hxxps://nam11[.]safelinks[.]protection[.]outlook[.]com/ap/t-59584e83/?url=https%3A%2F%2Fteams[.]microsoft[.]com%2Fl%2Fmeetup-join%2F19%253ameeting_MGJmMzA3NDYtZTNhNS00OWVmLThlNzAtNjVlOTEwNTA3M2I2%2540thread[.]v2%2F0%3Fcontext%3D%257b%2522Tid%2522%253a%252239dba476-5c09-4c63-91da-ce7a3ab5224d%2522%252c%2522Oid%2522%253a%2522277a49bd-3703-4ab3-ad2a-a8e584fe106d%2522%257d&data=05%7C01%7CABALL1-C%40txdot[.]gov%7C51dc114dd2f24428d2f008db8c853e41%7C39dba4765c094c6391dace7a3ab5224d%7C0%7C0%7C638258276127465207%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=WPC2pvLE3pOvctT4IjCTVVDUdQHITEPc4glIR8iYkmo%3D&xdata=Q1Q9MTY5MDMwNjEwNzI1MyZPUj1PdXRsb29rLUJvZHkmQ0lEPTgzMUQ5QjczLTAzODUtNEVCRi05RTU0LTlBQzBDNTFBNzQ0NA%3D%3D&reserved=0

Analysis

max time kernel
104s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://nam11.safelinks.protection.outlook.com/ap/t-59584e83/?url=https%3A%2F%2Fteams.microsoft.com%2Fl%2Fmeetup-join%2F19%253ameeting_MGJmMzA3NDYtZTNhNS00OWVmLThlNzAtNjVlOTEwNTA3M2I2%2540thread.v2%2F0%3Fcontext%3D%257b%2522Tid%2522%253a%252239dba476-5c09-4c63-91da-ce7a3ab5224d%2522%252c%2522Oid%2522%253a%2522277a49bd-3703-4ab3-ad2a-a8e584fe106d%2522%257d&data=05%7C01%7CABALL1-C%40txdot.gov%7C51dc114dd2f24428d2f008db8c853e41%7C39dba4765c094c6391dace7a3ab5224d%7C0%7C0%7C638258276127465207%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=WPC2pvLE3pOvctT4IjCTVVDUdQHITEPc4glIR8iYkmo%3D&xdata=Q1Q9MTY5MDMwNjEwNzI1MyZPUj1PdXRsb29rLUJvZHkmQ0lEPTgzMUQ5QjczLTAzODUtNEVCRi05RTU0LTlBQzBDNTFBNzQ0NA%3D%3D&reserved=0

Score

1^/10

Malware Config

Signatures

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1498570331-2313266200-788959944-1000\{4A698389-C869-481C-8082-81A2D513A0DB}	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
1184	msedge.exe
1184	msedge.exe
2480	identity_helper.exe
2480	identity_helper.exe
1648	msedge.exe
1648	msedge.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	1080	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1080	AUDIODG.EXE
Token: 33	3660	msedge.exe
Token: SeIncBasePriorityPrivilege	3660	msedge.exe
Token: 33	3660	msedge.exe
Token: SeIncBasePriorityPrivilege	3660	msedge.exe
Token: 33	3660	msedge.exe
Token: SeIncBasePriorityPrivilege	3660	msedge.exe
Token: 33	3660	msedge.exe
Token: SeIncBasePriorityPrivilege	3660	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 3172	1184	msedge.exe	85
PID 1184 wrote to memory of 3172	1184	msedge.exe	85
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 2576	1184	msedge.exe	88
PID 1184 wrote to memory of 4588	1184	msedge.exe	87
PID 1184 wrote to memory of 4588	1184	msedge.exe	87
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89
PID 1184 wrote to memory of 4104	1184	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://nam11.safelinks.protection.outlook.com/ap/t-59584e83/?url=https%3A%2F%2Fteams.microsoft.com%2Fl%2Fmeetup-join%2F19%253ameeting_MGJmMzA3NDYtZTNhNS00OWVmLThlNzAtNjVlOTEwNTA3M2I2%2540thread.v2%2F0%3Fcontext%3D%257b%2522Tid%2522%253a%252239dba476-5c09-4c63-91da-ce7a3ab5224d%2522%252c%2522Oid%2522%253a%2522277a49bd-3703-4ab3-ad2a-a8e584fe106d%2522%257d&data=05%7C01%7CABALL1-C%40txdot.gov%7C51dc114dd2f24428d2f008db8c853e41%7C39dba4765c094c6391dace7a3ab5224d%7C0%7C0%7C638258276127465207%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=WPC2pvLE3pOvctT4IjCTVVDUdQHITEPc4glIR8iYkmo%3D&xdata=Q1Q9MTY5MDMwNjEwNzI1MyZPUj1PdXRsb29rLUJvZHkmQ0lEPTgzMUQ5QjczLTAzODUtNEVCRi05RTU0LTlBQzBDNTFBNzQ0NA%3D%3D&reserved=0
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc42d46f8,0x7ffcc42d4708,0x7ffcc42d4718
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3568 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4270517729112358837,9817437819668019041,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:4844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1912

