hxxps://docs[.]google[.]com/presentation/d/e/2PACX-1vQuAhjrDGYcemgFcPzx1yVa7eQEod21UyyjGsUvaZxYHO9ZUvFxYlA8okUMo8tyyYQHLLmqZBka89Cj/pub?start=false&loop=false&delayms=3000&slide=id[.]p

Resubmissions

17/11/2023, 02:33

231117-c2cktsdf79 5

17/11/2023, 01:54

231117-cb23ssec8t 5

17/11/2023, 01:46

231117-b65xhaeb81 5

Analysis

max time kernel
208s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/presentation/d/e/2PACX-1vQuAhjrDGYcemgFcPzx1yVa7eQEod21UyyjGsUvaZxYHO9ZUvFxYlA8okUMo8tyyYQHLLmqZBka89Cj/pub?start=false&loop=false&delayms=3000&slide=id.p

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3868	msedge.exe
3868	msedge.exe
4852	msedge.exe
4852	msedge.exe
3568	identity_helper.exe
3568	identity_helper.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 1588	4852	msedge.exe	61
PID 4852 wrote to memory of 1588	4852	msedge.exe	61
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 1552	4852	msedge.exe	90
PID 4852 wrote to memory of 3868	4852	msedge.exe	89
PID 4852 wrote to memory of 3868	4852	msedge.exe	89
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91
PID 4852 wrote to memory of 4936	4852	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.google.com/presentation/d/e/2PACX-1vQuAhjrDGYcemgFcPzx1yVa7eQEod21UyyjGsUvaZxYHO9ZUvFxYlA8okUMo8tyyYQHLLmqZBka89Cj/pub?start=false&loop=false&delayms=3000&slide=id.p
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7fff0d9a46f8,0x7fff0d9a4708,0x7fff0d9a4718
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6300 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6706035997824422171,5214226968781282466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:4568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\986c327d-e606-4777-b79d-01f84d8bbdac.tmp

Filesize
6KB

MD5
b714db037989f4c13183219eb2cc408c

SHA1
add09033bde7b2f38d79bb4dea4560904baa14d5

SHA256
1254266417ddb78f2e2e2eca5416af80ba2f47495a0e58f9afafc3dd1173ecb8

SHA512
72f7db10383ff593c13953ef734553819dd862b4b574de9003af924192e48ce7f89ad4d591500843b8d513ad42479db80970674d7c3837d7608df23c2306a069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
ce700cb8ec015f0458323559f29e300b

SHA1
18df88f6a0d13b2544de26032d61835b07220a84

SHA256
d3bb20dece9c68b7f3364770e1c175bac66ea261b8fd3ab9472116a2cd70a9cd

SHA512
3db0ce1788332d793985226b8e6d48ec72f4bbad75eef7cdd6172c810d8f9c080d4396fe6304e8412f4aab89cb1003ff56f91a1b413aacdd59dec007c700b1c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
175KB

MD5
7107c752f3901d95bdc4e9d46ac2b6d8

SHA1
747a0d933dc2ef38a98fa11a44ba661ec6a5eae3

SHA256
c4a5ecaf090da5f8115afcf0d4b723810054ecf3de31acc5ea6d48f9eb2d4111

SHA512
71d4ff3fa6c9a902b299302109d034d4610ac8a31ace170f09a3f66bd0d1259c41361fc29f2205fec6eb49995ffc73563399a6ccc536b8412bf1064485caabd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
159KB

MD5
78450fe21afa3391dc4dc62d5f1e09f2

SHA1
8aed39e81b26f10dd32c5b131eb7493d6d41b06a

SHA256
4903f015531ad7a745aa8c5155780c51adba6e0f671607c3fa1447795f33b794

SHA512
46db3beebdbfc0ae2b4e6d8f015e0f122851cf57662d5f445e2c4cd4f7ca2097690a610247e08f789685411d75b018cc35bc0a679b4dcf9e68c9fa164f347256

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
165KB

MD5
34049e45a502035c1ee78f0b0967588e

SHA1
dd604c54963f4ae0cb4cc1c6890b66822a6d7b82

SHA256
a84c114bbb185448de945b27fca0b6ee207f4801505e3046f35db050f4720eaf

SHA512
07b046af74583dc5ccb2dd1a636042b36dd4ee50aa6e7a3871cc26bec7aee823dcb2ef8bae3f465a374b04ae92b8cfb90f41ad3a76a0d2db1b6ca764d8eb204c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
142KB

MD5
d1e0216a2cc3db1dd95ad3230a39a0ca

SHA1
a629d848286dcdb6876631bdd3bfd7dc6e05422d

SHA256
b41f67ebf201d922b8668a628078e11dbece1fdf875d1df93495c3ba3cd31372

SHA512
50f8b14adf524175f2867c7e198c71f78a5b9a1c2447229a418c382519299820ea1f0dc77af121c58ea116e2cfb4163b62c961cdb7091fcc4e9691d6135f3883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
43KB

MD5
820f40594a0e8d5f9d58546208aa9060

SHA1
e17ed5116a34c432013a244c979ac9da53829d74

SHA256
f8f708049e1e1609af3959cd21eaf313c8192d3e962887a7a2e1f9b353d3fc80

SHA512
95879b255a90ccdc41c8696bf7aa05796db56528fc4be78f2d13eb2233740ac8cf0f92bdeaa169ebc5c745f3e76ee9fc67d2626160b9e01c5f5a19b8cbea605f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
16KB

MD5
12e3dac858061d088023b2bd48e2fa96

SHA1
e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5

SHA256
90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21

SHA512
c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
caadc91f29a96045dd37208b58b8fe58

SHA1
4dff5901237b36262dd7c16f85ef267456d6cecf

SHA256
e15b059134258f984791a894dea57fd835fe588f89659223a21309f0bcac356c

SHA512
f06d9853779a206d3422d06dc0109a9625cd46881fa4a13aa72d86c81d0f5f239289957ba2d750aa206cf164e32ed8d639c2a9720c838506f9a8afb7bd04a8ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
7555b167b8673df3a141db83a4d4532c

SHA1
1a4b56ea416f1408fc4a65f5332d82d79f28820b

SHA256
f14adcbb9c9aaf9ae3af17ed02e843c8654e461fc5c12b09cb377607708f4091

SHA512
a18cd7af5622af87202d08d2da9b97abfe681c6cf90e5ae19d4ea093c2ba444ccabf8bcd989be53a47e73b6da12efa612ba329911c032d6039ee5b30de81bf70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0b86fa4840200c733aed889222e8f9a3

SHA1
83fbbdfe5ef758052ef63689d906f821d22c4dcf

SHA256
7e69337a3e90b596c829757a896baf45afaa483c013f2cd4111ea0d8de8c5a2d

SHA512
503761b2c749329db848f21c77bcbe78044434f8a242280fde4e1bd3c0f3b1b868a0c6742672e5e470afcf7a1f2295a43814243b8bf06b3e887972de83a8b8e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
81b7da01d00317741f4b5c380ab23408

SHA1
3e4498e45f36125696565323553c7504a42b87ef

SHA256
18782b1b79be546a2e0667f39e519686bfdcedd48d115c67f60508e5087f6e0f

SHA512
d781cd1ec54241d6891107cdcc499ade00eec2f944b389d8c7c021d9a08612535ca630c785a7b72766ca02d878e17ec2e069073d611b140bceddca20d529abd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5b820fc6fd2225064991f835c048d563

SHA1
bd435c3de7eda0bc75863b9fda1bd1f4cc00bec7

SHA256
dd2d3e80d1a76406a1736e76c12792b803c1c0f3c0661d125be7fa1d231ccf8c

SHA512
5620065c70a4ba3f99eab0e7d40cd67f0e256a5b0d6e900578a28ac96fcab85907d083ae7d9630f792ed12a088c24018ba5c3ec104fa25ba100e993853025879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9972e5a8190c5de067e34d83acf5023e

