hxxps://outlook[.]office[.]com/findtime/vote?getrequesturl=https%3a%2f%2foutlook[.]office[.]com%2fows%2fPUID%3a10032002AB98452E%40c82b56a3-b5b4-4e6f-8c50-ef3f5f8f6fcf%2fbeta%2fOutlookMeetingPolls%2fGetPollForVotingPage%3fid%3dRgAAAAAjpiKCFtwnTKRxqpqea1-GBwC4R8_zserSS49AmCoqsGjxAACu5dkkAAC4R8_zserSS49AmCoqsGjxAACu5wpRAAAA0%26authtoken%3deyJhbGciOiJSUzI1NiIsImtpZCI6IloyeTkxSDI2NlFTcTVySGR2K1ljUFRxUVVzTT0iLCJ0eXAiOiJKV1QiLCJ4NXQiOiJNTkVPUHc1MEpXTk11NFBjT0ZFaTVYVW9ralUifQ[.]eyJvaWQiOiI3NTUxN2QxYS1hM2VmLTQyZTQtYWRlMS0yZDQzZWM3YWQwODMiLCJ2ZXIiOiJSZXNvdXJjZUxvb3BiYWNrLlVzZXIuVjEiLCJzY3AiOiJPdXRsb29rUG9sbC1JbnRlcm5hbC5SZWFkV3JpdGUiLCJyc2NvcGVsZW4iOiIyMzYiLCJyZXNvdXJjZV9zY29wZSI6IntcIlVSTFwiOlwicFlZZ2IrZnUzb3JjRWI5bkxvWURnNS9uM1hXRHRDd2puTHVFa1ZEeGtPYz1cIn0iLCJjb3JyaWQiOiIxNTQ5OGRiNi0yOWRlLTQ0M2UtOTM5MS0yYTA4NGE1NDI5YWYiLCJhcHBpZCI6IjE1N2NkZmJmLTczOTgtNGE1Ni05NmMzLWU5M2U5YWIzMDliNSIsImFwcGlkYWNyIjoiMCIsInRpZCI6ImM4MmI1NmEzLWI1YjQtNGU2Zi04YzUwLWVmM2Y1ZjhmNmZjZiIsImlhdCI6MTcwODUzODg2MSwibmJmIjoxNzA4NTM4ODYxLCJleHAiOjE3MTYzMTQ4NjEsImlzcyI6Imh0dHBzOi8vcmVzb3VyY2Uuc2VsZi8iLCJhdWQiOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSJ9[.]tG1jaB0GzV58WrHNXNhDK8VKAeUAVX6F9yBTr9nZErlCZU5Tb3Q57HkxsspGXuzkX9v_wpTIxElQMGYSUvWPrcigMaLMT8e_I68QUaKrP5vMoIjut5kDb0E7JeC9GFWXs21U9tlxDhiwyniDtI8_KmRRn5hS8B-aJMjwx5zfNtqqqROaSekD29NfzgAN4SjXtTP5npOBA-39VXyLEI7SwFc1UJM4Adcmv45-m8kf8AodkqKZhfRpy-2LGtEhocUdw8enuWTM4TXHYhgpy4qT18kYRHUGej2l3S-CCy8LKS5clNFyfSWgOv9JGjzrPZIay0cuMHMntju4lqM4ky0jrw&anonymous

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 02:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://outlook.office.com/findtime/vote?getrequesturl=https%3a%2f%2foutlook.office.com%2fows%2fPUID%3a10032002AB98452E%40c82b56a3-b5b4-4e6f-8c50-ef3f5f8f6fcf%2fbeta%2fOutlookMeetingPolls%2fGetPollForVotingPage%3fid%3dRgAAAAAjpiKCFtwnTKRxqpqea1-GBwC4R8_zserSS49AmCoqsGjxAACu5dkkAAC4R8_zserSS49AmCoqsGjxAACu5wpRAAAA0%26authtoken%3deyJhbGciOiJSUzI1NiIsImtpZCI6IloyeTkxSDI2NlFTcTVySGR2K1ljUFRxUVVzTT0iLCJ0eXAiOiJKV1QiLCJ4NXQiOiJNTkVPUHc1MEpXTk11NFBjT0ZFaTVYVW9ralUifQ.eyJvaWQiOiI3NTUxN2QxYS1hM2VmLTQyZTQtYWRlMS0yZDQzZWM3YWQwODMiLCJ2ZXIiOiJSZXNvdXJjZUxvb3BiYWNrLlVzZXIuVjEiLCJzY3AiOiJPdXRsb29rUG9sbC1JbnRlcm5hbC5SZWFkV3JpdGUiLCJyc2NvcGVsZW4iOiIyMzYiLCJyZXNvdXJjZV9zY29wZSI6IntcIlVSTFwiOlwicFlZZ2IrZnUzb3JjRWI5bkxvWURnNS9uM1hXRHRDd2puTHVFa1ZEeGtPYz1cIn0iLCJjb3JyaWQiOiIxNTQ5OGRiNi0yOWRlLTQ0M2UtOTM5MS0yYTA4NGE1NDI5YWYiLCJhcHBpZCI6IjE1N2NkZmJmLTczOTgtNGE1Ni05NmMzLWU5M2U5YWIzMDliNSIsImFwcGlkYWNyIjoiMCIsInRpZCI6ImM4MmI1NmEzLWI1YjQtNGU2Zi04YzUwLWVmM2Y1ZjhmNmZjZiIsImlhdCI6MTcwODUzODg2MSwibmJmIjoxNzA4NTM4ODYxLCJleHAiOjE3MTYzMTQ4NjEsImlzcyI6Imh0dHBzOi8vcmVzb3VyY2Uuc2VsZi8iLCJhdWQiOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSJ9.tG1jaB0GzV58WrHNXNhDK8VKAeUAVX6F9yBTr9nZErlCZU5Tb3Q57HkxsspGXuzkX9v_wpTIxElQMGYSUvWPrcigMaLMT8e_I68QUaKrP5vMoIjut5kDb0E7JeC9GFWXs21U9tlxDhiwyniDtI8_KmRRn5hS8B-aJMjwx5zfNtqqqROaSekD29NfzgAN4SjXtTP5npOBA-39VXyLEI7SwFc1UJM4Adcmv45-m8kf8AodkqKZhfRpy-2LGtEhocUdw8enuWTM4TXHYhgpy4qT18kYRHUGej2l3S-CCy8LKS5clNFyfSWgOv9JGjzrPZIay0cuMHMntju4lqM4ky0jrw&anonymous

