hxxps://schedulechanges[.]swiss[.]com/LinkTracking?q=bvtzZnMeiA0wh58DnFdzBEIvvqFAHltGvpw0y9oquESErYMPsdpl4MFXxV1pXA1VBkEZdmt0Z1Hk7j8ojdeKnCx1WqpKpu38BOAPljRi99JgbPMpdM86sei4JPn90_ZWalV23n-dGHwL1_ImT-zApLU-zoCkQjACKqJZwnLqxbAs1IjDlWnLGsbQkEEehiWz5zudvWHS8jTk2m8oXpmDJaBPUUrS6FOiRDv1Z0DZB8sXkUOgJc4AMZ_aYru5gvgutytIBamAAxOH7TAcoLJJCcOXsZ-0I7rORcdwtwzD5XFWJHexJXXv1zDHrqd9kD0Aqn8TvWKi-3qXzX69sLlEDNPR3ynepW_c2qNdHGg-Lug7dF7D5gcU04zM4QNGeRMUHW-LdyTqlP-izm3Ys_fYOeN0OqV8JSo9QcWY0xndMRCXwWPOao6wPAdGIq12hTPg_zgR6Ht5otkqHEnzDzFlycqhd9wgOoB4-Q5sxmc2CldExZ86V_htdEwF78W_WItUWTXPS7hIdf3ROo_qkFr6K823WdRZK-16wXIl878-54hPxyq9TGuUHwP6_erFPoM1TV04V5BdKxAyZk1GVSRGzQZeR1YQg02_58w-jT3E4EJS1csgreNsXamai6wAjvgl2N2u4Bu_eVbzeZ8BqNh5CbuywbYCG9ZpqV6pYuzhm_WcA-tVwNyjB9hj9ohl4_2XoG53sW0bNc7D93XUs7AJddDnWOaDy4PUxDz5bGfrUq-bGqreobuQTAr3sVxQLcHA&r=642458156

Resubmissions

22/02/2024, 14:11

240222-rhc5ksbb76 1

22/02/2024, 14:08

20/02/2024, 13:04

20/02/2024, 12:18

20/02/2024, 12:13

Analysis

max time kernel
145s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
20/02/2024, 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://schedulechanges.swiss.com/LinkTracking?q=bvtzZnMeiA0wh58DnFdzBEIvvqFAHltGvpw0y9oquESErYMPsdpl4MFXxV1pXA1VBkEZdmt0Z1Hk7j8ojdeKnCx1WqpKpu38BOAPljRi99JgbPMpdM86sei4JPn90_ZWalV23n-dGHwL1_ImT-zApLU-zoCkQjACKqJZwnLqxbAs1IjDlWnLGsbQkEEehiWz5zudvWHS8jTk2m8oXpmDJaBPUUrS6FOiRDv1Z0DZB8sXkUOgJc4AMZ_aYru5gvgutytIBamAAxOH7TAcoLJJCcOXsZ-0I7rORcdwtwzD5XFWJHexJXXv1zDHrqd9kD0Aqn8TvWKi-3qXzX69sLlEDNPR3ynepW_c2qNdHGg-Lug7dF7D5gcU04zM4QNGeRMUHW-LdyTqlP-izm3Ys_fYOeN0OqV8JSo9QcWY0xndMRCXwWPOao6wPAdGIq12hTPg_zgR6Ht5otkqHEnzDzFlycqhd9wgOoB4-Q5sxmc2CldExZ86V_htdEwF78W_WItUWTXPS7hIdf3ROo_qkFr6K823WdRZK-16wXIl878-54hPxyq9TGuUHwP6_erFPoM1TV04V5BdKxAyZk1GVSRGzQZeR1YQg02_58w-jT3E4EJS1csgreNsXamai6wAjvgl2N2u4Bu_eVbzeZ8BqNh5CbuywbYCG9ZpqV6pYuzhm_WcA-tVwNyjB9hj9ohl4_2XoG53sW0bNc7D93XUs7AJddDnWOaDy4PUxDz5bGfrUq-bGqreobuQTAr3sVxQLcHA&r=642458156

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1368	msedge.exe
1368	msedge.exe
2116	msedge.exe
2116	msedge.exe
3692	msedge.exe
3692	msedge.exe
4240	identity_helper.exe
4240	identity_helper.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 4368	2116	msedge.exe	45
PID 2116 wrote to memory of 4368	2116	msedge.exe	45
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 2032	2116	msedge.exe	80
PID 2116 wrote to memory of 1368	2116	msedge.exe	81
PID 2116 wrote to memory of 1368	2116	msedge.exe	81
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82
PID 2116 wrote to memory of 3580	2116	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://schedulechanges.swiss.com/LinkTracking?q=bvtzZnMeiA0wh58DnFdzBEIvvqFAHltGvpw0y9oquESErYMPsdpl4MFXxV1pXA1VBkEZdmt0Z1Hk7j8ojdeKnCx1WqpKpu38BOAPljRi99JgbPMpdM86sei4JPn90_ZWalV23n-dGHwL1_ImT-zApLU-zoCkQjACKqJZwnLqxbAs1IjDlWnLGsbQkEEehiWz5zudvWHS8jTk2m8oXpmDJaBPUUrS6FOiRDv1Z0DZB8sXkUOgJc4AMZ_aYru5gvgutytIBamAAxOH7TAcoLJJCcOXsZ-0I7rORcdwtwzD5XFWJHexJXXv1zDHrqd9kD0Aqn8TvWKi-3qXzX69sLlEDNPR3ynepW_c2qNdHGg-Lug7dF7D5gcU04zM4QNGeRMUHW-LdyTqlP-izm3Ys_fYOeN0OqV8JSo9QcWY0xndMRCXwWPOao6wPAdGIq12hTPg_zgR6Ht5otkqHEnzDzFlycqhd9wgOoB4-Q5sxmc2CldExZ86V_htdEwF78W_WItUWTXPS7hIdf3ROo_qkFr6K823WdRZK-16wXIl878-54hPxyq9TGuUHwP6_erFPoM1TV04V5BdKxAyZk1GVSRGzQZeR1YQg02_58w-jT3E4EJS1csgreNsXamai6wAjvgl2N2u4Bu_eVbzeZ8BqNh5CbuywbYCG9ZpqV6pYuzhm_WcA-tVwNyjB9hj9ohl4_2XoG53sW0bNc7D93XUs7AJddDnWOaDy4PUxDz5bGfrUq-bGqreobuQTAr3sVxQLcHA&r=642458156
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe55933cb8,0x7ffe55933cc8,0x7ffe55933cd8
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,1181491021726948304,2982877812469832261,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3328 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3ac94e49addbb0b2b78b1cc0c4fdc41a

SHA1
41dda9076097a81d24a814805f80979eb5736a72

SHA256
259e79a3a5696dd704f943a3146b6622715c38d269751ea5b90c4858aeecaec5

SHA512
9890dd31736bf96b3669a9ba135e029d02a0245e31795f71f15bdb79066e95f8d43233643a78e1a36780b6983d88a5a82f71a07eb91133d9319c014e935fc9fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
3da3ffd154603a3ea1d27da091a232dc

SHA1
2cfd91d041a92a4d904f3e76c7456e6f7decd502

SHA256
8291408ab9d5502d7cb2d188ddbd246eea3c30ce3990c93b7dfef1df316c66b8

SHA512
906b9a0e4e8eb4a55b23c5e11cccd6eaa3508f16d0156ccecb4d91e83b6787f17b65f72da3b3788947efcf680a7eb2b94c4eb6d61a59361670d16efc0a0ead5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
833B

MD5
aa3c7f8357b97f77067513a17dc2ab94

SHA1
bb448b6b631c12f639ff030861825840c6fe372e

SHA256
e3f071dcf7861a1a7ed46cfdd551270da722d0f6f43da315ebee7863fd3e693f

SHA512
3dea63000a169a67398c91ff932fd477d9e1c6bea67f690def6ce12f8cf8f24d044b80d32059de2289655f994b255abcd59fa90ee5860691084e8a534198a49b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3e90545dd7e218f430d36327a04ef667

