hxxps://drive[.]google[.]com/drive/folders/1yYYvjQUYI6mNZcxwXwOVcqRUiV1Q6hCX?usp=sharing

Analysis

max time kernel
481s
max time network
484s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1yYYvjQUYI6mNZcxwXwOVcqRUiV1Q6hCX?usp=sharing

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1836	Free AA ver 1 (1).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
8	drive.google.com
144	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Free AA ver 1 (1).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 934324.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 263315.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3752	msedge.exe
3752	msedge.exe
4328	msedge.exe
4328	msedge.exe
5052	identity_helper.exe
5052	identity_helper.exe
3928	msedge.exe
3928	msedge.exe
3468	msedge.exe
3468	msedge.exe
4984	msedge.exe
4984	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1836	Free AA ver 1 (1).exe
1836	Free AA ver 1 (1).exe
1836	Free AA ver 1 (1).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 3128	4328	msedge.exe	82
PID 4328 wrote to memory of 3128	4328	msedge.exe	82
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 4116	4328	msedge.exe	83
PID 4328 wrote to memory of 3752	4328	msedge.exe	84
PID 4328 wrote to memory of 3752	4328	msedge.exe	84
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85
PID 4328 wrote to memory of 2312	4328	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/drive/folders/1yYYvjQUYI6mNZcxwXwOVcqRUiV1Q6hCX?usp=sharing
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97a0846f8,0x7ff97a084708,0x7ff97a084718
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6408 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Users\Admin\Downloads\Free AA ver 1 (1).exe
  "C:\Users\Admin\Downloads\Free AA ver 1 (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5000 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1816993702034842612,3271926914065792004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:4520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1875649d-e8f0-44f6-9ee0-5efb30450969.tmp

Filesize
1KB

MD5
069f5e23fbbb3e6aef02897ad8fc0cd8

SHA1
7eb03f12d5c9e57f562c106f390d6b1ae0dcfd58

SHA256
74c6a47fe3df8d3922553a85525e231a228512e08f9df647b8305e5c4c60c325

SHA512
c0a3762c64df87e6d814bea9e7c68fbeb70c2a4f64bc4d197061c351ee90707315c35f52ae4029202fdf8eb51c95cd46b69c321ff0542ec25cccbbd6eaf5a160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
396880fae646f111d4ebdf500a09cd86

SHA1
0cfdb24c2ae106049e19e23866e52d81512113dc

SHA256
39262fffe57adf9a281dcdf656ee6039e90075cb1b81932eca40b80dc5ac5d12

SHA512
bc72ddc5b453ff2e536cacf7f94d04b5730427b50fb86341c68cd875860339c84c9ff4b7a8c2c1515f84c00d0f544e803eedff57db957865e4c9d6a4a2f9c0cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
51a545071085d52b6755af3f825d59aa

SHA1
c88649df2d31ebc933cc592bbc574497a06c17c5

SHA256
5e3831e253258bc867520c6e9aaeaa37618f01fffd7c223954d5b205019f19a5

SHA512
9c2dd579a42f67acb9613081926a5db94685158034e771cb60e12ef5bc32131d3ed696a53d08241b392b3197d78a400c47bfe79ab30295b18d6b916da6847b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b75daf30b365476dc0e8d52712c6885e

SHA1
2954ef3b3efccee40a4efde855434b48b4666b12

SHA256
2427a52195cae165503e6c624c3796c4c07454f8ffba1bb734e39fb3dd0a70d9

SHA512
4b453ae546b4d58dec5244c25ce4b0ee22f20f5c8d4841fce5ab134d1e32e3b8dc020421a7a9ed9a0a4c546b63adc100eac015f4f98fb2bb32168c9af8e94b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
8c4506802620fbb82e94ce4b18327ee5

SHA1
2f84d657023e4c8f10025719142ce4dcb4045907

SHA256
c5dab665177a5e65dc9b9965ec14ce6d316d6e040f73c0e516951e88c5963aa3

SHA512
b730138e8c4e01d62ab256385f9180b3963d796ff038e13e635675a7bab93b5788c4d75fa84473c59dffae84fd31ad10eeae0ecfeca4bb0348ff100d220ea9af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
6e3a0d3ae63261c81acf6aa896f7a9d1

SHA1
eb26bc7dde34fe44ef0c96b1ccfb11136b62b876

SHA256
7d200e4cf771147a5027a415d51d13cdf44b354e32127c902fbbf06bf86d8b2d

SHA512
7ec53715db4fb8df4a189825cec33f2a06880ed07c86ab596a647ef60169b39d59a65d25f7138ca23c65e7e05def1c4e05f6cdfc39a86e741a703576921ee1b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
7af5a6405e326329b69e1d30fdf7b440

SHA1
0a760689d103668d75f493b8fe2566e99b42b5f9

SHA256
4a122bb0634d0288972b310094ca50469297880823e9d25f915489565cc4bf80

SHA512
b324518552d8cf4bb25b86650ce33492e7c717f07e1e99f0f4c0d8c218cf759126536b2bf7f78c0399e3b4e62b0bde0aa32b425f192e5ca2de3fdc8d9799409a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
66175b42cef7f754c8bc53b335b53ae7

SHA1
f83084e63b12fdd707a79a532cf4f323469f889e

SHA256
989a6ee608d8d959e4d490172c91e40d60db6204d8a2a2c0feab04cfa7fe305f

SHA512
e965c76f6a8fedb839f3ef811a92fc1e18673eb68f87917260bd1f767b4b15284db644ef6d28c6a12d5477f22b137b61c007a0643a81aad29aa0852683893238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a86e81978fb376d3aef15c0801c6be35

SHA1
58785305076a469fe9752c68606e5070cc297911

SHA256
29f13e882e11cfda5e6054480e1d1ccad1279516560cc2db345215fcb010d76f

SHA512
12bf6283fcef2389842ad5e0b428cd7ba45a6ca32a8ab9010dadf59f2182ea139a2da5313e685be0a495e0654d911f3c23710f166f1088748fd20a4f8da7b83d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f375a64dac48cd4b57ba74437ae09e4e

SHA1
b27e7c7ec3f0f49a9650a41d5a8e8bb15338aab4

SHA256
29c8c1b542588c61535ceeb1a14d9c51bef5ae7707b1f6d4c9345835a498e433

SHA512
5a9ce910c7b7af3b96daf2b03fcd4da98d6442e5078d99cc903426718e69f03a07d61214f6468ee77fa931fcecbb474fece2918e6076192eb5393609ffa82db6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
67e1ea4304aa0de697a8e4fb16982b8e

SHA1
8b05ba439e9142e38295b391305b6b0794a878d3

SHA256
4e93f43825c58a1bff88aece63f148cc3abddab6dc35fb26f9a375dd7e03120b

SHA512
3da5301ff009019b8109b9fdccf8e07a78d0d65a38a055a7af5f2aad4d146e13562de7bf84459e81e90405302c0bcb7a915b8bf22c1f2a27bcfc45da8bedbe2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1045adf76f3600b09c0272a824dfed7e

SHA1
59959933e82024da4c3cd58be2dd28d9597d0ed3

SHA256
cfd66ffda156392f3686e6e710400aec8057aa086a30b7681f4b08d45f8a48e5

SHA512
3f9609e4f48c0e2282dc5c6a6316d7dc17711d4a03d9ed4361de40101073f130af89d14bd4cbdbe3c75927f573419ba464968e65e4ae5bcca13a659c8980b140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
25faf8b990056581dfeb82839fc5e0b9

SHA1
88b59e6ba19e25031bb9839e6e4abe496ba18a52

SHA256
3695df216b19b4dbe4d8f440a3b045b9cc8f76057b51a99ba7d7c480f0dc8107

SHA512
97d8a088126933636affeb72b45c18890bde21dd1ac5f165050e4d88ced7ae00fb82c71c62d5383527677d74c98c3a45966f89eb4af122834d31d01ac25c7c20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b435c3b4b4359a779275217c6568357f

SHA1
5b7555dda41d91b24013a84156989db932c508fa

SHA256
9204d935d5cd7f017d89979d8a29741cd3ac6ee3ce2621f62f96d061afb95fb1

SHA512
b0eaff7d9b663012e0f86603e2763a440a3a1680e6aa3ac85b2e9c8b2b0c31dc8f179645e2243675f38f5c5f5d6bd2185f503165eca857c254b121567122514c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e1ad9046c1c90b059f4a2a7cc4d2be94

SHA1
721c5838d573d88cdb6c622980659345f35e83c9

SHA256
a6029c221c31e7484a6435f12700419105d3a1afb39b5d5744d84d824d2c6636

SHA512
7af64cdbabf1100771b8678eb6055004c661ab5a6f763d5bfa6fa250230b7de489556fe67cc91cf68a6580ab9df42112364c7ddeebda27305f5f8c412c26a7ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4b16263b508a36af24f3a192f5214ecf

SHA1
faaf80232b5ec182c22298206ba67ae4f9ba4a8e

SHA256
85ce02481b7601dda40b71683d0a3e71ec9f19086e57f8f47d89a5f1d9b4f724

SHA512
1e63936074a920adb9c7989e764f2e68f7eb62e2b7b502e25d27756ed60f7202bf27c466a7762cba6c2cd7a5aff52d6817433ac9b46b38f6ccad1042ed26c79a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a9aa8d041e571ce09b6adfbac4bc823b

SHA1
71f5ce1841cf38e1e89100555295e4689e5d740f

SHA256
f0902c3a9947779f05b7e0f8a85a246373c6bda2ecf6f29216e8b74fc0ab6656

SHA512
4e72a98a0e002817c97ad4bd57754a9fb0c70ced7eb479fdbcc1cfa3868bbe360909f01ee15662bb46b0507ede74596eaf23c3cc78766b832e643bc3af53b021

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d965b6ef4b8581205f3f2150c6f42b43

SHA1
628c9bd9a5f48926536bba1f4d414bbf8468a3e4

SHA256
14cd58ad59404becef06ac3162b9e231b8b2581e8aa0c53a94c0755f5cd1c605

SHA512
430835e249d8183b014e3115a093223f919cdfe840fa6b2cde6b11ef3d26888512a8250605b0d653f494bb954688a86c8276105656b2354124e6e39a50b9f4f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a670cfac0679ccc04ee12fb1e46a2842

SHA1
13e7cfc455b6ae4782e19f56535f0b77125cd09c

SHA256
3a24a24104fa32ee5b3ab27839a8eb0bf17015af777acf480756b6834ab65113

SHA512
5aaf5e2a540c5e7d14521e9f28cdd2c8b310f9baaee3267e932dfa05a7178f255b463d001a4174d9dfaee4e465423359cbc30cbf7964e0cc063a2328c5ed7452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583bfa.TMP

Filesize
1KB

MD5
b117fe41da1c75bd7d2f343dba7da29d

SHA1
a0044561d61845e82f8c6bffad7232f721695ab1

SHA256
f278318c5214c0815d27f18821b10f1edfcc622d5f350ccc3896afc978b74eee

SHA512
2d79a6a60e8fddc9c7c511a81be6f8ccdd27f8b67e49096219762b88eab26ede6d933e7a65ffcb91f1431f83803ded2ac52aa3b604e159a00c4208d57d66741a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3b04b0e4bafefec1f18b1e28a4f9cdf5

SHA1
4424bce1ba1ec73c4b4d7aac8b63be8d49ac4673

SHA256
9332ad69305414c883fec23409a7c654b9ab3ce5d9864df26b5a18bb04a4e18e

SHA512
39e57468f76b347a1b40d8441016a80591c1b7525a03236fcc97f4c70e7aef0ed11c73a7d43aa41a92c3040a62d72761049c619267863cb6931ac5d919d3c8b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
188db4770873faba67aee63a313baeb2

SHA1
c51530002e90378ed36232b9c44ffe6ed8801d6c

SHA256
b52ef79d5db70c8dd61c97b0a4e811da9e0c3347ce6e19920c62ffdf60d795e7

SHA512
0ed163e2af93289cb3e1692f45c05f0e73ae82e2bd9307f19d1a7477cb50ae9f6812f4176a0179358c8b8df57db4e0a211919e68af3be73ec1c8d32dc3a7529e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 934324.crdownload

Filesize
333KB

MD5
a59b90291db344ed9312c7e45333d622

SHA1
d196a2fdc73354262f075db734c3aff075221ebd

SHA256
48d86255154c209cde650b243bb988ecf6dfceacec32e1a6d9162536af8aa514

SHA512
85e8d22d4433d574e06072ed56a7b91976cc28d69326b0334c8c47bcefebf4257470f12553787b9651890653ae51780b07e815abe5b35f06d38c73d72cdd6af8

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 97302.crdownload

Filesize
384KB

MD5
f2e173f0f7ec89134de4eea87da23144

SHA1
6b595ff4e352fd7f261caa784790941480c979b2

SHA256
e937033492d9e614ebb7c7e5308ba1ab9349d25e0db56b97ca7da58928445a4d

SHA512
29ccdab061598df1d89a7515d62c896b04332d4cffcbef911ffdef7fea7f9b8d89ce9c4c92a02340f1b48472465038e298c9b7de7e13a2d4c6b959c2fecc2c18

Download Submit