SHA1
7eb7a4ace638b87dd70fb83bb1d61a8e2316089b

SHA256
e8a21d38ac4f4f2bccc9dd84c7442395da184b00a7de71028c5776e6b78c2e27

SHA512
3c098af546d77f3ffe5da53cdd2262ed3aa9f70094d35b51d4d344312e09bb181d3803c21f6b64a8a5c5231cf250453a02922232de10b2d5d6c24fccad99e213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5282f4178b2ce3fa58a9752ccbd3b4f0

SHA1
c20caaa9e1017da73da17831011b29eae6999f7c

SHA256
a6d4d7f56b04bc89104fc200f7721023f539634beefef361fe424bd190804d83

SHA512
7167dd8f26584dfedc315042183a95dc6966fa5c8f2dfcc7b488d5bb56f230ffc2de617db3e640a96699b870f60f8cb13d999d242b7251d4b1e4c115f0211c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fcb25ad332482a819a8c670cf52d8259

SHA1
fcf71ef7a7ee4914f4b9309d92fac6407cafd222

SHA256
aedcbc3ad18c015a838b226fbf9f54d3320f299ba92546d7710575293f2c3537

SHA512
d48e53119548ee62b6d129251c947f4162ed1536716ede9057e499e76a4a3df89fb2c54365978f6b30320d8bd5215bfe2986f10a7408b7b70ac55159aac00e61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9d7a8304d77167cea278a25aeb8da1a2

SHA1
17a1f453fa072043183deedf0a9a70d2f1a82b27

SHA256
e98c9d028c25031a9bcfa6b0b36517d2f97985773d0ef0c0b25ffd55af8954d7

SHA512
4e4cd3f9883afda963c52c535f34e48803bcb7dd97c0dd12c268668ec2f0a0ecd73ab200b26c82c0f0d479f14e36ab166a1990ecce87ff852d84878e7323ff39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
11031f89bdc095cf7d79c3dd511fa179

SHA1
dd8230bc80e9eb6d93c45116d7166da655f458e1

SHA256
7a8cac71c5e275af7951745d93c32a678889e2ca48b0de49ead0d58d87345f87

SHA512
7bdd981e2498ed448a87fb8c09404714797eb8080932aaba01ec943b4b37ffd35b4a10d438cefa2acec736cde84418a99089961bcfd22dcedd815e8b553b157e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
11edd4459bfc50432616b5c55d048a9d

SHA1
18dc3c57b1613169f9019da484ccdd74aed2a409

SHA256
52024886411ca2085f424034cb58d586785c03fad70e85b76d34a07d12d3ad82

SHA512
3912e3050556a0cb926ca5a74d4f7c6bf1561b7f057c2220ab3d59ccbcdcc2c0d94b323476cd25daed3d92bb3a37ba23df05971095564cbe5ae694946aaf8107

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2ea77d811d0310831c0d80c27e8f922a

SHA1
f972e4c9b0b976fd188b206e90ba550cb496aa83

SHA256
78bb8dfb689a073d5195638797094cc268b749d2f15ea6527a8794b0e89f1605

SHA512
f93bf9b3fc378ee6905b6c488e109cad875a2bf47a50fff897ea18b019366c1c074b41ea6fcef9594a6752773fe99a510325e53726a017ea191ce967551bcf6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7c5a36f945d9fe7bc61524c252af81b3

SHA1
e1dc78d9c250d085f00c0d920b227012eadc1bdd

SHA256
ebef8f781f34aa3f6c106b2647fa56a156d752c04447486f783fc02b1b599316

SHA512
d8ae00315ae2a1e10bc407ec2556e29156f6875c033ab618b34d47b8b4a18ebb868bd0204a762741cbead3b031bad9913c9a82e4c155f5e1664b3182ea41dc4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2a12b2f335fc81e884cfe158e7c80013

SHA1
4fc9b661273db4b51cd80919fb5501e3b77c8a5b

SHA256
f3a3adf7ce7c5bbb78d76e94a12f44592383bcf9bf242bad0c2141fb3e1bad92

SHA512
6b1ddc71fdba9b7c1c0e9f58219bb5cfc9127ed719f0a55d062b0efd49eb18ccb23cfd34fa34cb72ea39a3e1bddaf3f7ce2e1100ced4dd71b1af4124e5407d70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586368.TMP

Filesize
371B

MD5
8f1ac008b5891df756d5712041ceb3d7

SHA1
3fef9952d6f982ef5cbb6699ffa20a558886e758

SHA256
f2157208a6cd2145f0e1ab7b13bc11b2ceb391a8d87abaa10a6e11e11a57b548

SHA512
468c5b31b55bbe1428b29857b39e4e371c71efbd40db74bf43af2d250ce7dfdf79dc62ee07b5a61ad663b3c0c6368dec099fa1fd4f1abe5103fbafa7abf7d1f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a83c5e1e-b65c-47e9-9b6e-8221191efe11.tmp

Filesize
9KB

MD5
b73e2c38f32d8efc21284b092185016e

SHA1
94208cc761952303ae2e87480de0060a3dbc0f47

SHA256
9e2b7a65f87f7e925e95818ca5e361831c953ab7ebcf1502be76bb23fe49d78c

SHA512
2e5cd86ed83a59f210465e7cf6656adb45ed2120de7d4be79fa8316d11e3cf16ed1b9775de054d4e5225f101cc2c518d76c31d87b9062fe7b36f179c2ef2c927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cf78a1ac-4e53-4011-97ba-8abde8d96378.tmp

Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d35d5a75-c0cd-4bba-8c31-bc43ad23e84f.tmp

Filesize
6KB

MD5
c32c6794a0894a06548660699b79a876

SHA1
7d34cedf47cc2730fe5f9120ae43bbd3f8a4d81e

SHA256
99e42a8b2154fff20b85915675e1126339a5004ba98fd66915fe4f13045b9765

SHA512
70978ed6d7f596065978653a6ca9494dd49dbc7d465077a872b1a62d8dba6449ec31402e8683681dacae192b011ad143d7e210c36bc99f5cc511d5a665af2a4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000006

Filesize
17KB

MD5
913728da90cf90d8e78af59c60b47c3d

SHA1
f42f2a545d4fcaf4f76d0f060f52e33a47df7f1e

SHA256
b0b478f9aa6aaf8d5811e296047ae1f8ee07f4c4998fe9d7b960755ea1fafb82

SHA512
3af86e053dd56aef03e6f967a49b1a0d492616a71e2e49090e0c8e5cbe58ff37ccc55e91f06bf34096059a49f3de84b0bca587f3f17c366f97c0f7a0fd17c974

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8205bd5d1ba7f6fef7e260824f212936

SHA1
aee518120d38e34a8df9a2d9b9428d0f9a14a59f

SHA256
09cfd3d610c69e26158a297167e86fc75571a06304109783ff3c9a2decd0f59c

SHA512
f58562cc785436b27c6aac0fba41c67a465b1f207576cb3eef96e9dcd18b5602259b7375536f10f8ce1974d749a5bf00f192b1e5ea9a728da2912657eb38165e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
20481ce272ee1183b0b41d1d635d30e9

SHA1
4561dab3383f230dc6a8f022337f47b2b923cb58

SHA256
8e906a582503a716024ef2df8c624267c03cc035417b0cd293a61b70aeec107d

SHA512
70b50c0d08b309c22a8cfafaa2f50f3f3b93ac46c023881aba77500cb728a3d061f14d5e4d0ee5618dc434b1ecca9ef6513dc93b15a4aa92aceb247835c92760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d5d1fb9c22e95343aaef43241f322c01

SHA1
d257f5ab2ba45465ed2bb34a05a517382875e313

SHA256
16c20ffb249592c6500cc3dc3c71ccf90f084c2b10215e0935c2c92de5042545

SHA512
4ef8617a5ecf893008996199b603deaba2471123e75a69fc2097dc5e3ef6bcb7621bc8f48b1586a364fefecf5f04b5e9510b3bc959b4fe6bfc8880e1ff6bea12

Download Submit