hxxps://click[.]pstmrk[.]it/3s/click[.]pstmrk[.]it%2F3s%2Fclick[.]pstmrk[.]it%252F3s%252Fgigabyteinternet[.]com[.]br%25252F%25252520eub%25252520ib%25252520ibuie%25252520cbv%25252520y%25252520tv%25252520tyv%25252520gy%25252520uvy%25252520tv[.]%25252520itv%25252520gv%25252520iytyuv%25252520g%25252520v[.]%25252520tiyvf%25252520r6d[.]%25252520uiv%25252520hkbv%25252520yt%25252520vr6%25252520d5%25252520765f%25252520v%25252520f%25252520vct%25252520rxc%25252520r6u%25252520iv%25252520vgt%25252520fv%2525252068%2525252048f8r%25252520e5uriv%25252520utyv%252525206%25252520fr%25252520fd7ed%252525205%25252520d6%25252520rft%25252520u6%25252520u%25252520tfdr%252525206f57%25252520g7ti%25252520f6%25252520u58rt7fg%252525206fu%25252520r65d8fr%25252F%25252520gvftrv%25252520tft%25252520fgt6r%25252520tigf%25252520tfrfd6%25252520uf%25252520igf%252525206rf6%25252520uft%252525206u%25252520fu6rdf%25252520ye5d%25252520r6fr%252525206ud%2525252057%25252520d46%25252520fr6%25252520t5d%25252520ey54%25252520sd463sd%252525206fr[.]%252525205d%252525204s%25252520w5%25252520s3%25252520d%252525203e%25252520rr%25252520t%25252520rt%25252520tr%25252520ft%25252520r%25252520t%25252520rf%25252520trf%25252520t%25252520f%25252520t%25252520r%252525205tt%25252520g%25252520frt%25252520yh%25252520gt%25252520yt%25252520yty%25252520y%25252520y%25252F%25252520tvtyrdce%252525206df%25252520gt%25252520yug%25252520t%25252520fg%25252520g78%25252520766%252525205d4%25252520w5s%2525252032%2525252046y6%25252520fugu%25252520yu%25252520gt%25252520f%25252520rfui%25252520gyu%25252520tdf%252525204576%25252520gtyu%25252520uf%25252520574d%252525208f7t%25252520r6%25252520d75%25252520d6fcu%25252520fd75%25252520687gtt6%25252520758g%25252520tr%2525252057d6f%25252520ty%25252520f57rf7g%25252520i%25252Ftrf%25252520r5d%2525252032%25252520534%25252520e6d6u%25252520tgiy%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520r6f%252525205de%25252520ds3%252525205%25252520sdyf%25252520ut6f%252525206%25252520fd54d43ss5%25252520dde5drd%2525252056d%252525205%25252520d346s[.]%25252520rd%25252520e56%25252520d4

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 14:55

Sharing

Behavioral task

behavioral1

Sample

https://click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s%252Fgigabyteinternet.com.br%25252F%25252520eub%25252520ib%25252520ibuie%25252520cbv%25252520y%25252520tv%25252520tyv%25252520gy%25252520uvy%25252520tv.%25252520itv%25252520gv%25252520iytyuv%25252520g%25252520v.%25252520tiyvf%25252520r6d.%25252520uiv%25252520hkbv%25252520yt%25252520vr6%25252520d5%25252520765f%25252520v%25252520f%25252520vct%25252520rxc%25252520r6u%25252520iv%25252520vgt%25252520fv%2525252068%2525252048f8r%25252520e5uriv%25252520utyv%252525206%25252520fr%25252520fd7ed%252525205%25252520d6%25252520rft%25252520u6%25252520u%25252520tfdr%252525206f57%25252520g7ti%25252520f6%25252520u58rt7fg%252525206fu%25252520r65d8fr%25252F%25252520gvftrv%25252520tft%25252520fgt6r%25252520tigf%25252520tfrfd6%25252520uf%25252520igf%252525206rf6%25252520uft%252525206u%25252520fu6rdf%25252520ye5d%25252520r6fr%252525206ud%2525252057%25252520d46%25252520fr6%25252520t5d%25252520ey54%25252520sd463sd%252525206fr.%252525205d%252525204s%25252520w5%25252520s3%25252520d%252525203e%25252520rr%25252520t%25252520rt%25252520tr%25252520ft%25252520r%25252520t%25252520rf%25252520trf%25252520t%25252520f%25252520t%25252520r%252525205tt%25252520g%25252520frt%25252520yh%25252520gt%25252520yt%25252520yty%25252520y%25252520y%25252F%25252520tvtyrdce%252525206df%25252520gt%25252520yug%25252520t%25252520fg%25252520g78%25252520766%252525205d4%25252520w5s%2525252032%2525252046y6%25252520fugu%25252520yu%25252520gt%25252520f%25252520rfui%25252520gyu%25252520tdf%252525204576%25252520gtyu%25252520uf%25252520574d%252525208f7t%25252520r6%25252520d75%25252520d6fcu%25252520fd75%25252520687gtt6%25252520758g%25252520tr%2525252057d6f%25252520ty%25252520f57rf7g%25252520i%25252Ftrf%25252520r5d%2525252032%25252520534%25252520e6d6u%25252520tgiy%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520r6f%252525205de%25252520ds3%252525205%25252520sdyf%25252520ut6f%252525206%25252520fd54d43ss5%25252520dde5drd%2525252056d%252525205%25252520d346s.%25252520rd%25252520e56%25252520d4

Resource

win10v2004-20240226-en

windows10-2004-x64

6 signatures

150 seconds

Report Analysis Logs

General

Target

https://click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s%252Fgigabyteinternet.com.br%25252F%25252520eub%25252520ib%25252520ibuie%25252520cbv%25252520y%25252520tv%25252520tyv%25252520gy%25252520uvy%25252520tv.%25252520itv%25252520gv%25252520iytyuv%25252520g%25252520v.%25252520tiyvf%25252520r6d.%25252520uiv%25252520hkbv%25252520yt%25252520vr6%25252520d5%25252520765f%25252520v%25252520f%25252520vct%25252520rxc%25252520r6u%25252520iv%25252520vgt%25252520fv%2525252068%2525252048f8r%25252520e5uriv%25252520utyv%252525206%25252520fr%25252520fd7ed%252525205%25252520d6%25252520rft%25252520u6%25252520u%25252520tfdr%252525206f57%25252520g7ti%25252520f6%25252520u58rt7fg%252525206fu%25252520r65d8fr%25252F%25252520gvftrv%25252520tft%25252520fgt6r%25252520tigf%25252520tfrfd6%25252520uf%25252520igf%252525206rf6%25252520uft%252525206u%25252520fu6rdf%25252520ye5d%25252520r6fr%252525206ud%2525252057%25252520d46%25252520fr6%25252520t5d%25252520ey54%25252520sd463sd%252525206fr.%252525205d%252525204s%25252520w5%25252520s3%25252520d%252525203e%25252520rr%25252520t%25252520rt%25252520tr%25252520ft%25252520r%25252520t%25252520rf%25252520trf%25252520t%25252520f%25252520t%25252520r%252525205tt%25252520g%25252520frt%25252520yh%25252520gt%25252520yt%25252520yty%25252520y%25252520y%25252F%25252520tvtyrdce%252525206df%25252520gt%25252520yug%25252520t%25252520fg%25252520g78%25252520766%252525205d4%25252520w5s%2525252032%2525252046y6%25252520fugu%25252520yu%25252520gt%25252520f%25252520rfui%25252520gyu%25252520tdf%252525204576%25252520gtyu%25252520uf%25252520574d%252525208f7t%25252520r6%25252520d75%25252520d6fcu%25252520fd75%25252520687gtt6%25252520758g%25252520tr%2525252057d6f%25252520ty%25252520f57rf7g%25252520i%25252Ftrf%25252520r5d%2525252032%25252520534%25252520e6d6u%25252520tgiy%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520r6f%252525205de%25252520ds3%252525205%25252520sdyf%25252520ut6f%252525206%25252520fd54d43ss5%25252520dde5drd%2525252056d%252525205%25252520d346s.%25252520rd%25252520e56%25252520d4

