hxxps://attachment[.]outlook[.]live[.]net/owa/MSA%3Aslashcd%40msn[.]com/service[.]svc/s/GetAttachmentThumbnail?id=AQMkADAwATIwMTAwAC0wMjZhLTQzMwA3LTAwAi0wMAoARgAAAxnIQ%2BAonkJLs7y5%2FimKkiYHACVFx8Kbel1Eo1CrtcR%2B7vQAAAIBDAAAACVFx8Kbel1Eo1CrtcR%2B7vQABVOhgLAAAAABEgAQACK8WD%2BXXO1IlmAItqRxLHI%3D&thumbnailType=2&isc=1&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjczRkI5QkJFRjYzNjc4RDRGN0U4NEI0NDBCQUJCMTJBMzM5RDlGOTgiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJjX3VidnZZMmVOVDM2RXRFQzZ1eEtqT2RuNWcifQ[.]eyJvcmlnaW4iOiJodHRwczovL291dGxvb2subGl2ZS5jb20iLCJ1YyI6IjU1YTA4MTYzZmRmZDRhOWViOTA1ZTVhNmRhY2Y5YTFiIiwidmVyIjoiRXhjaGFuZ2UuQ2FsbGJhY2suVjEiLCJhcHBjdHhzZW5kZXIiOiJPd2FEb3dubG9hZEA4NGRmOWU3Zi1lOWY2LTQwYWYtYjQzNS1hYWFhYWFhYWFhYWEiLCJpc3NyaW5nIjoiV1ciLCJhcHBjdHgiOiJ7XCJtc2V4Y2hwcm90XCI6XCJvd2FcIixcInB1aWRcIjpcIjU2NDA0OTUwNTU2NzU0M1wiLFwic2NvcGVcIjpcIk93YURvd25sb2FkXCIsXCJvaWRcIjpcIjAwMDIwMTAwLTAyNmEtNDMzNy0wMDAwLTAwMDAwMDAwMDAwMFwiLFwicHJpbWFyeXNpZFwiOlwiUy0xLTI4MjctMTMxMzI4LTQwNTE4NDU1XCJ9IiwibmJmIjoxNjg2MTQ0NzU0LCJleHAiOjE2ODYxNDUzNTQsImlzcyI6IjAwMDAwMDAyLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMEA4NGRmOWU3Zi1lOWY2LTQwYWYtYjQzNS1hYWFhYWFhYWFhYWEiLCJhdWQiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDAvYXR0YWNobWVudC5vdXRsb29rLmxpdmUubmV0QDg0ZGY5ZTdmLWU5ZjYtNDBhZi1iNDM1LWFhYWFhYWFhYWFhYSIsImhhcHAiOiJvd2EifQ[.]CTy1fnxAjdX9i5tEOxFy6dDWdp6VADk0m7Zl4af4ScyJCqvol75qt9sc6GxhQYp3zZY8NcHq8aCaYNnaeAQ22AwbLLO0kO7hk6DXBDf05OhFXLKuHtQWXutPvsv-sZGizz1sSuSUa20bf9zagRcKlcMXAJ7k2hGyB2fepcNbwwk0UBW6J-rdal_QlhQNgrSK2sM-lL49OPZITXC-YwcydK1kNYBkbSVslVdWeccEonbW0lXhaDWUudwfOmK_n2RFXxP6zvWPIWlSaejsIbLDxy3CVAwGSIj-8VGAUNVLRYcNl43_f6lmjRkhmnmIGCGQQxeJ3XLKrU1Y4rgluIJ2zQ&X-OWA-CANARY=g5-qBBxQZEWVSCfXPxaSTNBCs0tcZ9sYhDMee5J_wSFib-NLzISbykq7goc6aMM6vdbpvzRPDgY[.]&owa=outlook[.]live[.]com&scriptVer=20230526012[.]07&animation=true