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2308	msedge.exe
2308	msedge.exe
2716	msedge.exe
2716	msedge.exe
2572	identity_helper.exe
2572	identity_helper.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2292	2716	msedge.exe	84
PID 2716 wrote to memory of 2292	2716	msedge.exe	84
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2136	2716	msedge.exe	86
PID 2716 wrote to memory of 2308	2716	msedge.exe	85
PID 2716 wrote to memory of 2308	2716	msedge.exe	85
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87
PID 2716 wrote to memory of 2184	2716	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://outlook.office.com/findtime/vote?getrequesturl=https%3a%2f%2foutlook.office.com%2fows%2fPUID%3a10032002AB98452E%40c82b56a3-b5b4-4e6f-8c50-ef3f5f8f6fcf%2fbeta%2fOutlookMeetingPolls%2fGetPollForVotingPage%3fid%3dRgAAAAAjpiKCFtwnTKRxqpqea1-GBwC4R8_zserSS49AmCoqsGjxAACu5dkkAAC4R8_zserSS49AmCoqsGjxAACu5wpRAAAA0%26authtoken%3deyJhbGciOiJSUzI1NiIsImtpZCI6IloyeTkxSDI2NlFTcTVySGR2K1ljUFRxUVVzTT0iLCJ0eXAiOiJKV1QiLCJ4NXQiOiJNTkVPUHc1MEpXTk11NFBjT0ZFaTVYVW9ralUifQ.eyJvaWQiOiI3NTUxN2QxYS1hM2VmLTQyZTQtYWRlMS0yZDQzZWM3YWQwODMiLCJ2ZXIiOiJSZXNvdXJjZUxvb3BiYWNrLlVzZXIuVjEiLCJzY3AiOiJPdXRsb29rUG9sbC1JbnRlcm5hbC5SZWFkV3JpdGUiLCJyc2NvcGVsZW4iOiIyMzYiLCJyZXNvdXJjZV9zY29wZSI6IntcIlVSTFwiOlwicFlZZ2IrZnUzb3JjRWI5bkxvWURnNS9uM1hXRHRDd2puTHVFa1ZEeGtPYz1cIn0iLCJjb3JyaWQiOiIxNTQ5OGRiNi0yOWRlLTQ0M2UtOTM5MS0yYTA4NGE1NDI5YWYiLCJhcHBpZCI6IjE1N2NkZmJmLTczOTgtNGE1Ni05NmMzLWU5M2U5YWIzMDliNSIsImFwcGlkYWNyIjoiMCIsInRpZCI6ImM4MmI1NmEzLWI1YjQtNGU2Zi04YzUwLWVmM2Y1ZjhmNmZjZiIsImlhdCI6MTcwODUzODg2MSwibmJmIjoxNzA4NTM4ODYxLCJleHAiOjE3MTYzMTQ4NjEsImlzcyI6Imh0dHBzOi8vcmVzb3VyY2Uuc2VsZi8iLCJhdWQiOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSJ9.tG1jaB0GzV58WrHNXNhDK8VKAeUAVX6F9yBTr9nZErlCZU5Tb3Q57HkxsspGXuzkX9v_wpTIxElQMGYSUvWPrcigMaLMT8e_I68QUaKrP5vMoIjut5kDb0E7JeC9GFWXs21U9tlxDhiwyniDtI8_KmRRn5hS8B-aJMjwx5zfNtqqqROaSekD29NfzgAN4SjXtTP5npOBA-39VXyLEI7SwFc1UJM4Adcmv45-m8kf8AodkqKZhfRpy-2LGtEhocUdw8enuWTM4TXHYhgpy4qT18kYRHUGej2l3S-CCy8LKS5clNFyfSWgOv9JGjzrPZIay0cuMHMntju4lqM4ky0jrw&anonymous
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b42246f8,0x7ff8b4224708,0x7ff8b4224718
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,1622458656911111955,11172187764516907852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1622458656911111955,11172187764516907852,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,1622458656911111955,11172187764516907852,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1622458656911111955,11172187764516907852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1622458656911111955,11172187764516907852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1622458656911111955,11172187764516907852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1622458656911111955,11172187764516907852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1622458656911111955,11172187764516907852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1622458656911111955,11172187764516907852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1622458656911111955,11172187764516907852,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1622458656911111955,11172187764516907852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1622458656911111955,11172187764516907852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1622458656911111955,11172187764516907852,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1622458656911111955,11172187764516907852,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
91746379e314b064719e43e3422d0388

SHA1
65f1a2b5a93922d589142a6edf99b5b35d986dba

SHA256
0b3cf8ae20afd84c9bf06546e876c84922cb5800526df72a628479f4d5487df7

SHA512
a783d8d9613cf92020fc36fd27d384dbd4e105a1ebd02c4507bf7263e61ff5b377e6d1734b066700782fa64bcbeb11af31ac3972d404625cbdb587cfa3bc0808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ccf8b7b618672b2da2775b890d06c7af

SHA1
83717bc0ff28b8775a1360ef02882be22e4a5263

SHA256
ef08e2971a9ba903c9b91412275b39aabfd6d4aa5c46ade37d74ff86f0285420

SHA512
eb550889db8c4c0e7d79b2bd85c7d0e61b696df10ce3d76c48ab21b935c7ecc7b12403a00d6570e7d8e4121f72747242c2358f8f0823f804e704bd44ed603b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
17bd1202c639fe3fc0bb327e67099c11

SHA1
1a0dac910f4ea19ae6626ce87a57615df542bf13

SHA256
af0f4ff3f53d50557a12f2e121948cde215785fd0d6a6b9434810d9446e76775

SHA512
bdcca5a7b7207ec6433a243fb220c296ff18e2a0348373944071f3a4eddf6ffec062f1b2f78a865313468fc4b7e618f3f3b22d79eacd56e7ad9773676da80c33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
726B

MD5
20ba5118938d281fee91427c42415d42

SHA1
ba8a6ee3bd7f1c19a28fe7fdd776da804c041e33

SHA256
243a3c141b778056a0559a135227156aef383367cdbd6cd6092c881795ec2dd6

SHA512
528249ff9693a2a48230f0a849a07b2d392b5d0da0a5fbc4aa686f67bd0f07ecf479c2d4e8eddfef391aec4b349fc2b50c709c56617ddd855a7aeab0238b42e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d15e801641eb87abbc032fd803014c95

SHA1
b41b50e36bd2eb7156e8dd5d2377fbcacf8d3acd

SHA256
2707aa6be58aede904183f87e7f85c08a7ce2bc4350f2b1b3e8b9d5b6facddcf

SHA512
2f95a46b27064684f5386d21f8ad130d52c7dc5d66e9148712dca7d7e1060fa7626ce7f82eedf4ec191c9cd3012364bd4753aff8b51f812647c3d17edd396a6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eb06fad6d3facdba229a531e57d96886

SHA1
65b5aac5cfd980102ca87a8dda4114117efde28b

SHA256
9158f1c9a6f2e5052022eac14b88732284852416360907eee7d1063488543e2e

SHA512
fd3a758771b75c1ff824fbd87ae54a02084f168a2a0beaf7194edf32fd149b924714f44c45836041b47c64deb00c147c9573bde08bf73bf5d1d77985deda193c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d72ed80fdec047724d875efb17ea729c

SHA1
b28399b10210dc5e14b43206ab175ad94ea5c942

SHA256
455a3f10d0853eb3f834f0aa477ea08da9ea79d4a7106386c902e6ba7a899efc

SHA512
e22ee9bb65948176de48af7f82c0635b3cc77d0022f056500107612a5092d1c21ec24837cca77255764e6f1bb9c1fb007e136358dc76523aef69bcc963d22b99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ca74.TMP

Filesize
1KB

MD5
d5f7b390549c9f4aeda4881e4382ff47

SHA1
ac935fe3281d614ae13f409bb2ad4fd4a7198c48

SHA256
f515fdf8fa1bfdeddcc9e95c2a6746a4bf52b023888f157b841015d039d99986

SHA512
430c35dd86bf2c4b13f7a10d935d124eeba35205b25b2f264bf702e1ebd533a9f5a2b63f5116b3fe18168aff7f871be77d2424905d0ea1660541e230bf3c13fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5bfe6f4faa02eb5047d4d14338b0fe0c

SHA1
c35ab2d1154033f084d9331e31e047d4da9287f3

SHA256
bbe9ab5d4a98a1988b2186f3d5bbe6864adcfcdafe0fb9958da159a2d391bb5d

SHA512
9042d43106fddb3a77c3e3de2305aa073a546b54609960a46581a0aab59435193b2883924889a1e80e9463a3e849af1fefb5eaeea7d0f315979b79b5d99341ac

Download Submit