hxxps://drive[.]google[.]com/uc?id=13GcL47wYT-uIofyROKnVhdx1p9_QfApr&export=download

Analysis

max time kernel
145s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=13GcL47wYT-uIofyROKnVhdx1p9_QfApr&export=download

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
17	drive.google.com
18	drive.google.com
19	drive.google.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4D22B8A1-D816-11EF-A4B7-D2BD7E71DA05} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31157283"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "570517023"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008feab3899d6f0040b0c13684496d5c5700000000020000000000106600000001000020000000eb1e837b0e9104fe8f04ded3e0de7365c1766dfda6c8043dbd3a20d6a7b87341000000000e800000000200002000000088f8addf170c8a843799edec20aaba5a2c069b8fc7709f5a4a5622f0c09405c92000000084a1b10df2e040c8c977370298295cb0141138b7496b82f57e9c411d28522038400000006d81e13f7b4af05ffd4bf28a21c15d329a70a85a892a7497f59fdf737ba751a59764f3ff63fdb03db26090d5a1868f51fb3aec883065c3fcaa0d207ca65db9dd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "562235259"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31157283"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90314b22236cdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80ec4f22236cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444242551"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008feab3899d6f0040b0c13684496d5c5700000000020000000000106600000001000020000000be4c96bc3b04f72235bc651dd54203a594d4d5da20d6051ed014ebea5d75ad5b000000000e800000000200002000000049b360308b39505e19dfbc73f045e83cfdca6cc3f75d8a986b07ebba4b1fa6ae2000000083613d090c8dbe4f1bd694ff38f8d0b7fffaf064f3f31cec4616bb3f1f7f50d54000000034511f42414205569524f7da9e170de97c26cdfd68fe46d8c6714d4142f623415471e0160daf6b73525d80ab969f0afedc98c6534727ee583bab55743ee53217	iexplore.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3088	msedge.exe
3088	msedge.exe
1096	msedge.exe
1096	msedge.exe
4444	msedge.exe
4444	msedge.exe
3168	identity_helper.exe
3168	identity_helper.exe
3576	mspaint.exe
3576	mspaint.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4548	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	3704	svchost.exe
Token: SeRestorePrivilege	3704	svchost.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
2144	iexplore.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
3576	mspaint.exe
4548	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
2144	iexplore.exe
2144	iexplore.exe
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 5052	1096	msedge.exe	84
PID 1096 wrote to memory of 5052	1096	msedge.exe	84
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 4152	1096	msedge.exe	85
PID 1096 wrote to memory of 3088	1096	msedge.exe	86
PID 1096 wrote to memory of 3088	1096	msedge.exe	86
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87
PID 1096 wrote to memory of 4884	1096	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/uc?id=13GcL47wYT-uIofyROKnVhdx1p9_QfApr&export=download
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc634746f8,0x7ffc63474708,0x7ffc63474718
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,9182029136053205921,1890951958156647743,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,9182029136053205921,1890951958156647743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,9182029136053205921,1890951958156647743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9182029136053205921,1890951958156647743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9182029136053205921,1890951958156647743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2012,9182029136053205921,1890951958156647743,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9182029136053205921,1890951958156647743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2012,9182029136053205921,1890951958156647743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,9182029136053205921,1890951958156647743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,9182029136053205921,1890951958156647743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9182029136053205921,1890951958156647743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9182029136053205921,1890951958156647743,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9182029136053205921,1890951958156647743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9182029136053205921,1890951958156647743,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,9182029136053205921,1890951958156647743,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3172 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1240

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\CliniqueMonSourire_Logo_FR_Turq-Gris.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3704
- C:\Windows\system32\dashost.exe
  dashost.exe {1bb87cda-0d54-4222-813ca546cbbffaba}
  2⤵
  PID:4464

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4596
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\CliniqueMonSourire_Logo_FR_Turq-Gris.png
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2144
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
512B