Analysis

max time kernel
146s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 07:27

Sharing

Behavioral task

behavioral1

Sample

https://attachment.outlook.live.net/owa/MSA%3Aslashcd%40msn.com/service.svc/s/GetAttachmentThumbnail?id=AQMkADAwATIwMTAwAC0wMjZhLTQzMwA3LTAwAi0wMAoARgAAAxnIQ%2BAonkJLs7y5%2FimKkiYHACVFx8Kbel1Eo1CrtcR%2B7vQAAAIBDAAAACVFx8Kbel1Eo1CrtcR%2B7vQABVOhgLAAAAABEgAQACK8WD%2BXXO1IlmAItqRxLHI%3D&thumbnailType=2&isc=1&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjczRkI5QkJFRjYzNjc4RDRGN0U4NEI0NDBCQUJCMTJBMzM5RDlGOTgiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJjX3VidnZZMmVOVDM2RXRFQzZ1eEtqT2RuNWcifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2subGl2ZS5jb20iLCJ1YyI6IjU1YTA4MTYzZmRmZDRhOWViOTA1ZTVhNmRhY2Y5YTFiIiwidmVyIjoiRXhjaGFuZ2UuQ2FsbGJhY2suVjEiLCJhcHBjdHhzZW5kZXIiOiJPd2FEb3dubG9hZEA4NGRmOWU3Zi1lOWY2LTQwYWYtYjQzNS1hYWFhYWFhYWFhYWEiLCJpc3NyaW5nIjoiV1ciLCJhcHBjdHgiOiJ7XCJtc2V4Y2hwcm90XCI6XCJvd2FcIixcInB1aWRcIjpcIjU2NDA0OTUwNTU2NzU0M1wiLFwic2NvcGVcIjpcIk93YURvd25sb2FkXCIsXCJvaWRcIjpcIjAwMDIwMTAwLTAyNmEtNDMzNy0wMDAwLTAwMDAwMDAwMDAwMFwiLFwicHJpbWFyeXNpZFwiOlwiUy0xLTI4MjctMTMxMzI4LTQwNTE4NDU1XCJ9IiwibmJmIjoxNjg2MTQ0NzU0LCJleHAiOjE2ODYxNDUzNTQsImlzcyI6IjAwMDAwMDAyLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMEA4NGRmOWU3Zi1lOWY2LTQwYWYtYjQzNS1hYWFhYWFhYWFhYWEiLCJhdWQiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDAvYXR0YWNobWVudC5vdXRsb29rLmxpdmUubmV0QDg0ZGY5ZTdmLWU5ZjYtNDBhZi1iNDM1LWFhYWFhYWFhYWFhYSIsImhhcHAiOiJvd2EifQ.CTy1fnxAjdX9i5tEOxFy6dDWdp6VADk0m7Zl4af4ScyJCqvol75qt9sc6GxhQYp3zZY8NcHq8aCaYNnaeAQ22AwbLLO0kO7hk6DXBDf05OhFXLKuHtQWXutPvsv-sZGizz1sSuSUa20bf9zagRcKlcMXAJ7k2hGyB2fepcNbwwk0UBW6J-rdal_QlhQNgrSK2sM-lL49OPZITXC-YwcydK1kNYBkbSVslVdWeccEonbW0lXhaDWUudwfOmK_n2RFXxP6zvWPIWlSaejsIbLDxy3CVAwGSIj-8VGAUNVLRYcNl43_f6lmjRkhmnmIGCGQQxeJ3XLKrU1Y4rgluIJ2zQ&X-OWA-CANARY=g5-qBBxQZEWVSCfXPxaSTNBCs0tcZ9sYhDMee5J_wSFib-NLzISbykq7goc6aMM6vdbpvzRPDgY.&owa=outlook.live.com&scriptVer=20230526012.07&animation=true

