hxxps://onedrive[.]live[.]com/redir?resid=2607B1BE70906DC8*217543&authkey=*21AP5Rxm6D6hMGfwk&page=View&wd=target*28Quick*20Notes[.]one*7Cc6b436e0-b292-49a0-a6f5-de2faf95b2e1*2FLifeanalytics**BDOCUMENTO*7C2b2503ff-f3eb-4fd6-a6a2-e1abf60e1946*2F29&wdorigin=NavigationUrl

Analysis

max time kernel
168s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 13:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://onedrive.live.com/redir?resid=2607B1BE70906DC8*217543&authkey=*21AP5Rxm6D6hMGfwk&page=View&wd=target*28Quick*20Notes.one*7Cc6b436e0-b292-49a0-a6f5-de2faf95b2e1*2FLifeanalytics**BDOCUMENTO*7C2b2503ff-f3eb-4fd6-a6a2-e1abf60e1946*2F29&wdorigin=NavigationUrl

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-513485977-2495024337-1260977654-1000\{258B3DE1-2DF8-4833-AF86-ECA265EE5446}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2172	msedge.exe
2172	msedge.exe
2728	msedge.exe
2728	msedge.exe
1848	identity_helper.exe
1848	identity_helper.exe
5464	msedge.exe
5464	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 1692	2728	msedge.exe	87
PID 2728 wrote to memory of 1692	2728	msedge.exe	87
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 4476	2728	msedge.exe	90
PID 2728 wrote to memory of 2172	2728	msedge.exe	91
PID 2728 wrote to memory of 2172	2728	msedge.exe	91
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92
PID 2728 wrote to memory of 4456	2728	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onedrive.live.com/redir?resid=2607B1BE70906DC8*217543&authkey=*21AP5Rxm6D6hMGfwk&page=View&wd=target*28Quick*20Notes.one*7Cc6b436e0-b292-49a0-a6f5-de2faf95b2e1*2FLifeanalytics**BDOCUMENTO*7C2b2503ff-f3eb-4fd6-a6a2-e1abf60e1946*2F29&wdorigin=NavigationUrl
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef88f46f8,0x7ffef88f4708,0x7ffef88f4718
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1876 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8322683441375623486,1585860047459545181,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3ae96aac-0a1f-4d0b-8dbc-06383c5df164.tmp

Filesize
6KB

MD5
bfcbc88af4e94fb53a342f0cc0994826

SHA1
199643fa39306596258c66e31022844117f3c4be

SHA256
048d2ad6a8fc1ada15885907d7a160299374d98993f3bc18ddb77d59c1ef9558

SHA512
97dc6d52ea69862bcbe6f426ce43fc604e21d09f79b3da18046ef6a05ded5ed6a0be9b877a2215fbcccb153f8e74b7bc0cabe8943dfd9e082cb07d1ddb65c2c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
67KB

MD5
88a552e6be1ac3978c49143983276b3a

SHA1
dbf4f4dc62a3da564b1a87b5191dc9a72a9b9423

SHA256
927121d8118a41fa3460b9ad84daeae59ea60dc9607e462b7e1341bea60da8d5

SHA512
125b13be3d209ff5cc12d8f9f12d01d271cd50c2800059241ebb419167c21adfa9d979ff6b8d88052f5d302e98090b7c8ceff4894b397168d8ba6d8a6204fb9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
34KB

MD5
02214b097305a8302b21e630fa201576

SHA1
90c2a31521803b73e847f7a3e0cfceec84df9fa5

SHA256
1d98076cfae6a0a8f0b0b1c654270b900de83e633cc01d98ef63e6a8e485a3f4

SHA512
553c81eb51880f83b9918aef766ff0f41170895b1cda2589f0b69c3d1362de8e8decf14a413f6b5df1fb7ce07fc939211407b29046188b37c290133c9d5e1cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
1.1MB

MD5
fcb3b79b4ee2a97d69020a59b8d5caee

SHA1
4c8c8dc00b8c71694cdadbfd1fe70358d34a0883

SHA256
36b4ec7a0ae8d3b2f907b88735287ffc68c0c35e472b3c8cc30f49f4387c9f8b

SHA512
7874b3e78d0c0ef2f1f2e417a989550208c20aab398ef9ec800104dc047ec3866863dbbeab379fdbda7643210b03e20d7305a5fb776df88bef72ad89023cb558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041

Filesize
197KB

MD5
5e28e72b443ded036a4cf369d0dda3bf

SHA1
0500de4480a54243b12d096745c6ba04c9479e66

SHA256
15fc7a054efbb9f76d937448fbb4814d7b3f25a6d137e24c1a69e32947eae71e

SHA512
7d17a5248e54e4dda8fd17a4d662edbb274629161a1e25b3b7f7f5112541663a5040788177268c53b2c78bc7e6d2204ccfb342d93c2ceec0a12d8a41788c088b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
cf40e2db80295cc737f5ebdae6082faf

SHA1
688f2a07a8988799317e62492b7de015d3d8e06e

SHA256
77a424cb201ed1d0eaa3f09c27993281d81586b8c41cfc9ac6ef71ce57875591

SHA512
19e6ea4bf0a5b262aabcf2f0e56312f4410fb3eae198bad73d180905b69581359c4f156c0b7d002f3ccabae1319618f6c2b98ab86fa617c693937639807d87b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
472872d7f3e1af6f635b141f92f600f3

SHA1
153df13bf5111c22b40c014f021318acc4dbe9b1

SHA256
fbd7fc1c8b3a374ddf19a2335139c34d4cf1f20bf1f781ba635c28ca9500f303

SHA512
0bf403d0dff339fc79a790a97e538aeb737e2d57f1fbadfdc17f2e0e2f0b365dc3fc5f85b3c047b06a93cea2e29da9f450afb739cbeb9ec2207de85453a8a6da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2c5fc8b1710328086f0086673d54223d

SHA1
9c2c7b8f515f9751920eb478da5295fda3fcf543

SHA256
44b63e91f643b679e03cd6d2f02f8408515018d22d3bce790c105270867461cd

SHA512
70662be1d6ad157ea438bb7ccd00fa51b90c6ea5fb951794bdc0b00d30d5f685190bc6e0b90b78b33b0be5d033bd44d712a685e5226d9813648c387b2af1aa40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
31718c8dad8dc387e540252f6e3d9c1d

SHA1
aadb4280f4d5d6523595b878c78f75d2d7036712

SHA256
40bd6c276b97fa849594ffc4605dfb371ed209b0458b0161d6e43a7898ebe98d

SHA512
1d0b6289cff6a7129ceed214a428cf326600c89ddeb85459630b94da7ca9cc611a3de7f314b2b92f152f07b5124b283d959900d3d8bf66b9c6152b473ebf3db0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
797feb0e79b74e8647fcd99bca4336d2

SHA1
ebfbf4119274cf5b9f7a4d4543daa2531aaa29d0

SHA256
d1337b9f795e83f00e6745b057986588d3bae2b45a2d5e50c3b38a9fcf335c97

SHA512
1946df9656b6f726eb917b6a46611a21c45badc9a563a34b6467373164754eff52beaa6845c1f82d5a3da2a907b44653ab9762e3477d461495448595a6d17ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b0b2e4b019c2dce59cf56113f4cfa245

SHA1
c58ad5716d166fbc95da311a47887f958b040b7d

SHA256
9e2f3cded6cfaa60d79f0ca83e058a8cb479f8869b23d5194e53152f1a5f479a

SHA512
97cd9cb2ce085cca781c2460f06f5224793e3128ffb00be7349215987efa121fe4513e45de363b548d65edd315634d0acd10b52d6c476bbaaa10aa5afeda88dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3edbe041e92973e3b1f7c697ef8f0792

SHA1
9719f4b0e36837535f045ca9112d08f3b35238c9

SHA256
34d7f14397dc956f04089f4e051a47bef5f59b349da36b5cb8a0c3799f8181f0

SHA512
f8412e61c94462afc189244d9694796acb0fb734741784c2a61582bdc4978cb610a735b3e7bae837068b61a9b5ba07243a0f098c923d833ea733c1b1938c9c03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
87a8f975837d4a647bd57cbf87dacc86

SHA1
eabf022d6d25bba96d077abe960b5b1098e5f6d9

SHA256
469c3c7d8fb6798701bff2de4bb54f2f58e12725e9a7f02b691aaa61fbc577dc

SHA512
1980fceee2ef46c0dca3f40ccd1a23cf4f8fb71b3bd3272829d0fca88b563268334936d9be9e7e4d56e1c4c78b9af65dbda0b839cbb1c3eacd2811efc7db3fd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
c015d7867405873af96f4ad3695ab3b6

SHA1
6c92b169cbdd2317e7a460c57ef9208f1d22f0fd

SHA256
580d997a4465ce3821bf4e1bd727198a5348984d4a65177eebcbd172aa1288d8

SHA512
877fca81781e7452b130b04fd417803184921c90ccb125077b0737f19500227896fe69731e124d62154f3116449cc49074fe6a6803d50ec6ab03978d6bea100b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ef25228a0fcf64beda90b82e3a45a157

SHA1
7c04d4b8a5638bcda0fded2f18558f082010ec4e

SHA256
6c9d65cd302c15496ff06e1481e42312c95c854328648128d5461f2bea8f2e45

SHA512
b60baf436c68e7ed468c7e4fff8a41d833d728f6b0a7f9661f70229fd1f5d232db1fccd7300865540bc971c11e99ce883263f7fc7895696e0f63ea0d3e191ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4234acdc1188bb2f148af61295d29455

SHA1
ea7153b5c48d8d3ef99e37c9fd2dae80c6331857

SHA256
9c17ebd659d47c0ebf2db047fba37ef23734d014edf95df0fd3012270cfc94b2

SHA512
8cd6ba4a859050cdb9f86dcd6a43ac393dd1dbff65bb77004aca4fdaeeab50259b7aad2f5702f0ff09beb2c26fd1dbc72a3bb266cdbffcaa3dd45c657c1806c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
38a03c9d8ec2edc4a90a9f4f1cbb7f72

SHA1
c3cf5e388ba7fb802f0a0d82e5f0ea9ef2164210

SHA256
0c71ae40a30165b0821d5f82953e4c4e9130fc9c1c55dd6dbacdf53aeafb661e

SHA512
5032f9b83c60dff3ee26a1afeeaecca3c119a17cc9958719460f71a9e29e5ef7c9d889f290d08403107c9c3c17fa399bd7f62f1ff38fed4cc0e1c32963c4b897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5892b9c25d4fe8185a59a4ec60ce5cc5

SHA1
99e3fb5cbb29207517a0baddc5f9bd7f45f1b19e

SHA256
e88e7d21cad4d6bdd6046f87e50c123406e4ad3a1f15a6bce819feb900656a17

SHA512
8ed4abdddb6610d54e61e1c1d2049f68c144d9d985212cc803aeeb7a7586caf10a0baf9f76dd2348164e3d4fa47a039427faa485184933a682aa0db3964a366f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5837c4.TMP

Filesize
204B

MD5
3eaa6b65aff8b53cef7a81dd0567f76b

SHA1
82ba372361778946b45bb54d8081a172186fb15e

SHA256
5a434827c9bc7e552339d826427bbf8af1c907fc575b513266ac0b599334a64b

SHA512
a2fe87985a2b8692e5d7ee2c3cfb856df27e5b94d6d82315999e1ec07d34732095144dbbe9a93a060a19b11024a215a169de4822c52da6dee0a9adcab39eccc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e9c60a0c-0ee6-4dde-81f0-074834983f72.tmp

Filesize
1KB

MD5
d2402a42ce237bd058165ebea2612be7

SHA1
95a0796e201c11708e396f9913baa0492f1b53c9

SHA256
523aada6788f99da8d399c4c6b47363f21e85661285f062adb19639cd846f156

SHA512
c4342b8df410dfc4266bfc45e7757c43b6b4b79f8518853542692300b6c89d1973234a583323d41c3175609d06d3155853c46b75bba7383699f10eb470af738d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b12c84f55b5f381941874c62c7c63cef

SHA1
835ecd8e033d725858b834e27673b1a1329b8f32

SHA256
ddf42b37dbcd1358ab67b37121c7644704fc88c00c006ed03796e863602b41a5

SHA512
0d5f1fdd5b2131f30a5f87869c52106926d8977920689ac955ed337b53950edd4bbe54787b1c93223b2e8d061d39a984729c71ab2b2d7e9290c3878ea742842d

Download Submit