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
2884	msedge.exe
2884	msedge.exe
3940	identity_helper.exe
3940	identity_helper.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2372	2884	msedge.exe	87
PID 2884 wrote to memory of 2372	2884	msedge.exe	87
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 3504	2884	msedge.exe	89
PID 2884 wrote to memory of 4824	2884	msedge.exe	90
PID 2884 wrote to memory of 4824	2884	msedge.exe	90
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91
PID 2884 wrote to memory of 3992	2884	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s%252Fgigabyteinternet.com.br%25252F%25252520eub%25252520ib%25252520ibuie%25252520cbv%25252520y%25252520tv%25252520tyv%25252520gy%25252520uvy%25252520tv.%25252520itv%25252520gv%25252520iytyuv%25252520g%25252520v.%25252520tiyvf%25252520r6d.%25252520uiv%25252520hkbv%25252520yt%25252520vr6%25252520d5%25252520765f%25252520v%25252520f%25252520vct%25252520rxc%25252520r6u%25252520iv%25252520vgt%25252520fv%2525252068%2525252048f8r%25252520e5uriv%25252520utyv%252525206%25252520fr%25252520fd7ed%252525205%25252520d6%25252520rft%25252520u6%25252520u%25252520tfdr%252525206f57%25252520g7ti%25252520f6%25252520u58rt7fg%252525206fu%25252520r65d8fr%25252F%25252520gvftrv%25252520tft%25252520fgt6r%25252520tigf%25252520tfrfd6%25252520uf%25252520igf%252525206rf6%25252520uft%252525206u%25252520fu6rdf%25252520ye5d%25252520r6fr%252525206ud%2525252057%25252520d46%25252520fr6%25252520t5d%25252520ey54%25252520sd463sd%252525206fr.%252525205d%252525204s%25252520w5%25252520s3%25252520d%252525203e%25252520rr%25252520t%25252520rt%25252520tr%25252520ft%25252520r%25252520t%25252520rf%25252520trf%25252520t%25252520f%25252520t%25252520r%252525205tt%25252520g%25252520frt%25252520yh%25252520gt%25252520yt%25252520yty%25252520y%25252520y%25252F%25252520tvtyrdce%252525206df%25252520gt%25252520yug%25252520t%25252520fg%25252520g78%25252520766%252525205d4%25252520w5s%2525252032%2525252046y6%25252520fugu%25252520yu%25252520gt%25252520f%25252520rfui%25252520gyu%25252520tdf%252525204576%25252520gtyu%25252520uf%25252520574d%252525208f7t%25252520r6%25252520d75%25252520d6fcu%25252520fd75%25252520687gtt6%25252520758g%25252520tr%2525252057d6f%25252520ty%25252520f57rf7g%25252520i%25252Ftrf%25252520r5d%2525252032%25252520534%25252520e6d6u%25252520tgiy%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520r6f%252525205de%25252520ds3%252525205%25252520sdyf%25252520ut6f%252525206%25252520fd54d43ss5%25252520dde5drd%2525252056d%252525205%25252520d346s.%25252520rd%25252520e56%25252520d4
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c99e46f8,0x7ff9c99e4708,0x7ff9c99e4718
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,7119687385924130882,18430775214752777728,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,7119687385924130882,18430775214752777728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,7119687385924130882,18430775214752777728,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7119687385924130882,18430775214752777728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7119687385924130882,18430775214752777728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7119687385924130882,18430775214752777728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7119687385924130882,18430775214752777728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,7119687385924130882,18430775214752777728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,7119687385924130882,18430775214752777728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7119687385924130882,18430775214752777728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7119687385924130882,18430775214752777728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7119687385924130882,18430775214752777728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7119687385924130882,18430775214752777728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7119687385924130882,18430775214752777728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1
  2⤵
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7119687385924130882,18430775214752777728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,7119687385924130882,18430775214752777728,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4640 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
183B

MD5
f90eb9ad2e569376c052eb0326bffc9a

SHA1
ed92a69408ab31b4327e5d42446fc398b772faab

SHA256
5baa19cb05f29648a2427c892884d9a694d90e58faab7a1ee336750126cfb327

SHA512
2348dc312aa5cf5cae52d9595f846368075ce3d932b63b974c4dba5e7a27af4130c1eb1daff1555d40833b7f30d04d9b0a1f8c08d7e8074135c4367fe954cc23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3182f5ed1c542c3ccfbcb67e5eeb3582

SHA1
5f0b7b4ed9579f2212c9bb3c7bdd211659c483b0

SHA256
7db7e168dbd65df806bcc31ed728ec6e64a8e16a92e69d43046ad4f6e7e30bea

SHA512
f8d6da0478825d25ac8ecf13b3d66d0016b81ce46e72f6ab1b8e5dc7993f10e885d32a5375a3d19bc0796fc7de4d80d0cfba898a8864fbdb6b42044327712d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
76c4cc8207b15b18f5dc229f582d7e4b

SHA1
2bfea4b7c1d90642a3942b26c279e1e952a96605

SHA256
f79682bb15d7a46fbd5d2b9e196de43e1e2f37f5d44bc0d68b54a9ea35133cbe

SHA512
964bbb2d85fe4e53ac6e8bed9704b2aec0507d917d4803f0831b6ef90af705145db41315615bf52487556429998e19fedd006fbf980b3df61ff37c8148efb1f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7079bbd2dffb19b5ee3f6c95f623ec8b

SHA1
9fdae6202ff08ec4c8234bcfea8a5eb9161e2492

SHA256
0167b27ed4c80120b021038d407aae2ae74dfdbd27e7debf377f5e313bb19dd6

SHA512
cee8e356803d16dfdef8af4ba0b38642b858b8d03ea80cb2c66e3dd3f40aaf39e46a2d85a53d81b23037e44dfb0d1dbd48e33ab2c492eaadd2c9bdae37ebd619

Download Submit