hxxps://drive[.]google[.]com/file/d/1oZwSkwqJKL-3du220wh5pVVUwz6wtqfZ/view

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1oZwSkwqJKL-3du220wh5pVVUwz6wtqfZ/view

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
10	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4892	msedge.exe
4892	msedge.exe
2880	msedge.exe
2880	msedge.exe
4840	identity_helper.exe
4840	identity_helper.exe
1888	msedge.exe
1888	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1044	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2504	2880	msedge.exe	82
PID 2880 wrote to memory of 2504	2880	msedge.exe	82
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 2904	2880	msedge.exe	83
PID 2880 wrote to memory of 4892	2880	msedge.exe	84
PID 2880 wrote to memory of 4892	2880	msedge.exe	84
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85
PID 2880 wrote to memory of 464	2880	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1oZwSkwqJKL-3du220wh5pVVUwz6wtqfZ/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa2a4e46f8,0x7ffa2a4e4708,0x7ffa2a4e4718
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5176 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,9130024144090274102,3287869030767803273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:4024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3280

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x4b8
1⤵
PID:5876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
47KB

MD5
2bbb6e1cbade9a534747c3b0ddf11e21

SHA1
a0a1190787109ae5b6f97907584ee64183ac7dd5

SHA256
5694ef0044eb39fe4f79055ec5cab35c6a36a45b0f044d7e60f892e9e36430c9

SHA512
3cb1c25a43156199d632f87569d30a4b6db9827906a2312e07aa6f79bb8475a115481aa0ff6d8e68199d035c437163c7e876d76db8c317d8bdf07f6a770668f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
63a7d921a73650719bb057adc42c980d

SHA1
e2286e4aa7de49529eb46060824f9cdd27c799d8

SHA256
4859ae1e2315b1204767b8562221021084852ef6d2a367601a3808aeeacedc31

SHA512
a7de39a6d4669535562d84124d150af9af1de6e42db6aaddda0b3a559bd6e70f4a59d5f23478846b549bb87327a811b5a846b143d25e46ebaf14dae3b79f5c16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
06a6e76e87fd5066464738f6c8366541

SHA1
69f7dac2bebb9b8e8105947c25f4e05bd5286a85

SHA256
411dbaf3b200163b7f6635f8f14c3de1a9f62fb6b9d3dd001aca2311f50e98d7

SHA512
361a3280ca29a0c8be34431cda31b89fd8a84a04d734691162013e86d2d2e0d1b65a6856c4b4010f218af4977cc938bee78a471954a4bf4c79dbd5b13d9412d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
4a199c65e523a5ecbdbf2c270b0f7f3b

SHA1
bc68b469a1434bbc66137f8415444c390c91d0fb

SHA256
0e1f9c49085b4d7044c0c88d7a36a3549cdc1413c1795e6a9a2033e8b48c7d58

SHA512
6649718b858562ea49ee8dc8d06ae853ed7e4b4ea37efd36f9df034613a763ed63dc1d3f72fc134c69380039deaeea972f81d4b823f54e8edc9b59a5a023d031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
56618ca3405154c487d7e7dc6b75a8be

SHA1
fed6537daeba82fec673ea2560daaf3fc2f379d2

SHA256
cd05f3af993d75cffcd2d6494b2fefc9e6073a99f384aefd3994f9ef4d316886

SHA512
f99000c490f8a7992528f59d14c07dbc147b6f6cfc2f94714e058caec7d81ae6c4ae0db3af69899eb9a6edd8f692cf176a4af2a4792cd2264564e61ac0308b05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2dc46eba2db2a097a4c93a59086877a0

SHA1
2f5adf0451d76f2913f0d2ded8ec18db8353097e

SHA256
b66ad346fefcd4b4e6f20c644e8f383547464ff035153c9ab8ddc5a180777aa9

SHA512
baa36a3192beb93464b61274a69614a874c87eb1656577dcf4190eeb1c39093442a8599f1a0df1196147932eeb4d7241521ebef565494fd359ca5f5cd1ea7865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4c0050bd15638880fa32ecbde4774a92

SHA1
fbac361f7c2713aa5c837416b65cc127f665184f

SHA256
537e04d07b5a18e6cdf23b5dc603e7f842a3d15ca2fb4c48d45d11c993a31ee7

SHA512
5626c548eace852edd654191efef380a7bb48dba795110ab6a8efc24354530a276db75ca399f33ea0493918a40dd9f4f6507f5ba9c4e1a0b5dae16d086cb4c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
65a94c89f02b4f49eb8bb94658120864

SHA1
a957c55e346de0e505e904e46058f085e73e7c48

SHA256
3dc402bb6d6b6a9000ebf6bab333ae233cfab266aa91af9c082f63a42a9ff853

SHA512
59bea8161cf25513e6fa74670451be0b8f115211e191c5892ad6ca5383cfeefc78ce51c17ee7c291862430bafe8e237564bffa59fe5bf0b5f9b19b4959788c77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ad5060d0ddabd13ab6a66c376227cc03

SHA1
426f2bd94513f33d0872ea5627ee97421f3f0be9

SHA256
2db82014161d10c037c443600d008bdab4775a70dedd2dadc68057bbdfb29972

SHA512
8e312ecea513615155ddaa8b1f8b39913b0249e325171e0e37c03150a6d5b68c05673da14808af8ad845d7451cc05a2c79cd1f5f67e377b7ea5084620ce2566d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0e1000d7f6e90adeef35d1e072d90dcc

SHA1
6785bc7fafc7199b53ae9d88d97b65032221008c

SHA256
58705b5cb3c919e37cca889b4c94f01637af0f8c4a0c349c8bc8fab5f05a21f2

SHA512
d48de171acc8e8a117188e33e5ce8570f6338e00e62c17e779404e3b3ad437d91da7b363f5af06c2ca903efe8bfe0d37caf274d59ce28238e1327c4e06e5ae52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
13dcab94e1fe56486fb9a7cdb91948e7

SHA1
e51fe54227d5d954680d26a2768f2ae0c7dc269d

SHA256
999cf4643304b28d2301ef457785ad839e9057b8c016cf391f0b09ba7d97422a

SHA512
954420d3836ccb65a6984abd12e0bb4811489524884ada61b4918301e3aa6930210fc3a211a0cb66c9cbc11a315feff80b04f626c4d1a8c2c0b45d1cb6ac7926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9503966d03f3a68240eef3043b1b4b9e

SHA1
9e2382a40bb4831b8e69b9622b5b2ef926b7e394

SHA256
a3a849d78eca839e14de1cfa3d387b0193b80d1e3c689d2825012c6234295d61

SHA512
0bf67fb33a3293be096fa1e7ded3aa89350e1f43332ad375e5c65e46093ebb439e203336e15cb0f166a320ced77b84ed9f6d81be29f87a090a951fc7a1f08dda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58055a.TMP

Filesize
874B

MD5
5a4d5b5f1aa897df3fc3993f797a1dc7

SHA1
cdb33cd85004e38b4531ed23347c4d53298a3402

SHA256
644ad4cf63b0b94250bcbab2375bc82001b874d76a859ab6fe2318927e545e87

SHA512
4297e780085c8249b72ae1cd1f1e412edaf2b07b60be5fa06e4b474706b8b995d33590b5d26337fc0c81da29840bb3b05199ba534998d9cdb4ac3ced1771cbe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f565ac47-ee32-4274-9f5d-dfb289cbd6bc.tmp

Filesize
10KB

MD5
75743a659971bf31cc330c66745b9a8c

SHA1
d30109443a737760ef3f39e08e37eb7d64d32831

SHA256
518ef9f89ddeb4a315f30706cd41449267cb6a57e9f5724dbee181511b4e994a

SHA512
2a425a839597a92f9a893fcc20f598821629891e5777314ece917b14b85a451b45be37477fcdfd7faee9c417450ac94488c08bbf8ec5d60b64a1cc8c45669b9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
6aaef654aa05a60b99cef1f9126efcdd

SHA1
3087ae30959045d44301190bf6d95ab40bbfc7ef

SHA256
0069a937a6fff9235139e17a3375b4d4a8483b42f7ecd070005d73c89017710e

SHA512
52874aadaa863d2bb93d14d0875fb420689159c16af95ac5486cf24caa2195426c9291968e72f080d15ec7345cf64b3bbdc95c281e4a60004e454ab5f5cbc8d8

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 531216.crdownload

Filesize
10.0MB

MD5
0e57517b7b71a4ea9383c52f69b946b3

SHA1
a08536b1476670bfdeb483f90096f2ace55c6a27

SHA256
e39d9449218d7f579bb2b64641e4a028e1b798337e27b5445c17c8eaea218eaf

SHA512
0b0bc1d8e716b5d45cb9385b3b9a947c02d2deda87ee15324a8bcd0bbdcd8ad42ad0e17c9c8453c6e1225bab22513d1b77b1be97f45752e383d3cedd34031ef6

Download Submit