Resource

win10v2004-20230703-en

windows10-2004-x64

5 signatures

150 seconds

Report Analysis Logs

General

Target

https://attachment.outlook.live.net/owa/MSA%3Aslashcd%40msn.com/service.svc/s/GetAttachmentThumbnail?id=AQMkADAwATIwMTAwAC0wMjZhLTQzMwA3LTAwAi0wMAoARgAAAxnIQ%2BAonkJLs7y5%2FimKkiYHACVFx8Kbel1Eo1CrtcR%2B7vQAAAIBDAAAACVFx8Kbel1Eo1CrtcR%2B7vQABVOhgLAAAAABEgAQACK8WD%2BXXO1IlmAItqRxLHI%3D&thumbnailType=2&isc=1&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjczRkI5QkJFRjYzNjc4RDRGN0U4NEI0NDBCQUJCMTJBMzM5RDlGOTgiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJjX3VidnZZMmVOVDM2RXRFQzZ1eEtqT2RuNWcifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2subGl2ZS5jb20iLCJ1YyI6IjU1YTA4MTYzZmRmZDRhOWViOTA1ZTVhNmRhY2Y5YTFiIiwidmVyIjoiRXhjaGFuZ2UuQ2FsbGJhY2suVjEiLCJhcHBjdHhzZW5kZXIiOiJPd2FEb3dubG9hZEA4NGRmOWU3Zi1lOWY2LTQwYWYtYjQzNS1hYWFhYWFhYWFhYWEiLCJpc3NyaW5nIjoiV1ciLCJhcHBjdHgiOiJ7XCJtc2V4Y2hwcm90XCI6XCJvd2FcIixcInB1aWRcIjpcIjU2NDA0OTUwNTU2NzU0M1wiLFwic2NvcGVcIjpcIk93YURvd25sb2FkXCIsXCJvaWRcIjpcIjAwMDIwMTAwLTAyNmEtNDMzNy0wMDAwLTAwMDAwMDAwMDAwMFwiLFwicHJpbWFyeXNpZFwiOlwiUy0xLTI4MjctMTMxMzI4LTQwNTE4NDU1XCJ9IiwibmJmIjoxNjg2MTQ0NzU0LCJleHAiOjE2ODYxNDUzNTQsImlzcyI6IjAwMDAwMDAyLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMEA4NGRmOWU3Zi1lOWY2LTQwYWYtYjQzNS1hYWFhYWFhYWFhYWEiLCJhdWQiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDAvYXR0YWNobWVudC5vdXRsb29rLmxpdmUubmV0QDg0ZGY5ZTdmLWU5ZjYtNDBhZi1iNDM1LWFhYWFhYWFhYWFhYSIsImhhcHAiOiJvd2EifQ.CTy1fnxAjdX9i5tEOxFy6dDWdp6VADk0m7Zl4af4ScyJCqvol75qt9sc6GxhQYp3zZY8NcHq8aCaYNnaeAQ22AwbLLO0kO7hk6DXBDf05OhFXLKuHtQWXutPvsv-sZGizz1sSuSUa20bf9zagRcKlcMXAJ7k2hGyB2fepcNbwwk0UBW6J-rdal_QlhQNgrSK2sM-lL49OPZITXC-YwcydK1kNYBkbSVslVdWeccEonbW0lXhaDWUudwfOmK_n2RFXxP6zvWPIWlSaejsIbLDxy3CVAwGSIj-8VGAUNVLRYcNl43_f6lmjRkhmnmIGCGQQxeJ3XLKrU1Y4rgluIJ2zQ&X-OWA-CANARY=g5-qBBxQZEWVSCfXPxaSTNBCs0tcZ9sYhDMee5J_wSFib-NLzISbykq7goc6aMM6vdbpvzRPDgY.&owa=outlook.live.com&scriptVer=20230526012.07&animation=true