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x4f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8411007bafe7b1182af1ad3a1809b4f8

SHA1
4a78ee0762aadd53accae8bb211b8b18dc602070

SHA256
1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3

SHA512
909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
7b2d3db50db56ae195108541cbea157a

SHA1
f7db5e0fb8b5f101b58f9f43c4738a06e2b095e6

SHA256
bb40dc6023613a7e7b58ccc519c3d60350883370adca6e8a4a102fcb027d6a7e

SHA512
b15b9dfdd6b924e0078227d4a3683ecb74bec9f8d5d0af2246d154647e9e272727724397f755d11d7a9959ee06f21e90f3ae9314d6acaaada7ae41acb677ed95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
901B

MD5
79b2931513c6a9cbb38ceb98143cf185

SHA1
4cfa59cac6aefda9c6eaf9f58b08220006ba069e

SHA256
8878b6d1462028b4c5318c64496db7d6a84b1919ad06e0e54e8c752c5fe41ec6

SHA512
4ba191bc4499f6ba3219dc7abe89372d326a2d4aa6bce489bac5ad94018e58b69f9273e27918b020c06194584c0512a7ed7c2b54a2f97a683096a282cfb77268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
dd8d5a8bf29d78291cc024361477445b

SHA1
57ae9dcacc698856eebeef3becda1af03ed8e5df

SHA256
299437a77d237eaecb63a10a78ba9e1a099e37464ccecbf2c9e1d0bfcc73d064

SHA512
412f867172d5bed019bd5d938b0b07145f629e69204819217d3bbb58d3f0da5672c72efb50449c647bcbe5fec2979ea7d501fbf72d891f802fbe9c580586c33c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0692bfda2250d6aeecb33156834a4773

SHA1
e623d33f6c3a63e27f45b07f60682f7ae2451ec9

SHA256
8e1a1d08793b97b35d95f9492fb7e90d09fc456ff9928de36427c5daa883822b

SHA512
25d6bcbd89cbbd16d398a13dd0bc425257993e685e0c2599fcc8149d7b4a1cc79a813b8d4bd8288ddcd2a64a51e31ffca8402e789c00e267b620495b3b825074

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0359ef4ecdcb5d728c613b8b26fa2b8a

SHA1
45ea4ad58b69ac6f074aeb6cd5a8d33539ee05b5

SHA256
d18a4dca2985fd70e0ae60cf33931f4e53980af91f6945c587e7df328c5ef84d

SHA512
cecdbdca34bf5b8a9b6bb7eb830f18a298320ff45c9d7b7a03f8ba9ad55c3c7cc5a25f75d681429e9fcb3ecbddabd756080f252419cceaa0ec9e2c988104008d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
be1f5322fe1d095f9c5972943c5c5134

SHA1
75973c1da5500a8d54ce902b58b82342fa093d17

SHA256
11926e0c4318599b0cebea2fd399f7a5a801fe191bb405d6635bc2540c69ee2c

SHA512
7f9f2a029033dde4c1509712b2267155da2d0236c846054766b866ee1021a05afb6a4845334793b9706d06c4d658efeb6ad5b22e7f86a627106e54c2cc4ee5dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f1e5e1db2859fcf31001a59fefdcdc4c

SHA1
1d55ed95dddcdff279b706075eade1921d3c75c8

SHA256
afb7b754e9a09b90e1e55a669facd66b85c458f0872a17858446dd67dc40b9df

SHA512
8f90e0069083734b62336ce5b28ed53f46596531512bcfbe1a62bc01141d375c412d80e4fb8f983f5ae0d5a6807b7a8b81f8eeff309ff10f153e599569755cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6be8d975b6f5bc824db47afd8ee1b7ab

SHA1
77b8f7f609ad0475578a0c80174acc0a196fe5a7

SHA256
5c154a45ca2f84473a3801441d71bed0533f056f13b945f48f7c8d1e0821717e

SHA512
0f9a740c0e5ad521269462ed8b184dd1a0a0c345e23cd0c598c6ecf27fa649c2d07d914bd907ae538aeaf2c8b6b845ed5730e7a50ff218b6f19385d9eef74f51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8d6265511dc6bf0da987acd5b1ad8603

SHA1
0649b1bbbba787026a5555e408f611675d8745d4

SHA256
9807a3502c3665b40fdc2c4e533956d165e9874aea0b20bfe62c67374bdf15e7

SHA512
025bcebe72e2e4fdf30a2061d354e4fff92210e328c9e11ba69a50bb100e37090640e884113df8225763abde5b0a2c54ce497e431451ddc745eaeffae275851e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8caf4d73cc5a7d5e3fb3f9f1a9d4a0cc

SHA1
83f8586805286b716c70ddd14a2b7ec6a4d9d0fe

SHA256
0e0c905b688340512e84db6cf8af6dbdfe29195fefde15bd02e4917a2c5fda8c

SHA512
084ef25ea21ee1083735c61b758281ba84b607e42d0186c35c3700b24a176ada47bf2e76ed7dadd3846f2b458c977e83835ced01cda47cdd7ab2d00e5a1a294e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2b5c392d2730c0910fd56433cc5e73e510d0f2b4\598e0397-6b5c-4f5e-a9bf-735105ea9e65\index-dir\the-real-index

Filesize
120B

MD5
b1f3fb95641c683714c1dc8f127f7ef9

SHA1
70167f8a7bb531597a1455ce94ce65865d641bac

SHA256
ea6f8f2f443b3150e05e2feaa538c6e10f8ae9104afcf0a059256976f71610c7

SHA512
0298dedc9c2b390610b4a255474073230a0faa590c29687092f7fa8d559fa1519e02692bbc7e2f9fc19eca565cc2c3aa8d19667547670227928751ce6dca315a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2b5c392d2730c0910fd56433cc5e73e510d0f2b4\598e0397-6b5c-4f5e-a9bf-735105ea9e65\index-dir\the-real-index~RFe590edb.TMP

Filesize
48B

MD5
a146ec54ec1488cf60f2bfefcf716461

SHA1
8f9e7c94f281943bfabd3057292d73fdc544bcc8

SHA256
3642ea10c8b64ff6905e271c3670ce8c2ec5563f181c94463c562ccb7531bc82

SHA512
e85634b8cc085f739e296da63aca21b4251b8b4d592e5cc0ec125ee80fb4d72835b08b991c5abeb6eedd091101402eadd9242bd6af5a58f83e9464d064b893be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2b5c392d2730c0910fd56433cc5e73e510d0f2b4\index.txt

Filesize
109B

MD5
d122b3c63cbdb02e175ec2c0d56705aa

SHA1
f6f1fe9068fa83df3fbbdee7ab02fecc53fa7d38

SHA256
3b84bf1c95f10b7faa646b12efd43903098133ff303a1c3718c2ec0b29a4aee9

SHA512
852eba32be491d4024f7663dae126c79f1ff755fdb61d053d108d9f4a5e4b7c55374666427066464ab8ee1920706e3a48ae683c7efeef8a9e1dd07fa7662c303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2b5c392d2730c0910fd56433cc5e73e510d0f2b4\index.txt

Filesize
103B

MD5
ffb098827f40b266b2e118a3faecfd0e

SHA1
9ec473c4c6d6545229ba4d7717a5f8ebae261188

SHA256
5ea15459e66bc9d6da67925a497919bdc9eb67718cd98fbca73fa7e74379b024

SHA512
2a7d1dee96e02c42e02b754ad0b4dc526d2eb98ed99f92f5940f573604419418d6a4c2410d29ccce60be69c12e80ea460f8e73e6b1df1d5aa3e9c32590640074

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2348701c951cb1f0e2340b8153213994

SHA1
c3ac1f3a2dd30fe15f7cf69a26d51dbb6d3c435e

SHA256
ff562ad957af621d908483a0e4012d29d0de94a00e7f6848e021fcb68ab23e27

SHA512
226d85d6a5bc4c4b2c3d15085453c83f53c9e75925af1c804896a0a7e6c6d437b7fdf38aef91e6a3b6672f52535b9290f525ab6edc80a55e1112edfa2eb0f122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d3d28dacba05612eb21395f772502bd3

SHA1
662f73922c87decaf3d1d8001a7065486abebaba

SHA256
eb4c8ac7741aa48ba4070397b566a0a3960cbd332a1dca5f55c3a875a149c092

SHA512
aeb42e39f3d2bc433921d193a9e101cc89ad0d4338458446a443b4d5c13141ea3952e49988e4b83caadb3790ed10df45221dd30f6712d9f8d629d89b1d886edf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
212aa69cfc7b49263816e0efef29a850

