hxxps://drive[.]google[.]com/file/d/19CBI8PSnpbc0ZPwJxkeqKIwTDasMcw4h/view?usp=classroom_web&authuser=0

Resubmissions

08-01-2025 11:34

250108-npnm4syjez 6

08-01-2025 11:30

250108-nmangazqgj 6

Analysis

max time kernel
45s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/19CBI8PSnpbc0ZPwJxkeqKIwTDasMcw4h/view?usp=classroom_web&authuser=0

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
25	drive.google.com
26	drive.google.com
4	drive.google.com
24	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
536	msedge.exe
536	msedge.exe
4144	msedge.exe
4144	msedge.exe
3840	identity_helper.exe
3840	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 4028	4144	msedge.exe	84
PID 4144 wrote to memory of 4028	4144	msedge.exe	84
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 3700	4144	msedge.exe	85
PID 4144 wrote to memory of 536	4144	msedge.exe	86
PID 4144 wrote to memory of 536	4144	msedge.exe	86
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87
PID 4144 wrote to memory of 216	4144	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/19CBI8PSnpbc0ZPwJxkeqKIwTDasMcw4h/view?usp=classroom_web&authuser=0
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ee3846f8,0x7ff8ee384708,0x7ff8ee384718
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,13069344377247749164,17474216519852821306,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,13069344377247749164,17474216519852821306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,13069344377247749164,17474216519852821306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13069344377247749164,17474216519852821306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13069344377247749164,17474216519852821306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,13069344377247749164,17474216519852821306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:348
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,13069344377247749164,17474216519852821306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13069344377247749164,17474216519852821306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13069344377247749164,17474216519852821306,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13069344377247749164,17474216519852821306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13069344377247749164,17474216519852821306,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13069344377247749164,17474216519852821306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13069344377247749164,17474216519852821306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13069344377247749164,17474216519852821306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:3028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
24KB

MD5
2b77b2c0394bfd2a458452006e617f96

SHA1
11eff89a8e3e64401818f81a02bdc84e8ecc4325

SHA256
c46f001852fd8e16bb731f21cadcfa0cda8e7d064e11b0faa18d6bb8325acb1f

SHA512
21dd89b9d6874539477e8b8dc8d98877c86595a8b0b8deb624547c3f407fb41550f65ff744c22f25c574994414a28e73f4d0794c5bd49be890fdac7906f0ba30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7d5ad4fcb493004ab85ae70ba8a35168

SHA1
732a2febe6bf05db53f0332aeda5aab8c168f841

SHA256
85a80f1f3f743cad87f286b715183319f44fa5876eee6372efdfc805c794a02b

SHA512
676f74db045eab4de07a18f4ae566dbdfa0c6312f5796cd3fe00227c98777ee20442bcdbe0e155d800f986e8eae0ddbc4fd43aba0f9df16a99716fd628f3676f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
62ed426881aea7eb07771f6c4c5ce695

SHA1
0c582e9aeb3aff170f023863420b7115fc3111c8

SHA256
9c6862cf06ddd4e78b369be6f74001beacc11a5d019831f08014c88eb4d39fa6

SHA512
a91c2fc98517bf285f7dc99f11cb031d411c8195c52365ee1e7d268fed04eae321478e46c30cc757c0d962a6f3a7030454dd3273786cfa1c80b3d47655b5f694

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f9a1d9b7fd306fc016de58326a8b65c

SHA1
b247409b683f0e1e827ad73e0268b2bbc85535d5

SHA256
dd2932188d58ee8a95a26f40e3cd95dd9849809d5aeb12b80998470fdbcf3aa5

SHA512
c7d69717546c0fda3ff56c776357a4f7c99d0e1d242f3f2a21338159834860b747c40aa7a8096d1b289b2ffcbda44264774c98877841e0e48a362b09097920c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
62ae72ed4feabce6714560fb0370fcd6

SHA1
24404a9cdd3773fd24dd89be0036ee6078d5597b

SHA256
218af526953c4e8e482349b7de678f5997c43693eff8dbea1458de2ebff89caf

SHA512
fb7ee3162da4ffc1dd7aaebdf6863cf12c553567589e6b6987e7c46779199748f2f1441062f9d6dc1df46eb998bf435c3e7493c3fd244a57a6123a35d14bb355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584ab0.TMP

Filesize
203B

MD5
3a96576a234d7c5825685c15d0ac0c0c

SHA1
e34bb67e4795dfe03ec019047dfa4eb40749a092

SHA256
1e10457b1aa180c8d23ab86b78a51cfd0899dbbcb5be7ca22035acfd5b61962f

SHA512
472cb16ac9baad2536678e5a67b9e8c60786b69c9c538144af089caeab51881eb07ae24d38748aabc95c6e96228b9da2e88b3e8cb314085a84891cc6e5f39723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
904c0b5e59ac00d53f7634530cdd1e7e

SHA1
96683710f4591f8dcf04d2bd25c5a9916ef08048

SHA256
1efd5e4c74f25dc99f3ff994481831792765f9adcebc36f5343c82289a7691ad

SHA512
a3f3aa807e17227589c19ee77dec03c119c093d17d391fba61067cdb88822f77629bffffe3c443ef6ae36ce7cda459a91b44c4b10f0628cc9aa4d2f7a3434dbe

Download Submit