SHA1
9146ddb491d2bf7303d927070a7cff4677613130

SHA256
1166a87409f8193db3e8b02725d7389cd86b1710b1d2e23825591425b406eef9

SHA512
88398d5213edabd032661d67fb57197d0342756d53905551e303ce8529514b6e89b1bc5406d5ac452405fb99cb2836203535bd3ff2218eed6d3ebb0497a5a258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3bbf45589487e8b7a1cee1299f4c141f

SHA1
9e463b00876fa4b6919146a828d48ab50dcabebb

SHA256
c5e2c3761e33db70831d7a417b91e04a85cb2e8c30c729e36ba0eda7642d35b7

SHA512
01c41813010ae77d7a98e3518d4d1eb52e6205fafef399c20ecb519bc1ced0e579419888729deea0c0f2249d43960c9e929640eec5933d92e8023d4bae30c56b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
230bcd429b64ed9bc3cc4ef3fc13464b

SHA1
485e414f8aa3ee67123b86287dc6080be66b3385

SHA256
f2615609044d15337f2b6be43e980802733a51baaf60d74fb44ce14440dd0671

SHA512
7f98e5de2ea892d0becb14e9b01ec52f283b6325885ae73593b1e305dfdbef0c6a576cf16eb54c4747c4e5c15c2dc32a3a7c06d19560193e498dc5695639d518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
0ee370fd0b36aa248467fe639b6efd62

SHA1
8d05ed1594e797f3b884c0640b394305cca30521

SHA256
7546533b63e8d119b7d4d58459a88b1bfeb060128844de5ffa9a2800a07505ba

SHA512
9f36083d5068d2b293bd459c8a03e7d79b1f005f7386dccd2df7599b8f94875bfb7bec715e8141d02dbcd92043c8dc621493939cae7bdfa96763927487bc261c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
19ceb46364c5191db91a1fe599038654

SHA1
cf669cfdc3385e4a870751bbf2fb51330763f995

SHA256
b92e91f01054fd432f85e4089a74e1e8b39a802fcc26bd6203f1f3ce59f62ce5

SHA512
57646de8d3f23c2f24c64ba04d1ab51d45246bf531917104e92e2bf49c970a083c251a4d0f4d5df3756d90b13c4618a78c7f9a1d11eb00c4aea7eb24d4235584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d496.TMP

Filesize
1KB

MD5
5d263297d0f1c4b4a499547cd2b80339

SHA1
11c22d8052199858210405433d77629357e7b054

SHA256
2b00c88ccc2f89e3b6191eb7dc1b9df2ace6c2b9bfe85cb7c692b3c822f28e58

SHA512
2c06ffce35e05960af745e4287c3daecb5c8a8c0c188d10f5808541c362bbb5fc14d6b48d31b2d0e96b90733524878ad1bab20c48220b875890d2fb17a19806c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ef95adb6ea8115be9303962641cd627c

SHA1
cc04c413fbc09dbc1d24f6d262355b2a56d2e3c8

SHA256
b8d180e0df5f8bb02b90c78c555ee3bce932c58073389ce8bf6d6bba2c42bfd3

SHA512
b274617a2e9b84e5910060eb0a2d262c333afa72afd09f893d9115fe2e564c0b609f17f45744a76b49bded6a9c23057b310e16e4882b7d54c31baa5b535609b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ca0d56273c7ab06cacf3f6575c425e88

SHA1
5196a84fef854ea82736a792ec5cbec8d0c932f9

SHA256
efb9c176e1f1354bb9e6e73a298131f810bd817d10b01f3ebe32becd4f62b2e8

SHA512
ed40ba426d5487341cc9e417c3ac92ce4dc9e81101d36de4c1953dd81cbf2cd87850dd572496df33b3fb59fb8b9f191ef8257e6e500bd49bc788dc42c1f7db72

Download Submit