hxxp:///search?q=reflection+nebula&rlz=1CAKLUN_enGB1063&oq=&gs_lcrp=EgZjaHJvbWUqCQgFEEUYOxjCAzIJCAAQRRg7GMIDMgkIARBFGDsYwgMyCQgCEEUYOxjCAzIJCAMQRRg7GMIDMgkIBBBFGDsYwgMyCQgFEEUYOxjCAzIJCAYQRRg7GMIDMgkIBxBFGDsYwgPSAQsyODE5NDAzajBqN6gCCLACAQ&sourceid=chrome&ie=UTF-8&safe=active&ssui=on

max time kernel
320s
max time network
742s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
31/12/2023, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http:///search?q=reflection+nebula&rlz=1CAKLUN_enGB1063&oq=&gs_lcrp=EgZjaHJvbWUqCQgFEEUYOxjCAzIJCAAQRRg7GMIDMgkIARBFGDsYwgMyCQgCEEUYOxjCAzIJCAMQRRg7GMIDMgkIBBBFGDsYwgMyCQgFEEUYOxjCAzIJCAYQRRg7GMIDMgkIBxBFGDsYwgPSAQsyODE5NDAzajBqN6gCCLACAQ&sourceid=chrome&ie=UTF-8&safe=active&ssui=on

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-771046930-2949676035-3337286276-1000\{E93BA689-A1C6-4B49-A825-85D0DC6BA4C5}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-771046930-2949676035-3337286276-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1552	msedge.exe
1552	msedge.exe
884	msedge.exe
884	msedge.exe
692	identity_helper.exe
692	identity_helper.exe
3460	msedge.exe
3460	msedge.exe
3548	msedge.exe
3548	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
244	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 3568	884	msedge.exe	79
PID 884 wrote to memory of 3568	884	msedge.exe	79
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 2920	884	msedge.exe	81
PID 884 wrote to memory of 1552	884	msedge.exe	82
PID 884 wrote to memory of 1552	884	msedge.exe	82
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83
PID 884 wrote to memory of 4100	884	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http:///search?q=reflection+nebula&rlz=1CAKLUN_enGB1063&oq=&gs_lcrp=EgZjaHJvbWUqCQgFEEUYOxjCAzIJCAAQRRg7GMIDMgkIARBFGDsYwgMyCQgCEEUYOxjCAzIJCAMQRRg7GMIDMgkIBBBFGDsYwgMyCQgFEEUYOxjCAzIJCAYQRRg7GMIDMgkIBxBFGDsYwgPSAQsyODE5NDAzajBqN6gCCLACAQ&sourceid=chrome&ie=UTF-8&safe=active&ssui=on
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef5d13cb8,0x7ffef5d13cc8,0x7ffef5d13cd8
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2512 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3932 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4988 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12028938084342370344,3520752983517216819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2144

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
05ed8d7350c6abddb2413582af13b728

SHA1
98b3e6793352038355ee54fc58828e5ca1cf0f77

SHA256
878b0ffac96b1428cb415ab15b289258dcf9fc175ac2571622e4dc1219f32c01

SHA512
b80bf631b56588daf08570c05aac9a67cee414403149c223a005a7dd9c81b5e8d4c6f175815106f039d47c1bfef875ecbf65efba106d5107b137f2aabe446058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
69KB

MD5
c33c3755c9bc5c370e51bd72a524da35

SHA1
7b4d2ef2b5e0188562afcd4c87060a809a7d2919

SHA256
e30aeba2b555fe999989e290128024451d7b1bccd13060ce16990a39937a3113

SHA512
7c656b1f7e9806208c87b1f22d27f07f400c5bdd3fd258056a4046c7999d4f83f6c473800b09e36450eff9ff9dd86d045eedead515aeb4bdb55e9d9889e90de5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
23KB

MD5
b7f2753a2d9eaa78ab31f64052a1e132

SHA1
0f67da6d1e4e4cd474ef4168d1296d6a55de0a1a

SHA256
6afda9f7927a4986d4b4760c1da41074295fad1232b5130a9005474a0f5e3e4e

SHA512
587794699751514a0d8baab34a898be8cd5bec6fbba246adcb27416c3762aa63099e2dc5780669c09a7138d2eacce550bc5f3776b45f44fc2b676dce4dead432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
85KB

MD5
45a177b92bc3dac4f6955a68b5b21745

SHA1
eac969dc4f81a857fdd380b3e9c0963d8d5b87d1

SHA256
2db3b6356f027b2185f1ca4bc6b53e64e428201e70e94d1977f8aab9b24afaeb

SHA512
f6a599340db91e2a4f48babd5f5939f87b907a66a82609347f53381e8712069c3002596156de79650511c644a287cbd8c607be0f877a918ae1392456d76b90ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
1.0MB

MD5
7d8d1f5f623293bc2cc19dd0745835cd

SHA1
c7391938f1fe2a5dbdf25ef880c82aaf2f0b6ae9

SHA256
e78864526098e567cb551b450ab864e97afddc26dd16d22a0b434fef84c9ba81

SHA512
ae4e727ea7dd57ca233b38d719f5039fcad01c7874139189ec772ff155a35db6bc5ac8e84456738ac95d0e8c20a78baf12f41643d8b300c154e90ec9bafd4af0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
97daa7c78664c086a08d2a960a31a927

SHA1
9c410718030896ad34046ba29e731f33fe6e2526

SHA256
f245a06b20d37c81ae30c5801670ca2ebedf697a31f19fb6cd022478bb79be5d

SHA512
0ad41d255d2e33a43bc06c8224d8734403b46e2f87a6668becffeb48b8c55568e2717d99f62e91d219c2864ce4a522198df8c9d501ab2a71744af6d78069ffe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
38844a51eb030c27d019a4af60023a1c

SHA1
fbde987e2bd7634bf153bcea262cd4111886959f

SHA256
d5a0d3ac8de5d3eb65a2674e99de1e6ff58f6154ac23c0fb7bde1e4270033226

SHA512
243852b84ac26d529d4b2240adbd1696ee8bdac34ca0d4c955b58d6ad8e1058d72a3369afe000d851e3847127db08c915e2d3a9d19345d775e087a53eebb94bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
1ca4d726ee547e87c2f91fc8e8a216d6

SHA1
edf69dac62d5d1ccbbb77792ed72b52c8904fc39

SHA256
c143062f1ac46037937edb8362df077abf938eccbaccb877cea20ac633f7b2d7

SHA512
931bb2f868a485bf14a15cc3b635e775dd4270ce0cabd92d31a1524b1b56d6793f0dbf2509caf1fc5d7c31a6a0de77a09569d37b5888bf28fa6ddfee129f1c9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
398B

MD5
3afe89e5d880c04758d9dbeb945cba07

SHA1
61f1a5d4a1112ce26c0d2731bfebc0d2e3bab56d

SHA256
6c028ff13095386c526f56159c6cccc6a9d33c0b1ededd9273bb31518e66244c

SHA512
445f63744bb9b86356d33c8908087bff08e773f210960cead5d214f26076659637c3a22396337677cfe0f4425bdac24564eeeaee3a8b46028f8c28d42135fbfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
f6bdb42d58d6c89145431c30f2e2a480

SHA1
7ecb008279193e791ca2d7c600299673fa317446

SHA256
6d1b7af4a7f96b8522552f897f248eb5a74f88de83a160674c31e139b77fedd7

SHA512
4820de95ed728fa203229a1c3d6448e762e37ab2fb9b23f438d91c0822184e21f1451cec1d1c7a916af93467ef6c5a6c2b977eb2022544370aeea65b7e0107af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e36fc1ba532bd99360751829af9359d6

SHA1
725498cdf071cff6258e2cbd87a126913d9ccdfc

SHA256
f1ccca6fab3237d93f7a975f796970f1f31fd7794cf641f480cfba9200a31ce1

SHA512
3d0546079b0151fbd1b82d287f48657942c41d681bb3af19264222672973b89fd90cde7cdad7cb6aab2f4fb59c86b29423da035c6acf902a4166aa7a521101d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
be0754bafe376a3e2dde8d0e31b2d238

SHA1
ae6dad955387ec6ea3689ed469fcdd3013936e60

SHA256
a97520d9f4bc16ab595e7a57f11a938c07ab816336c5ff3e4bcdc1150e7911d2

SHA512
81b3c07d39bc6fe583fbf7b543cbea39dd5ebc6dee5f0cee6389755cb7cea3ffb7f6d06febc41557f1ec1e3c282ce4a43f5d23d602d259d1b61d8c96ecc7b087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cccc98574011a33ae8f1f5d14661f7ef

SHA1
3e5e65102ef945ca99d1d2b3497b97acec68c5c2

SHA256
cdae18aa37e438905db93174a3fd42992bac5f0ca5083ce0dc0c978b4a46ba67

SHA512
be2a00c096b040a474e564bff1aef34f690319bd10bf2f36db4e2d230e04ba9a12936be98bb59be769e0039da71ad6ff4542e856d3e3a747eca0719e9c64832a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dbd537365a4f15713a3cbb99e43e28d3

SHA1
4845ce8f5257a128cbc55ab77babd542f8f6a47e

SHA256
e76c1764b79b029591f64d47177147199f1c8919ad27654fcf2e586bda5608d2

SHA512
9ad5704ab0628028cfc6bd765a3bdf76756c076d598d1848fbcc796dc55f034d2045de3264b075a95cf2439fa9bda6af18cd2fd49b32480df6c51debbdffac3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8a85982d2054f7a00bda4199fa228c25

SHA1
adb1d3a556ec0a5e1e34bd2eecb5c121a3a490a9

SHA256
8b5fc957deafbbc0299f75a2591d2c652cab3cdf75f02cce7f20fe29494728be

SHA512
146a7d9ec6081108423411d7ea7ca9f4f40cda20b81360ae9995e732e1b9fb7545d7884ee5e98ecdea5e3e3447128beae38ec0b28dce87d54042ecd8d8e638d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
631ef2d5445bba330c2ae8d9356ebaae

SHA1
b5397efced98081c5d4b8e8044fc09073e92d5ac

SHA256
d8cb2dfb45ad6fe48aff71121c2f03f3fa43a144c166c3556a294727285d3756

SHA512
591f946f2686e82153ae6952ad938bd30fbd527f1e2f5811f0583fc612caea3023875b844b47edbc288bf51089cbfc92845ac3631afdfd92e8a21ccaa34e660c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
903e3ccbfe19ad78ce6faa169d264f92

SHA1
a7f79b37c3861fb5046293d2f0774f4e1c71744b

SHA256
05ab9daf95b245c9323debff164899db3d428b323d9be2191d97053683ae74a1

SHA512
406cc491002e694c6904e30b37695ea662ec7f27b4e244d6607191781469da80b8d1e06b618e1bef33e9c68866352a8b8147cdcdd8a316bf337c9b86fc9c0fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
3da3cf652acf7e0fee298963e8cb77d3

SHA1
8d35e8ba0767c10324335e8fc8f5c422ece4e504

SHA256
9b436ba7a14d3947bfe73fa9bd581f6fbf0acbf26e97a3a54d6d032d19f8cf64

SHA512
89e9555edd366fedaf79bf4c6da816a69fb220c987337369511c4422034cad486338a261eb6954d000dbfa636c969d04b65de62bb6df9c023ca5e11c892ee83d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bf32fe77e92d389339f396f3e6e4e862

SHA1
8dc7f0296f16d3bf989dd3f4b97702b8fcb06491

SHA256
cadd6bcda89b733817b999253d2a17e50dc301f32148700f1a9223486342b348

SHA512
a5bf37f8f8a6613e656c56e809aa271d0ae10caebe67f291c3c4602cd61ff1fdf6c2199977516812abbfbd5baff09482b820c16d56e6a6edeea9751a408a0b67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
7d7794ab827247ec4436ae1e4c22017e

SHA1
2ca9264cc4e8e876b2cec63c24d1d23fae41174b

SHA256
a049ad48b68ca628d9771588156bed3e18f9c4e878740180a6c685635558775e

SHA512
92c34259f0262dc1b837d177252b42bddef3ae0c823abbe6cf054c32d7c00759bf53cc79228805500f00c9c5313704f6f169a4c2528505d80df0fd0425d30383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c083447f2fafb7668a87223f990cf2fc

SHA1
2a049ab6305a72f6e1ca49dd20f611a9e1ba2ead

SHA256
dff27c585b79b35de7da522607fc3366740bf37ce68240a79bf259334ad2a88d

SHA512
2cc26470bec69f010117748ef51ac9b2b62b155532fae52dc5d5a410620acf6a8dc019615251c0993f52aaed34ea80ce1b5d16391bf9ae3df0460a63e2aff679

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a3f4c.TMP

Filesize
536B

MD5
f6ead64328b9908a9e6b0e9226543332

SHA1
6d7031b6947addd9203eb2a6b06388ae7eae1055

SHA256
dc4063e24056379b599a93441788fc05719db651d8d31c37a664fe9ee7da4929

SHA512
e01fd5add889c2a2eb5518245b08a66526eb158c556c1eba070a6310c62d6419919fd68e6bbe97e67785f1b93bd474e4819e6c5875a41638e69639822e5b72b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cabea521b07a69faf9ac72a5264bafa5

SHA1
5fc24fc0d79fd2f9ff0db48ffb8745e9cfeab6b3

SHA256
8d00f8a08760f5e2f037418b41b0ab3b5e191b6ce7b8e57b70c68ee5683c55c8

SHA512
eaf5305c003489e89cb1b5910b3200cf99800e85c672fe397b3ca61992cd6f83e5089e27a91ca4d2b1d3b6e684362bc1614ab53e00cf6ead3ca3299d83b047e4

Download Submit