76b46daf7d91e30f37780cbdb19863a1faf4c192fa2e221995432f903479a44d

Resubmissions

12/12/2023, 05:40

231212-gc66cshah9 3

12/12/2023, 03:54

12/12/2023, 03:29

12/12/2023, 03:21

12/12/2023, 02:23

12/12/2023, 01:55

Analysis

max time kernel
1184s
max time network
1193s
platform
windows11-21h2_x64
resource
win11-20231129-en
resource tags

arch:x64arch:x86image:win11-20231129-enlocale:en-usos:windows11-21h2-x64system
submitted
12/12/2023, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

how to evict a tenant without rental agreement qld 75227.js
Size

843KB
MD5

c1ec1d082324850bebd8e7826098a516
SHA1

cafd1bdff3c8501c9d14c5fcc1fd87cb468c40b3
SHA256

7abd6a84f2ac6899901d0ebf5795a5626533018f5eaa3cbf97023d2c67380be6
SHA512

9b6f039c4be149f974a83cf9d4fc5af9cdccbaf17ebf36198e67362d5c91d425e16e558432f972f4587328e491e8087f3466eb3afeea8150e2389e9d26f7e323
SSDEEP

24576:SUCgo+ogQc5WfNnZmD/nAdzFrJCeT+hH4WkyQTaEFNE3NEr:SUCgo+ogQc5WfNnZmD/n4zFrJ1WkyQTZ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2379530898-3444504291-4008811794-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
4600	msedge.exe
4600	msedge.exe
4940	msedge.exe
4940	msedge.exe
1652	identity_helper.exe
1652	identity_helper.exe
1452	msedge.exe
1452	msedge.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
672	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeIncreaseQuotaPrivilege	2840	powershell.exe
Token: SeSecurityPrivilege	2840	powershell.exe
Token: SeTakeOwnershipPrivilege	2840	powershell.exe
Token: SeLoadDriverPrivilege	2840	powershell.exe
Token: SeSystemProfilePrivilege	2840	powershell.exe
Token: SeSystemtimePrivilege	2840	powershell.exe
Token: SeProfSingleProcessPrivilege	2840	powershell.exe
Token: SeIncBasePriorityPrivilege	2840	powershell.exe
Token: SeCreatePagefilePrivilege	2840	powershell.exe
Token: SeBackupPrivilege	2840	powershell.exe
Token: SeRestorePrivilege	2840	powershell.exe
Token: SeShutdownPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeSystemEnvironmentPrivilege	2840	powershell.exe
Token: SeRemoteShutdownPrivilege	2840	powershell.exe
Token: SeUndockPrivilege	2840	powershell.exe
Token: SeManageVolumePrivilege	2840	powershell.exe
Token: 33	2840	powershell.exe
Token: 34	2840	powershell.exe
Token: 35	2840	powershell.exe
Token: 36	2840	powershell.exe
Token: SeIncreaseQuotaPrivilege	2840	powershell.exe
Token: SeSecurityPrivilege	2840	powershell.exe
Token: SeTakeOwnershipPrivilege	2840	powershell.exe
Token: SeLoadDriverPrivilege	2840	powershell.exe
Token: SeSystemProfilePrivilege	2840	powershell.exe
Token: SeSystemtimePrivilege	2840	powershell.exe
Token: SeProfSingleProcessPrivilege	2840	powershell.exe
Token: SeIncBasePriorityPrivilege	2840	powershell.exe
Token: SeCreatePagefilePrivilege	2840	powershell.exe
Token: SeBackupPrivilege	2840	powershell.exe
Token: SeRestorePrivilege	2840	powershell.exe
Token: SeShutdownPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeSystemEnvironmentPrivilege	2840	powershell.exe
Token: SeRemoteShutdownPrivilege	2840	powershell.exe
Token: SeUndockPrivilege	2840	powershell.exe
Token: SeManageVolumePrivilege	2840	powershell.exe
Token: 33	2840	powershell.exe
Token: 34	2840	powershell.exe
Token: 35	2840	powershell.exe
Token: 36	2840	powershell.exe
Token: SeIncreaseQuotaPrivilege	2840	powershell.exe
Token: SeSecurityPrivilege	2840	powershell.exe
Token: SeTakeOwnershipPrivilege	2840	powershell.exe
Token: SeLoadDriverPrivilege	2840	powershell.exe
Token: SeSystemProfilePrivilege	2840	powershell.exe
Token: SeSystemtimePrivilege	2840	powershell.exe
Token: SeProfSingleProcessPrivilege	2840	powershell.exe
Token: SeIncBasePriorityPrivilege	2840	powershell.exe
Token: SeCreatePagefilePrivilege	2840	powershell.exe
Token: SeBackupPrivilege	2840	powershell.exe
Token: SeRestorePrivilege	2840	powershell.exe
Token: SeShutdownPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeSystemEnvironmentPrivilege	2840	powershell.exe
Token: SeRemoteShutdownPrivilege	2840	powershell.exe
Token: SeUndockPrivilege	2840	powershell.exe
Token: SeManageVolumePrivilege	2840	powershell.exe
Token: 33	2840	powershell.exe
Token: 34	2840	powershell.exe
Token: 35	2840	powershell.exe
Token: 36	2840	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 2164	4720	wscript.EXE	89
PID 4720 wrote to memory of 2164	4720	wscript.EXE	89
PID 2164 wrote to memory of 2840	2164	cscript.exe	91
PID 2164 wrote to memory of 2840	2164	cscript.exe	91
PID 3520 wrote to memory of 4736	3520	cmd.exe	97
PID 3520 wrote to memory of 4736	3520	cmd.exe	97
PID 4940 wrote to memory of 4712	4940	msedge.exe	107
PID 4940 wrote to memory of 4712	4940	msedge.exe	107
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 2100	4940	msedge.exe	109
PID 4940 wrote to memory of 4600	4940	msedge.exe	108
PID 4940 wrote to memory of 4600	4940	msedge.exe	108
PID 4940 wrote to memory of 5068	4940	msedge.exe	110
PID 4940 wrote to memory of 5068	4940	msedge.exe	110
PID 4940 wrote to memory of 5068	4940	msedge.exe	110
PID 4940 wrote to memory of 5068	4940	msedge.exe	110
PID 4940 wrote to memory of 5068	4940	msedge.exe	110
PID 4940 wrote to memory of 5068	4940	msedge.exe	110
PID 4940 wrote to memory of 5068	4940	msedge.exe	110
PID 4940 wrote to memory of 5068	4940	msedge.exe	110
PID 4940 wrote to memory of 5068	4940	msedge.exe	110
PID 4940 wrote to memory of 5068	4940	msedge.exe	110
PID 4940 wrote to memory of 5068	4940	msedge.exe	110
PID 4940 wrote to memory of 5068	4940	msedge.exe	110
PID 4940 wrote to memory of 5068	4940	msedge.exe	110
PID 4940 wrote to memory of 5068	4940	msedge.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\how to evict a tenant without rental agreement qld 75227.js"
1⤵
PID:4372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3364

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE HIGHOR~1.JS
1⤵
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\System32\cscript.exe
  "C:\Windows\System32\cscript.exe" "HIGHOR~1.JS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2840

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\how to evict a tenant without rental agreement qld 75227.js"
1⤵
PID:4904

C:\Windows\system32\services.exe
"C:\Windows\system32\services.exe"
1⤵
PID:1468

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\system32\cscript.exe
  cscript.exe "C:\Users\Admin\AppData\Local\Temp\how to evict a tenant without rental agreement qld 75227.js"
  2⤵
  PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8dc7e3cb8,0x7ff8dc7e3cc8,0x7ff8dc7e3cd8
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,11534039659805076738,16927370634017314142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,11534039659805076738,16927370634017314142,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,11534039659805076738,16927370634017314142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11534039659805076738,16927370634017314142,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11534039659805076738,16927370634017314142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11534039659805076738,16927370634017314142,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11534039659805076738,16927370634017314142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11534039659805076738,16927370634017314142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,11534039659805076738,16927370634017314142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,11534039659805076738,16927370634017314142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11534039659805076738,16927370634017314142,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11534039659805076738,16927370634017314142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11534039659805076738,16927370634017314142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11534039659805076738,16927370634017314142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11534039659805076738,16927370634017314142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
  2⤵
  PID:3956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5d6afc2bfd830a32083c64d184e5a220

SHA1
3d83d57733d0d717e32a7ece2912e5593916b08e

SHA256
05d7bdda813544520f5a4b50509e7b29c24733b233b1333cdf9d5f6016dc7c88

SHA512
29db7c4e85dc41eabc07be506a05df8dbf8b8b9380eeb719ae0e6413afb29e9d823ebe901ed3f924746ca1b99f86f58d93a0a7a7263ee6efaea3eacd6f30b47b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
5bfecfb3315756a2971805d22172274c

SHA1
76dec36cd1be26c589dd53050e5549d798428a23

SHA256
ddcc63183b9aee34b6ab5a11125aa00016ccd76257fd22eda2db602b47a34924

SHA512
2917d2a4f98194f18ef409656632afc06f4e180a0139616517753d8e16a43e013010660b40ccb639460238a67d13eae03d97472d3560e9937d7209cdd7d6969c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6d3e19243c3ab46971d251efd7d08874

SHA1
d8e5f5965d848637d272b3f1cba1d835857e2c98

SHA256
5cea7c93be874f6fc6de43709147a4ebae353cef41b26afc7228a2921eb75ed4

SHA512
d153dfddfe3dfb0e5813fe41393a467eb7e65ad53ab5dbbd8c5e2ef666e08ce9d8d5e78ba56c20ea72d3fcbdf4d643746761b33352952a6fb04f3c6846804d1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3bc89307e1423f4a46f577c025d2e4b1

SHA1
cab6580dec9abf69af03d89b332e75c503c7b207

SHA256
46b7369fead57a1a65065469e4e3c13788c41c87a2799fe03d13e02d39f048ca

SHA512
3d7294e67a292442f825e1fa8549d17d2201ad60c47da9e06054e47e75fa2b8cab64e6dd558ab66dc4cb17aabffb885939e1af98e1e54c944c7f84962c04e4f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
1dccb6cfbf5557e99e110e1c88971dcc

SHA1
bea4891349f510ab586da6304f99ccc0eefc8282

SHA256
b13e021c0aa2eab302a1ed8934825d6b884a5f86e44810507458e0462f266cb4

SHA512
6d4876ba1ac513c9494186311eb9134817273ae3020bff649c42d74cba516ff250eefff727881e62655fe6961b4cb663ff6e288fa165dd6fc02e5f965b080359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
ece8b72e7aa86cdd571a555fb8285acc

SHA1
e20985964fc6f841a20fe9b4d274545ede9da925

SHA256
4d5da4f2665b0b2adf3ef3d275d766c5d4e611822ffad6d19e836e0d3dd10a8a

SHA512
909d0c5e793b0435ca8d2e28072a4167b8d7f758cf0fa1526aec95f74411782a1a603501522a4517b1c591a9b9f1f4284d1189525a6b5cdfc1a4d1c8e3dee252

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
c2bc2964efb99a08158db1ff858e71a6

SHA1
7b6a748ee45be2f01b63c2994aea64e27ad28041

SHA256
1bd09c3b5765b26804be62c8a9d02b05f271e87b4b35fe4ae5ab0ca2e043ba86

SHA512
fc3498c57380e96d274374cdfccb1f12260bbb21013709eb809b63bdcf051ed1e3ed844cb87eb8dde139a874cc45c9f8c2b64ebee6cb85ac119562c97486ee26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ng5t3sl3.zdi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\HIGHOR~1.JS

Filesize
14.2MB

MD5
6706ccb49537527d6075d46d2a4eb32b

SHA1
360712d82818102575b834a0932f782f8e2ad1be

SHA256
3d56ab2b4c70b649e37e12dbdc74b221bf658a436160cf44eff0b0126e1e6eaf

SHA512
887b66a560bb7db5bda1e74057461ed5f19cfdb1b06a95152c86738489b618ad9158b5c696f6124b11c0b5f3f56f15e7f8d03c73a21e56421a157020450881c6

Download Submit
memory/2840-16-0x000002669D820000-0x000002669D830000-memory.dmp

Filesize
64KB

Download
memory/2840-20-0x00007FF8E6130000-0x00007FF8E6BF2000-memory.dmp

Filesize
10.8MB

Download
memory/2840-26-0x000002669D820000-0x000002669D830000-memory.dmp

Filesize
64KB

Download
memory/2840-24-0x000002669D820000-0x000002669D830000-memory.dmp

Filesize
64KB

Download
memory/2840-23-0x000002669D820000-0x000002669D830000-memory.dmp

Filesize
64KB

Download
memory/2840-22-0x000002669D820000-0x000002669D830000-memory.dmp

Filesize
64KB

Download
memory/2840-21-0x000002669D820000-0x000002669D830000-memory.dmp

Filesize
64KB

Download
memory/2840-25-0x000002669D820000-0x000002669D830000-memory.dmp

Filesize
64KB

Download
memory/2840-18-0x000002669E060000-0x000002669E084000-memory.dmp

Filesize
144KB

Download
memory/2840-17-0x000002669E060000-0x000002669E08A000-memory.dmp

Filesize
168KB

Download
memory/2840-15-0x000002669D980000-0x000002669D9C6000-memory.dmp

Filesize
280KB

Download
memory/2840-11-0x000002669D820000-0x000002669D830000-memory.dmp

Filesize
64KB

Download
memory/2840-6-0x000002669D8A0000-0x000002669D8C2000-memory.dmp

Filesize
136KB

Download
memory/2840-4-0x000002669D820000-0x000002669D830000-memory.dmp

Filesize
64KB

Download
memory/2840-3-0x00007FF8E6130000-0x00007FF8E6BF2000-memory.dmp

Filesize
10.8MB

Download