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
820	msedge.exe
820	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
2560	identity_helper.exe
2560	identity_helper.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 2212	4104	msedge.exe	72
PID 4104 wrote to memory of 2212	4104	msedge.exe	72
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 1084	4104	msedge.exe	84
PID 4104 wrote to memory of 820	4104	msedge.exe	83
PID 4104 wrote to memory of 820	4104	msedge.exe	83
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85
PID 4104 wrote to memory of 2384	4104	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://attachment.outlook.live.net/owa/MSA%3Aslashcd%40msn.com/service.svc/s/GetAttachmentThumbnail?id=AQMkADAwATIwMTAwAC0wMjZhLTQzMwA3LTAwAi0wMAoARgAAAxnIQ%2BAonkJLs7y5%2FimKkiYHACVFx8Kbel1Eo1CrtcR%2B7vQAAAIBDAAAACVFx8Kbel1Eo1CrtcR%2B7vQABVOhgLAAAAABEgAQACK8WD%2BXXO1IlmAItqRxLHI%3D&thumbnailType=2&isc=1&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjczRkI5QkJFRjYzNjc4RDRGN0U4NEI0NDBCQUJCMTJBMzM5RDlGOTgiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJjX3VidnZZMmVOVDM2RXRFQzZ1eEtqT2RuNWcifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2subGl2ZS5jb20iLCJ1YyI6IjU1YTA4MTYzZmRmZDRhOWViOTA1ZTVhNmRhY2Y5YTFiIiwidmVyIjoiRXhjaGFuZ2UuQ2FsbGJhY2suVjEiLCJhcHBjdHhzZW5kZXIiOiJPd2FEb3dubG9hZEA4NGRmOWU3Zi1lOWY2LTQwYWYtYjQzNS1hYWFhYWFhYWFhYWEiLCJpc3NyaW5nIjoiV1ciLCJhcHBjdHgiOiJ7XCJtc2V4Y2hwcm90XCI6XCJvd2FcIixcInB1aWRcIjpcIjU2NDA0OTUwNTU2NzU0M1wiLFwic2NvcGVcIjpcIk93YURvd25sb2FkXCIsXCJvaWRcIjpcIjAwMDIwMTAwLTAyNmEtNDMzNy0wMDAwLTAwMDAwMDAwMDAwMFwiLFwicHJpbWFyeXNpZFwiOlwiUy0xLTI4MjctMTMxMzI4LTQwNTE4NDU1XCJ9IiwibmJmIjoxNjg2MTQ0NzU0LCJleHAiOjE2ODYxNDUzNTQsImlzcyI6IjAwMDAwMDAyLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMEA4NGRmOWU3Zi1lOWY2LTQwYWYtYjQzNS1hYWFhYWFhYWFhYWEiLCJhdWQiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDAvYXR0YWNobWVudC5vdXRsb29rLmxpdmUubmV0QDg0ZGY5ZTdmLWU5ZjYtNDBhZi1iNDM1LWFhYWFhYWFhYWFhYSIsImhhcHAiOiJvd2EifQ.CTy1fnxAjdX9i5tEOxFy6dDWdp6VADk0m7Zl4af4ScyJCqvol75qt9sc6GxhQYp3zZY8NcHq8aCaYNnaeAQ22AwbLLO0kO7hk6DXBDf05OhFXLKuHtQWXutPvsv-sZGizz1sSuSUa20bf9zagRcKlcMXAJ7k2hGyB2fepcNbwwk0UBW6J-rdal_QlhQNgrSK2sM-lL49OPZITXC-YwcydK1kNYBkbSVslVdWeccEonbW0lXhaDWUudwfOmK_n2RFXxP6zvWPIWlSaejsIbLDxy3CVAwGSIj-8VGAUNVLRYcNl43_f6lmjRkhmnmIGCGQQxeJ3XLKrU1Y4rgluIJ2zQ&X-OWA-CANARY=g5-qBBxQZEWVSCfXPxaSTNBCs0tcZ9sYhDMee5J_wSFib-NLzISbykq7goc6aMM6vdbpvzRPDgY.&owa=outlook.live.com&scriptVer=20230526012.07&animation=true
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdadab46f8,0x7ffdadab4708,0x7ffdadab4718
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,13485678940131495316,7581537538136084002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,13485678940131495316,7581537538136084002,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,13485678940131495316,7581537538136084002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,13485678940131495316,7581537538136084002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,13485678940131495316,7581537538136084002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,13485678940131495316,7581537538136084002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,13485678940131495316,7581537538136084002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,13485678940131495316,7581537538136084002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,13485678940131495316,7581537538136084002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,13485678940131495316,7581537538136084002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,13485678940131495316,7581537538136084002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,13485678940131495316,7581537538136084002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,13485678940131495316,7581537538136084002,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5340 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7ad9bb1054aa03e39b3554833d0c3ec