MD5
539b5bc41ceaebc7300c85f3f79618c4

SHA1
49f1c082945c05a2be9d9ed4361e0c521c779ea7

SHA256
f4fe5b8db3e07214de561736cb698a2455129fa5cbce70e5238e0ac8b3c68ba0

SHA512
746f694b9f1f58bfccf765f8b5a97cbab0e37023eb363109dc9febe12f97cb765ecc0df246edc602da7df16901578d9a90579acee4f4b233bd83f7ca1834afe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98f415db17505aa06c6946182443f16b

SHA1
5cb0e4e7f97a8e61497f74b8dfd598df199a4438

SHA256
dc4b58f811d13a80e669d7283293d2e058a7ab673ff0703fbcb33eaa960aa5d3

SHA512
2a6d720b64289b12302086c0e3cdf5b56341cd253497e863b5564d13476fc93c4f13d03392c895d41cebb3eee20cdcfbae08a4c2d526217567e75ac80b545070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bde8a0b23699c4fff7e06f496da43762

SHA1
e5c20b85b8eb41539e9f66904ab3ea4044187dc2

SHA256
c017158b5b36d0db52f82612888d70e514f3b98d43e9c1ba201463ab0b849f98

SHA512
c34e885519f1cb0811a56dc3294172f7e25a51e4cf620da053c35b5e341dc205dcec0deaae7acb0f9123daa3870dec7de1b26727d55b04866405bbe84a99fd8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c26406dcb08c7c1b364589320dd514e2

SHA1
471165c6bb1ab64f4fbe52756f316a3fc0491606

SHA256
93b39638172e63805929fb45fcdf16e7744f6973614178def888afdf0c067101

SHA512
a45302231421ef28acab99a47e49aee9a5428e75f21cb41342bff2f10720e0ea003ea64bc5d9cbee478d41c282a1373bf6e003e84a25538298e91ea03ea07fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
78c24aa3b3408461960f08c2858706db

SHA1
5fff74618db3c528b6d67327ba167e172a742f07

SHA256
5469b2aede7d0312350f6db24792c4de7b12cc63d838fa87e4e82aa9c719b288

SHA512
83f692a13f7fc5bb50fbe0bb52a203b6e56114ca1d4c4cb68959b9aa331c59d82c77fc293c157a77fd2fc03acf1cd39ad94677910a9688031d0def734781709f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\Downloads\CliniqueMonSourire_Logo_FR_Turq-Gris.png.crdownload

Filesize
35KB

MD5
14f5d64b46c002ace4706a1b6ac536f5

SHA1
eea236652726566928f20194a5fcb84901b0361a

SHA256
6daf870effcae8f2640afd1c8a46b514f9afca0af4cd3366c84ed83c6c555a5a

SHA512
9dbaf1e2c6948b82c93bf344e889ce2565dce20070892529c760277db5f64e15a4eb0167e7a43f5b3408fc11cb981dc9dafaf497fadfa2ad883e0c8c750e1c2b

Download Submit
memory/3064-85-0x000002185A170000-0x000002185A180000-memory.dmp

Filesize
64KB

Download
memory/3064-93-0x00000218624D0000-0x00000218624D1000-memory.dmp

Filesize
4KB

Download
memory/3064-95-0x00000218624D0000-0x00000218624D1000-memory.dmp

Filesize
4KB

Download
memory/3064-96-0x0000021862560000-0x0000021862561000-memory.dmp

Filesize
4KB

Download
memory/3064-97-0x0000021862560000-0x0000021862561000-memory.dmp

Filesize
4KB

Download
memory/3064-98-0x0000021862570000-0x0000021862571000-memory.dmp

Filesize
4KB

Download
memory/3064-99-0x0000021862570000-0x0000021862571000-memory.dmp

Filesize
4KB

Download
memory/3064-91-0x0000021862450000-0x0000021862451000-memory.dmp

Filesize
4KB

Download
memory/3064-80-0x00000218597C0000-0x00000218597D0000-memory.dmp

Filesize
64KB

Download