hxxp://webview-formulier[.]dns[.]army

Resubmissions

07/08/2023, 13:03

230807-qae4jafd27 1

07/08/2023, 12:57

230807-p7ezcsgf3w 1

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2023, 12:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://webview-formulier.dns.army

Score

1^/10

Malware Config

Signatures

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4312	msedge.exe
4312	msedge.exe
1420	msedge.exe
1420	msedge.exe
4580	identity_helper.exe
4580	identity_helper.exe
2868	msedge.exe
2868	msedge.exe
5096	msedge.exe
5096	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2868	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 820	1420	msedge.exe	82
PID 1420 wrote to memory of 820	1420	msedge.exe	82
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 60	1420	msedge.exe	85
PID 1420 wrote to memory of 4312	1420	msedge.exe	84
PID 1420 wrote to memory of 4312	1420	msedge.exe	84
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86
PID 1420 wrote to memory of 1268	1420	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://webview-formulier.dns.army
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6cc046f8,0x7ffc6cc04708,0x7ffc6cc04718
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1796 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4364 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,13420708257796076791,9498027989999734574,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1328 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f6f47b83c67fe32ee32811d6611d269c

SHA1
b32353d1d0ed26e0dd5b5f1f402ffd41a105d025

SHA256
ac1866f15ff34d1df4dafa761dbb7dc2c712fe01ac0e171706ef29e205549cbc

SHA512
6ee068efa9fbd3c972169427be2f6377a1204bf99b61579e4d78643e89e729ad65f2abcc70007fd0dd38428e7cd39010a253d6f9cd5e90409e207ddaf5d6720d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
0801594d92680b6fc59dec8f13976853

SHA1
566d89f2006b7efb351c35dbceaeabf8c388df7d

SHA256
e28f43b82ac06d6fe484c0c40c0a55032564c8566ffa84b1a6e30ba01e563b41

SHA512
f16d099c063162e20c57a1c327e2a5c4bdb097a80701b8937370bf8a83f2cae68f31e7f86fd41f13418d9f3517d02d02bcea06f4caac3143b5c2d727ef4c5407

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
1ea1df2aa964bccee759f87126603cc6

SHA1
fd89372d88ed4e4d9be70852cf16b389d9e3f9ad

SHA256
d66202501a560d88c87b9deac98544130adc5773d94148f1c36bc92b138a720c

SHA512
9b2101d6be95d496421b701d88b02e0e2a8c4eef4d27891c7659fe2126a1372a94ee64573bf82b5ec76130989e16c530aaf442d4ed3c87e252d346a3a3c6e874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
790B

MD5
ab527e8f43520d61a857d5d373b89e60

SHA1
0108490cc0def4734882c6f97cf7f705bf873dcc

SHA256
7cbe5f7ba999b9afe0f02255e882b69c265e325ba62a2844fcd6139f97e45e24

SHA512
1392dc82923826ea75a492ca3022d24403ca25c5d27ae6e399f420f99fec7416e20e629482291d84e9203662701e291a9b909e19c2f7a8b3a7fa3246445a9e02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
852B

MD5
99077f3ef0cc48629511ae862d5bd2a4

SHA1
9ca8848fea98e3a0af6b5a73c11e85ba1e7bcf9b

SHA256
ef4aa67b87fb455d346016caf27e85d84d08fe4c7a23e4e47045aae88684b097

SHA512
4338b1df92d5168d7c2a859e43793651c6ea9f97b0007062f8afa46d0d93a41766f3dd7ef45caa2939a39acdfaced326afe3574171557803d1a9eb4a230bcabb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6dced155ba447a5e40e80f7331a265e5

SHA1
c0b31298a71f4e4d69e3dbcad0975408296d4106

SHA256
2a78c65962f2c654d360f607508233076f864dbe155d1b1f9379bf2fed11aff9

SHA512
e886ad1c23369189e3ee4a21fd685e23cad9712e3f1bc2a00fb584eb16b15c743e8f8d22fb99892506dbb4a592d4ef0828c8a52b070cacc31a31da508405e563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e0cf12d0a6019d994132075a7cef40b

SHA1
9ddfbd10147cf0f769097a8b44a647b766c1f4bb

SHA256
15c4b33d52d279718fe4b6d55f960d81188eb720d82f9be10b7c019ad9627192

SHA512
f591b8e47a7dfc31c8acc21c8e9ac23d68fcac941596bed8c8d52b962cce72b14507953f4e18ce426860f368785f756d14af85da30a3a4e048435f966dcc6bab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6552b16abcb3897cb698bdfed4ad3145

SHA1
08e07f5d4cc7522cb3061131ed74a2557982bdeb

SHA256
3d879a5e1ed3e288597c48e74ff4edd04c44156b850961e9db873011bca445ba

SHA512
b2e262bcc072c1c586385bd77d8e875517ed2f943e7bf945cec0f33c555cd3c225d7368440cb8f13a44a848aa93e77e05f2e1ec5821382d679ebfa88656b450b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9a0a6ebf5821092dd238b6f125194588

SHA1
3a82b720650b803a660bc30e9c19a4eefabc4bdc

SHA256
2d337e6d44474a936ba06fa498e3fc492e55c5fa4dc7a4ba3431d168111906f5

SHA512
f7475b20e8ddb94a5ee4e108fb879c48d856b97bca03491e7d85559557ed595012f30031430864e8098e3357ad47f9dc6a42a49be6b0b91dbe6219184b028ca4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5544c64f2a8f49dabc19eb84267b1c9b

SHA1
c5b78d63a8bab1c7b985f7ea2f268d0d7809071e

SHA256
a1fcfee2974a77e76a7431a2069db301861ab42dd41769cead8697f41f5a497f

SHA512
38c80d7c810441fc87beff38929473088cf426b0a25a30820d8a060f493350d99bb8521b314afe00578ea54648fce2aa4e55880a83a4f1048c56307991726565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
abf63a0ffd8607e9a74a776bb7cec0e8

SHA1
8862ac7676b61c344a2b5d1901392a1c2c55aa77

SHA256
50086bb637385f2da899cb77411088b2a340cce32886ed2007b09f02cfe2935d

SHA512
4843533cf0a7da971bf9f0508b5c53227d0622be63b2fb4108c13e60450e1c9b863b079a771dded608f99c914f68045033aed737d4121b70609ee03e555be373

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592522.TMP

Filesize
372B

MD5
6fa85c2f9441113cb0579d88e9483df5

SHA1
ac54c9d8f674fa8a2ba23c925dcb21f1a1891677

SHA256
a8199fa17d13d0c499043601d0e2ac39da2c79ff7e0a616514e0661c9ea558c2

SHA512
28dde4e2dbe448dcd5aa996106d50e2d0272e371c5c4c98482065d1e27adadd1bc51bcd13600625a1e10e296fc34af7a22c376d9aa458be3b087bc8fcb6b2b09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bdd39979-74be-4bee-9d75-036465ffc8ea.tmp

Filesize
5KB

MD5
729aa60edade925c8552590d4b1fe733

SHA1
e721181d59e4831097cf11ee189b80fe6285d988

SHA256
bce6bedd333b5bc68e41df5886c5dd9638f2a292c731c38db1a301631298391c

SHA512
99a54665e73e8399edb2357fac3db80fa73ec559acd822540c04ea573036ac482d35fcaf48d7cec23f23a2344a8eb38ea3df75c60511288d6d5072ef440ae613

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
844cf603c1aaefccfc5186f5d6f468e4

SHA1
3e059b827218a0e1bd8e7dbc8336aa75c7799dd6

SHA256
6fbdb5202e7d645e44450108cc0c0a6488f6175b48888365c7a4ea8b872e4b16

SHA512
4b6f479921ccfc202081696fe3144a8a344baddf4878beaec57c3e620c031c2c248fd77c7e1608f257aaf4024755c06631f1c6fc06d241e39ae831b054a44a08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
36038576040a6ee5779c7f17c751d4c3

SHA1
d0046d6c2d63bad7a6220ca5f813e4c3e035793b

SHA256
1eceff44c211a179f4f1d52acec77477a5259b4c21db061ade3d33870062a6ee

SHA512
46ee25f6215fd4ae2a4af55b01a98129d9981bc7510a34eab4b64505971d956f5d41187e53901ceb89d47b64206575b5c645bcf8d1b07f03b5d8b10bed6bfd19

Download Submit