672adaabf1cb75b7863c2aaca8bed6652b159971d61e182b8456114839

SHA512
f54fe4d728d546b3906537923e49168bd337f3af81a1399d0c9d932cf9719bfeeae356598cd2f9287d39809d10deb3c1990081aa395a4ca836388cd18a279822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\fcfe225e-dcbd-4e82-bf09-e566389320e5\index-dir\the-real-index

Filesize
2KB

MD5
f1a88b8a53c4acde8a87fdce117af3c6

SHA1
f14230cc3f7e199771f869f912afe73ee0902da9

SHA256
3b3f85f93c5264811ae7ae96e3ab2bb82e834aab7c9bf197b340f328a0a4bcc0

SHA512
6b1876e4554eea42205b97777e2b3873693f6dd34e0d8d53348408e454e51936c137f55f7838b63b6f2895cf43493bcebe14f40e04a053832b1802288c078657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\fcfe225e-dcbd-4e82-bf09-e566389320e5\index-dir\the-real-index

Filesize
2KB

MD5
384c2478adc423881bc911cef5b0bad0

SHA1
074406fa51429aa42ba7c6c2575e9503cf592c73

SHA256
114a381be6dd33c6902db94770a19f9302ef82745fbe7af53b27d1983931b0a3

SHA512
d1849bfe57ff464fba4e114925e8a30b7ebce9b4040fd7848cc6d3e33b1dfb4b86bf10cc48349cf916ee8dc9c27adc65e4f3811077d1f3d3b5e3f69161b66a30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\fcfe225e-dcbd-4e82-bf09-e566389320e5\index-dir\the-real-index~RFe58b6f7.TMP

Filesize
48B

MD5
b66ef6afe111d2dac051c67438e03ca2

SHA1
a398c80d4216ba0f9d23249f524ea0fc6b6edf08

SHA256
400218a0a422285679f1f053c7a492e348bf3e0204738b206bd8445e292038be

SHA512
e0dc20f6d27993768a0d41d51561d035efabd62b22db8f811482823d8fcb33c399a7aa11b47b81076bbddaecd94773afd4eb4890d3a1dfaded270b7d4bc8a5e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
36a5a707970cf6dc32e03fb408d18cad

SHA1
2bc0e32bfcf027d68c253bc94cfd56364d2db1f7

SHA256
ffdad1db817efee5034526ee98949db3c7f5602b01e319be91628f6d987188dd

SHA512
89e1980a6056d0cb05fa1297df12937a934d25d6345f689bd96bac1306b104c51a90f6730bb93e60284bc5c5da456fbf5e2c829d3442abd02809d9a39a4e2b4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
0dff9392b3062d8a6557715d2766729e

SHA1
4da7268e180f926afc9c2aeb8bf1487b076aecbc

SHA256
c2c715e3a804c3c0e250db2a4bfb48c0f8383a50037225a5ad70aa1dc041baab

SHA512
8e87d89ef6069cc723087d4b51953200a8769b07cb5d50a7c1587e980c91ca4c7bd2c68aa236784cec9e18a5fc6e59c0b58c908410260181d576e2682c9026dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
112268e6f031e56759dc331e1bb2a34a

SHA1
4f6b0f657a752e840412e532367d03d02e97a935

SHA256
10228e499f8f38f75f082199cc5389a96a61b0013a80300476f8d66c5ae3441c

SHA512
de95bb0ba012361b5e26b007ca4f22d63d71f1060b196fd5808facec07f900b6563bf65fcf52940849216dcfae552d658c993b35e36fa7fb4da0acc6fff36faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
26f6d9886c0aa634890fe1c2e328a446

SHA1
f48cfd4ff0b9872e0a6d6fd5f6e724e706d9ef09

SHA256
42639c6a7dd6146ce8f817f679c2ea99be9d09f9636bf4932985f9232b634dd1

SHA512
5561ada450018a5ca4dc6048b7697873629d845419ed64b883dcc805d8a0562303cc03b418ac40028c0ebe0fbb153a9ce73cf734d43f4f1b28945ffa5a064943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
202b25d50e744570d5881b6322720349

SHA1
ca43b9a57c19f5208c579bf3df92df75e157f321

SHA256
3f4e1297f28e84a859787d8b856b591ee8c853f513ac670bbd4044098cb2a7dd

SHA512
2cf3908014a32d606eb949e1d595bbf2981caa7d109428139e241e7247fad946e5ed19e232d03fb39bd9ccd2c18b5fb187e34d26c857e954dde1c4884bed24ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2e54013d3516c9f58d7484e0bf9f398b

SHA1
b21d5697562646df300e9944213d609f6f640aa8

SHA256
b044758528fc43be5ec044f2bcc94564f3332890498130ad4af37675329b605d

SHA512
9458210e2e493e59acd7b3a1b63f53945d8c521b3952339a2ee34fdd21414e34b0d56fd9f60cabfbee2f92897daa4842034cfb317d8f5ad48fd3ea507499a015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58ae9a.TMP

Filesize
48B

MD5
8dbf70c73b4935ae5804dfc9b5fe68f3

SHA1
005ee1205a671b9c718253eb2f1ac4a0d9b42f95

SHA256
c2b47d53d56c2aacbad49e1eb9acc6317cc2b385ceed9924de4ec647657946f3

SHA512
5bddbf27f248fa4bd786cfa7fb49ba4484aec8922b4f5182cbd4e32b6433128ce4e4bdaffa55bc0348580dea8feface8edf23b9964929be902049740acf6091d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
db45a5b1b54eef09101c72d3fd208141

SHA1
34a7169e23f7a7725827f3ef6e4932aedf1e5247

SHA256
3a6d2c441a8d5440d4cf10505cfc4a2884473cda6e033c1e30a4b030d40b0015

SHA512
5dd9b89e27148f5048e644f587a2c009c79a14bd68aa2d931c422f4d443b31d71d2fec16309fc972f54612f29c5e74a138803dbf9e6ea54b19446bdf1ada7c01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d382b59067a139b8c50270727277c20a

SHA1
836407c4d1048bdbab8fee93ac8d25f68d2c76ac

SHA256
0b6fce5bc4ab408826d3e7fd8cececc424f925d75bd742dab0677f59cd4b8506

SHA512
dc4b99bb3434e58b447c41c7eefb81a8014fef490415da2e953e6fabe759ffe7b5f52e60e30b0cce82f5030dfb3afbabfa74bacf4616bb1b49d6d1ec5078d7f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5865f8.TMP

Filesize
1KB

MD5
66b21d0e36c5deee8056d5b13ec818ea

SHA1
dc7a86d7b42a5e94ad60af7ef773d4abd59fc915

SHA256
5fc816c8ae2c5ab3fe99e74331c9be74b6a6c98eaecaae464aadc100144975dc

SHA512
b32824ef7ebac3d95dd0c2759ae9a8da139910577ddc32b9657a8b1e57400585457ac0d4d13f71058903df25ea1ade2b4a4e5fc316c04443eacbc04b8d2cf19d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a46ff6cf261d9196a1065fda63990705

SHA1
5e743ad678f2e18686e2f704c0c1a6a3406ac9c7

SHA256
1c7cc37bec70a3ec90a75613745be23a2cdefc8219ea35362c5990ae808ae7d5

SHA512
788fb6d158a3c535102916699368233ba194a6875bc196bafeb872e09ca844f6df613f9d7425f022fd76e4cd75baa4cf1ca7f113aa57cb71bc9fbc8c80d431f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
24ea43df8e4914f7ede8fce72532c96b

SHA1
8847834bcbcf6d7bba6e4cb4fafc17b75893f519

SHA256
acb75990ccbf87028807c7851a456e6af1b7556d78217383fe90812f4ddaeb18

SHA512
56f3b5859b642320ca47100ef7bb71bad0ab1df47cea0cab658ff9bac79bd729fc6d029861de9573b4f0cba9236fe5d37337b017ce48fc49500a5fd7eae14a5b

Download Submit