SHA1
cbd5b99ca100bc2f1292df23bf8e2a5a6f9640d9

SHA256
0c3eae39386b4117ad26187afc4933e254468cd12d813271f4b7420cee73c189

SHA512
d1d0b77e0bc412b4ee687e849531a7c9b70200d45d0bdbf38357b6fc59af835522e749b2fd8c2d4cde73518970568c38d73416c97381a11cc6029c14b1678276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
686B

MD5
4975e3579e682648e635e48612c8ff75

SHA1
0e4aad13a03bfa417f5a891d313cdf53efe9c7ba

SHA256
9901fd32d824edce0ba02175eae33380266073c892b8483537eeb8e5b7d25bea

SHA512
8ecc97149bd5d16f9b79b002966b76aaedb7ebe6245b4b6c30c2e597a1b6539239e7e83fad9a928f9126b54114a6c2faca45bed4006a569eefeb99a0cfd037f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8d9db0462efcda01f69bc7c201e2b335

SHA1
709e791ba6011859ac030e4563937be5a268c663

SHA256
a38587d0e10d1b090d35c6937e2eeee3a8cc8247694272b33e51c991af313cfd

SHA512
fad839a5387e65e6ca6450390a01d0a5c1fb539219d423ed77c9268fc48e09878fefcfcac2a847320e60296a10bdf81ad0042333a59a01b03b2b6f25394c9c47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1991e760520a7f6c306340a0f6236376

SHA1
1057edd168edf2bbf942f3b3d2c7f97c6320b0b5

SHA256
d0d428245f9cb32de28ce8fe4e2116bfc585388780f18ff08409656e82cb08c9

SHA512
f40bf066c22cce8d5b85f98c95d59e61245e0da3b2f7ead28700eb5e41755072665ed71fbf434c4bfe0211339e071d5221df66f23e4233238a7a67244a811c96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
caefbe71cee6056094b7d38c7857cdec

SHA1
2fa2d6fbafec20428d966bfabe8fc9d237ac98c1

SHA256
0ec1be74c2d75d3884758f9cf11eac9976f195b7a71ddcec354ee8d489d271f0

SHA512
37949b8ec8e8eff744369c1fdbc857c587d418d9e0d181bbce95f592bc88ff7dbf19ab1d58e64b9e7b147ef098547770084bd5def46c13c48baa041ce0d241e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e62cc4051e1f8eaa0abda5d730a2496b

SHA1
d15346e40b196bc313cbfe5ac96b3c90b83345be

SHA256
ffb5b740b8777d010f0d32a120092084c3cd32eaceb937188d698ddc22df2fcb

SHA512
3e8f6d89c7c153177b2149d86cd8602ceafedf66f5335a86b19dfa46fc38c47f6ff9a272c3b71b4464a5921ebdf2461fba25692ca916b9715bac520bf1e81a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e167f8f688f8deb74715f89fac83e152

SHA1
503543c97ab67b21739da860a6ef87ffed5e77a4

SHA256
fb212e4b98c06ed5a451af0388d395e2af40a5521a90c50a1910d79b847cc7e2

SHA512
a461baca62d801b021d88c516dd89bff1bf81184c1fe46e9410106e83b3dbee6413d9e52e64825b72944fb3d43b091f945a3aa9600cd6522fb562453c688bead

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
203390b4dfb3a49a88febdcd9efa5414

SHA1
80c8af626ba5e9fce39abb7246f329265248f8d0

SHA256
07828a655fb5b6f63ed4a0b5dd8737c6fafa85a5e22980fe41c6ac4af5a0d426

SHA512
8f8dbee6f018c4a266054826a1592cf20205bd317593b34c944026f718fa327e8ea59a33d7e48b186920d8d487b59c68473a19108137d427f99c23e7de7bb33e

Download Submit