SHA1
ae85563383607662593b1dff1e267e2a50741560

SHA256
480566d5596e28c97de0cb133cd9a4e987fada1f630f861c4c077dfb7a6e0fc0

SHA512
faf1066a8dd0948ff04528e80c18f5fdf662acb3381512d49b082d37011e926915e60023f397aeb7e8b82e580fa29a27a6054dc1d33f3af43e99800aac8040e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
417ef326714b94c006fb2cf7ca224d2a

SHA1
72ce4f601956515ecdbf4ab45c158cea57306374

SHA256
fb5628a74938d99d4b3ba2f0f40cdb30f70670c0b655bc0ded1834b8264a6f91

SHA512
849e2b8a81259c0cf170657e66de64e6090d1e52e7cce0f56fa962b9228573d57e52625dc9d3d37c0faf9e85ae44e3357a2af7af5d0b9f37a880c5868ad2456e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f981c228c593ae29e0296a8db1b2683d

SHA1
2628751c07f052fb19408a0bb0e68d364bf4530e

SHA256
91b00ec6142663bc31ad6122fd53d3df4617598aac18ea012470747a9ffa4d93

SHA512
0a578f22168864ec478db9470b580634ec29c2c1199b414b40af2368c397e0f42fe5a2bf3bd265ba759cf825f802c9315671d2be9e3fd6ef2466daea642d444b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1907d32bafbfa76f5625f637725f97fe

SHA1
4aa1fbf3393d79549505ad90a6c9946c57766de2

SHA256
ae0e69eb6a1c7ada1a7ca3271abc94dc7d8ab92e66df8625999bb6bff5392b91

SHA512
8347bf5a7d3f16c91ddf85cec0977426a4e40cca6aea31cfcac02d8d8ff8d9d35946e54614bed8da711da82bebc9a8dde34535dcf043c2e3ff6de359e69dea21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a2e2.TMP

Filesize
372B

MD5
50d5fe719bc74663cd44792ffa46ab90

SHA1
41753ea99f54a9180eb9ec6c08ef51815f6d66e1

SHA256
88d10aada81aadc567b948d129beacc1358bec97c383928c2aea52de48ec8f18

SHA512
3bfe488690cf0e9b7a05b5ec7c57d45ca64c92254c01fa4c8e50eb22244e10f35fd9287982eba89aaa9f205cbd9882629bd7a3668cbad9ccb7f021e0cf0db8ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a2b4a64726fcb997348a840cc778f113

SHA1
1ea5ca626b04e4f30bde7eb0c4c0d367d7ebaecf

SHA256
0de56ee9f5a9a87902bd715e6cf7b24faecaed70fc9f57ec62e1760ea5b4868b

SHA512
2a11635a0f4e9e964791c6d7f04aa679824a0f1b4083432d78b6f508c48bd920ce09c8d4d3bdb04c55836e33d08c20ce1dc97371542ffb3c915cc4918614d4cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c33fb4b2dfe5adc04fba0c9dd758c2d0

SHA1
f1e9e5ef822071d4fa05348da6c319921a8b6f03

SHA256
00356c6c9f3a2c31487cb9ffb84bd8ee49151dae345b070123de6a9ee8bbcf19

SHA512
919209cd5646d7a32de19071664ebd11ddbf6cd6ac2e3fdc065c4d08f444348485fc6cfe4195e5d7d050e302da65e53c2ea9b6bcfcb730803dc9cef42c96cfeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e7f540424dddfbcff0d4f5cbee5dc58f

SHA1
6fd11b2880c5b101db3f69a4d19b77d225f329fa

SHA256
c51c520f48efcb979e2d83c2cd5d6698256389e1eac4f0caa6780c63a70e4da5

SHA512
d5282c1d01fafef7f11e4ff46613725a649324bde0d5aa897f17c1b45103075354c6cf456b16716e788929e71f8148501ee45799b89776e819b20ba98e4724ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
10c5907b76e16d54a61490f593b5ea7d

SHA1
416d0bd1a326ef36caabca0ec43ff3a2fead4586

SHA256
e821251879463357a6e115f3acf396974b2fedb8d9d4c231ed3d9e30b1b406bb

SHA512
4159e29654734b3ed70857c1874fd8d33fcb67169f065cc0e478173a98d74dc63cdad97e29a80abf4b9cd2541b2664b9356fe6b4cc977171793d367eb8c1a35e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit