hxxps://monsterredblue[.]com/claims/?client=30798

Resubmissions

19-04-2024 10:02

240419-l2z6kaef84 10

19-04-2024 09:41

240419-lnwk8aeh5s 6

Analysis

max time kernel
1047s
max time network
1053s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://monsterredblue.com/claims/?client=30798

Score

6^/10

motw phishing

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

62 raw.githubusercontent.com
64 raw.githubusercontent.com
Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs
phishing motw

Processes:

flow ioc

22 https://case.stretto.com/voyager/file-a-claim

flow	ioc
62	raw.githubusercontent.com
64	raw.githubusercontent.com

flow	ioc
22	https://case.stretto.com/voyager/file-a-claim

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2704	msedge.exe
2704	msedge.exe
3648	msedge.exe
3648	msedge.exe
2784	identity_helper.exe
2784	identity_helper.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 35 IoCs

Processes:

msedge.exe

pid	process
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3648 wrote to memory of 2756	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 2756	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 464	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 2704	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 2704	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3852	3648	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://monsterredblue.com/claims/?client=30798
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc5f46f8,0x7ff9cc5f4708,0x7ff9cc5f4718
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2672 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6400 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1288 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1080 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16384876011753616336,16318214634562586372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:3416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
846ce533b9e20979bf1857f1afb61925

SHA1
4c6726618d10805940dba5e6cf849448b552bf68

SHA256
b81574d678f49d36d874dc062a1291092ab94164b92f7e30d42d9c61cc0e77c3

SHA512
8fb228fae89f063159dabc93871db205d836bdb4ec8f54a2f642bd0b1ac531eea0c21234a8ca75a0ae9a008d2399a9bf20a481f5d6a6eab53a533cd03aeaaa2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
104aab1e178489256a1425b28119ec93

SHA1
0bcf8ad28df672c618cb832ba8de8f85bd858a6c

SHA256
b92c19f079ef5948cb58654ce76f582a480a82cddc5083764ed7f1eac27b8d01

SHA512
b4f930f87eb86497672f32eb7cc77548d8afb09ad9fdba0508f368d5710e3a75c44b1fd9f96c98c2f0bd08deb4afde28330b11cf23e456c92cc509d28677d2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\157973ff-84c9-4f78-b9d7-21e0e879f875.tmp

Filesize
6KB

MD5
53961fd4a04e7e5c6c086b5ec7ac68eb

SHA1
7a4f85b91c4295cfdd649edbd52f98ec0fc50cd7

SHA256
f4b6d7470e6b66cfdae2fbb1d4f87151a4c9c29ba0398f7c5fd9e7058c9301dd

SHA512
8427e6545889934476694044f82b7a3c10898bf51fdd6fb89ff058790f252420fa619078854b8ef598abaf11abca5c098fe5433d3a0557f6ebcfb90164d615db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3fa0bd2e-606e-4145-b3a5-97737ea24da8.tmp

Filesize
1KB

MD5
c8d6f532417b709769cdf5bcfc9d8ac9

SHA1
37420e8b015b6a1aa8b5d48de05d22830078bae6

SHA256
016d4b5a380b40e0933a81bd1a9e7dc14e7cfc46cfba873497849162f7528a4b

SHA512
1a143fe0883c94e625cbc602b2ace6307eb9eb102b2dc2d336d6197db895eeef39a5cdaa945b4cb5ac750f3531516f78052fc5aeffde4c2115a394acab5fe8f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
df810edfbe21be20a7ec1a76c9001bef

SHA1
15029598d44218b868aa4f2beeb483e845663ad2

SHA256
2ca5e7a4a4580d77823b70ee32f6f98a01e3962c317e502504761bf018b16ec2

SHA512
a751b13c9019dcf28ba76f0f44d2c2a9b8889411b00745611682a6b10c7e6d60ea3b8602b1265a04395e98c3e75c59279fc84b58e061f65276945e0f76ee6fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
5abdbb0ced5260c0c8986193fa160089

SHA1
c80f843700ba235680a3776511d666f9349ac536

SHA256
a8f5fd23a7565068c6f47e8d444ba9e884df458796b1604c3d3847bd73b50256

SHA512
795c04d276bbf9fd047a7d85816dc22d56677010914e8ebd2b61e6c6ef85233ce8c6d18555e40cbb5bf64623438beecfcf56e535e20df543a59180d83ca9e26e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
293ce8d5c31c144d9f724677abd65826

SHA1
41bfaaa1be69a778120d4a0611758f37fccefb11

SHA256
768263d21763f99c7488b1230ebc2878fd36b4e6555db5bc2e383991dc7a0f0b

SHA512
bb82069c65527c9b42e8d12a1660a99c89cc249a99203b1554452274ea23acf7ef064cc47d2cc108930f69c5c1c144514cea7bd76ccc978b32cc1dfdc9207ee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
71124b93ac3a92c9244a03c7693be60f

SHA1
5f8911b6abd2425d994103b3f6d2dd786a7fc510

SHA256
48057ec11fb452e047ca891b0981572db04c89840da82bf70a68971ca08fa312

SHA512
e2ec305cb8f613762fcfdde31f938f174b7bbd4b9ec9a20f75ea5601d8cb1c76ec11844be40990ecdb8543824f7e557388bc3b2b259dbcd2c13efcc395d75008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dc8ad91c113efdc0a69dc4df0e0e38f5

SHA1
0b782fb3bde0f7fcddb895807f4639de25fd5024

SHA256
095431744b721f341986e4157b1e97ad7df374959ba2db752099e1e8383c47f4

SHA512
e5e7351ead1e4f7927676fd1f68557950786b90b61d35403e2bb12ab402eab1d4140d2dc44a542bfc5cc3c1d0ff52dc9909d960be976856847d32296f251018f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b4f604e31a75dba136a40f32e327a4f8

SHA1
0da8e5cfa09295557cc60e647bb8e5899189816d

SHA256
0d7d6020e41c9196c899562e1451a22f05236c015db121c4ec453d842c786458

SHA512
88ae8f0187dfacd7a315c404db20fad3468b0dd603b9cdded8b503bbb4e807e62d539f80db966d9be2890ecab38bc1a0aeefd04ae9f85c7b0803fe14a364711c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a8bc79df5e906ae1f8733bd45e521513

SHA1
42f2381c358a43e059284d2b6ba702b783c09f93

SHA256
e80abb681d7d25a78e5bc0e136e9b5aa059a4b01334df8d65c318b44d69a7c1a

SHA512
4e41df3332652aa3c2c195c9b70af4fab9c86518093fe3e76e837c5f01f813e0a0f7fcb55ab0b42fe6a47c74726b68baf792593b2f726f3376398f718da812ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6292ff1717e24185452ccfd51a6781e7

SHA1
6401a8136f42e444ea8bf13b32d319b7bee720ec

SHA256
8d8edbafed393bc2cd42570bdb165a2df913bab78e7b9cad961ec643ce5ff109

SHA512
74874d97c7e7331409630a31ff546772ce656be2702c4380bac3db8e8f6c1c7d2c3c83970483a089de14cdba1f6ffdcc3351f1ae4487e88f0041d597d279a61f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
073d62ff02718dbdd79e9f095194347c

SHA1
72f9519583ed526c96ae74b239e193230887d8e5

SHA256
53040edc9d14c161ee390a60b6c27df00d50385cc51734a1ecfd0a22b8d83163

SHA512
c2f49d36a70a3d92a7e595bfc377529e3b6733ca366dec68188504c33a048c51f152ccc5644693144f01295bf52b36870caecef1f2beb012b174a5fd9fc0693c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
26bd659da7fa6f39e7890edd31a91317

SHA1
922f3fb393f90e86d24daad0a9d4c24ace78688c

SHA256
94ca5378b2ff8a20275265a40744e33f5db928f8281d45e00ff4e2bc46b57953

SHA512
0eb00e85a58993e1268ec89ae0163164e963d10217bb62dfafc13376b01fe8b90c90c5a4fecf57a69374ecea035bbdf0923bf50e1f28d17798dbaa55a0938af4

Download Submit
\??\pipe\LOCAL\crashpad_3648_NVMDVLNHCHCBMVAQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit