hxxps://lap[.]quantumkill[.]info/index[.]php/campaigns/ea7678bd9q177

Analysis

max time kernel
317s
max time network
327s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://lap.quantumkill.info/index.php/campaigns/ea7678bd9q177

Score

6^/10

motw phishing

Malware Config

Signatures

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs
phishing motw

Processes:

flow ioc

59 http://nestpromails.com/

flow	ioc
59	http://nestpromails.com/

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2080292272-204036150-2159171770-1000\{643A823B-6E63-4FAC-BFEE-152FDAAB062A}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
3040	msedge.exe
3040	msedge.exe
3612	msedge.exe
3612	msedge.exe
4500	identity_helper.exe
4500	identity_helper.exe
4120	msedge.exe
4120	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

Processes:

msedge.exe

pid	process
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3612 wrote to memory of 1712	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1712	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 1528	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 3040	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 3040	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe
PID 3612 wrote to memory of 2768	3612	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lap.quantumkill.info/index.php/campaigns/ea7678bd9q177
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9db446f8,0x7ffa9db44708,0x7ffa9db44718
2⤵
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
2⤵
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
2⤵
PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
2⤵
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
2⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
2⤵
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
2⤵
PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
2⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
2⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
2⤵
PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
2⤵
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
2⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
2⤵
PID:1288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
2⤵
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1360 /prefetch:1
2⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
2⤵
PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
2⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
2⤵
PID:1968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5608 /prefetch:8
2⤵
PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
2⤵
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
2⤵
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6048 /prefetch:8
2⤵
PID:3872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5672 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
2⤵
PID:2280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
2⤵
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
2⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6092737256911336374,10930917984616622969,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3336 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\34f1c9c5-626d-4dec-8094-6c61cbbcec9d.tmp
Filesize
1KB

MD5
7f078689158829ee4a80de6c8c456d8d

SHA1
d0bad7626839a5f2b1b33537de1f249444d2f234

SHA256
0b76f08522896577a1317efe5d677d737255dce94b9f6a4b49a45af55fa29319

SHA512
814c7d934b77c7cf95a23024a806fb88a18b284c7eb7c324853f1226b57db0e445775bd5c3aa9ce7e84466603818640ebc040bee95ac900b8b1c7b6e911c6062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001
Filesize
34KB

MD5
0e8eefb4549a2edf26c560cb9845952e

SHA1
8d0b1718aacad934fd0043c87cbc54aa091396bf

SHA256
7f653b3ce9d3277457fc6da4edb246ae2f6c913f088c42dcb8cd2e96267aa21a

SHA512
237659dd4b8680ab4856d38290d57ae9211b479c51033d8db4ac61326551e33cc245ebf10eed35aab6854d8196d6651eb70cb63a2ba1d7373404851fe084772e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
27KB

MD5
876d74bcd0a927aba5be92bf7993f1aa

SHA1
1ffc2b292eb17625a33feaf5460e84d137846811

SHA256
dcb085ad0fca889c4a1b898ccc7458c5d586e5740e7b7bffe065ac6a5e247ada

SHA512
53d4bf3800e1d5e6e988da1c725aa0829c1a33e676d43ea4f1f59e95b13f8b2257136d9c0adcb3e9634ca1550fe7d997991887eaa35e0344c2bfafb00aa49112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
29KB

MD5
ab1fc8621287e4ea9319a3136812cf80

SHA1
fb4ed2e52e2a8d7ac50a7618a0c2ea5507a24ef3

SHA256
7c00752ce82d6abaed0b9766d35b906b16675facdbe24115b410d1fab975effa

SHA512
b1ee9b00d9c8305521662756e6e1589f955491e5887c94c0a49d8fd41d0038cd42f929a0ab12f5fd44feef4de296a6a43a6ca90767df886fff89bfeda70dfbd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
300KB

MD5
8b011675121603f7166d62dc35e7ee6f

SHA1
41afff9625344a15b9f9925e57debb29462c1ec1

SHA256
4ea8b0a56c5b990c12c89500cb55b196703bc491918c945ab6bcd470bcfec5b3

SHA512
8c9a64de045f38497f36e8740caaec9812452a84b2bc5680d70d25525ed7f800541d1a702393481f6bcd5822e8c14a2722ba43c4ff03638dd57c592474e42f1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
Filesize
92KB

MD5
8543242fcf88ba82b9ff1e20d1a8adc5

SHA1
9e670a7779583a53ced8ab09f21474c6e283a796

SHA256
02735b1658ccbd99e6a901fff0c37a368f6ce0ca2709d9c924c59d8523419067

SHA512
56c6928a5201be40061f6d2226f6597e29f6a4e9209e7c4f9244845fa7083016d641a8d6950c52b119d0a718cdf7dbd5a15e7ab0ab75f8772c0c866456d859dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize
156KB

MD5
42c1940fc17aaeeee3915e55a82fcd0f

SHA1
cca33cf89907e9a1b7826d06fbc82570abf579de

SHA256
18f6c62c1b6a691cd63a8d8cb664aceea663736d3b06c46c2289fb20fae25798

SHA512
05c3d1507e30c09e66012762671cfbea5dbb08ab7e348477a4fbadfead7a8599ddcc5b82a113832e2799b2f09e07e194b5d9e258512f85b5cda8b19ba1567a0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
Filesize
74KB

MD5
b55469bb289545cc1cd0127d19552d77

SHA1
e5209795fd2c68d60bab73832be9fb911028d2fe

SHA256
04b2d7ec05b4b1187beec607b5553f4bde0ab12f9f6ee4178f42d779b498eea7

SHA512
fde40f98b0d89988d8569ce1c6be67b4413cab47c35ce4f97fc8f48ccaf887572fb6d49cc28d9cd18bdbcc5468be6a250a2e889c03cd2c59fdd3429d1085d650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
Filesize
40KB

MD5
aa12ea792026e66caab5841d4d0b9bab

SHA1
47beeba1239050999e8c98ded40f02ce82a78d3f

SHA256
65fe153a832452e97f5d484440a7047e314d3a83cb61ad2508fed48a820e1de1

SHA512
0b2b1bb8851c60c9d4ab1d039b990a4de5799c97c50b45f64e36a21849c14e785f69196f674ac225b1419d7f501338054074cab6203d041361a4fa1ed8802b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
45e4ed5944a09367d57e43863c3c062a

SHA1
48fe7203bfd1d0df94ee48981e2b68acdb933b78

SHA256
57330cc48783457dd06c827136481bb602ca1c324b67bb52621404afc86862c9

SHA512
ee54706c617895925cc882b760ef3b5ef2dc22f516d4a4904ed686ab1b0d33e83d983a942bda0724d500ec90994d631654a988efb479bac7bb3a045f38d9c17e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
ff45787cd1597d0ddfedf56ed28840df

SHA1
47d21946172871756cb4af445d4594ba37848fa4

SHA256
ad006e43423fea06a441b934fa603b1ca275ec0df0e2f04da2e0541eb7815a38

SHA512
7b429713ae4047836f4d65fe06b06717c2f9f8d0fc78b8e067ea525997b98c295f63e7403fd1bfcb08032716bf68c97685374e6434d3e1ab170c8e10ce28d66e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
e74fb3e706897a3dadf31199ba7f489f

SHA1
60e56d76cda227db916f8e1a3d638fa6b8b4fedc

SHA256
4d80226ab3cfb88642fb9909f2931019cbdb1146d942360882e9ea73449e60b7

SHA512
06b23ba36cf5ddb115316bef601a1133550385d3f12404f39a7957fd693aaab9eb20b6f9ea2390ca18dea2d107ed04eec1cffe45a27d7739e2c4c03a8ca2cc23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2fab14914f9f6c625a462365f1abc3ca

SHA1
54f472e4c82252f63060f63881a10eb0b77d759b

SHA256
ea991a47bb79b98204ccc8c54188705164c4f6976366f90d9352c671bf0075ac

SHA512
d5e24159ba330428b16c138d952183f852f1dcb50c7c8d5b693165b8130eb821fb755e11de67d657b5490c6eefe072c425acf154e4789ec569ebb7323b1d4e2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
725be8d128eff4b29a44f649c8b63025

SHA1
db8935d87feb72952c5626f776fa3da513050fcc

SHA256
c1466612c4722fdddc0eb51540d06c54949eeb3950bd9b584963e00188dfa607

SHA512
f7828cc480958eaf9f6a29234c14a346ce6bdebf8090537b2a9ce9a01ff5ae359d708808ed988a66f705051738102c7930bc22d6fccf67980343edfb6d79397c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
31f59765c16b77b41c65d0d5ac472bf2

SHA1
2c90c6a4467747d2ee518859e00d3d7e546a23e1

SHA256
7558dd0df01cfceec1bad3533ef878bf26b98886c9bae5aa9ad27719a69446de

SHA512
4320dd16f0bc8404b18743f3d99bb9384d86b6b1b2b9d6c618e5ba11e57080caff1efdead6579769556f36570282097127e4385d9e76e8dc852a70fddf37ef97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
a31a8654f408c136f510336f86e6d5e4

SHA1
c29cdc8c223b24b6e22f239e06c59624afe120c5

SHA256
75999295a74e74b1bcf4e784fb9502d79db7e34ea848ddcd4eb89877cb8cfa26

SHA512
6237aa33fec9c654c11163d8cdece2df287d44cb76deb39e4bb8556bcd1c290cfdb3d9fab8ce51187694a25bbedbdac688ae736afb71d49f0bea026777a07deb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
d032109712c402afbd7c6c6c6aba9975

SHA1
117e03810c7a8eab36b421ba3b1c39a6b7715608

SHA256
254f97fc53d40145f8e745590a44b2b72932e7ac361ef9baaa07c4ff089158df

SHA512
bac12c73adcfc3d278ceab311d9912f92c51ed459b649d30f2666f76899352f028f251c1cae9b76213ee407d8d36c579301dbfbef6ec1fcaaf5573a9fe5bb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6ac88a3af759d3be7d4b2c7a5265d945

SHA1
fd7d7e56cec34a642bc8d02960aec967c988ce72

SHA256
4179ad2073d09eb9042d04b3be871eee618af3f9f4c355d36e12976e5a4a596c

SHA512
99804a99a362c8015e6112de5f006d711c7029cdc859ed0fb48ec801192a05fc9e273e2f18bf367de93920c69f254faa746cf9fa96bd78213015792e6d7e8b58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
ec03423b0246ce419f6450757d320ab4

SHA1
4d633194ca81a288e4b63a218d175691305ac179

SHA256
93914085b09e860505137517cd74627a84bf7858db5ecec08a4acfc6c5ca45c7

SHA512
46a7d7cd4109a9ae67d299c49e7d950f4aa402b66f8b692008fbe66ba48230e42cd9af35c29ba4c513c9cfa1cba385d85b6f93b74350bf6442f6fb9f6bd4f6f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
370B

MD5
2fb6c481b25d51c5c29bff0419563350

SHA1
adcdfa2c81e8841ec19d406f2a899480544c1618

SHA256
81a7a9160a45fb362fd17bf095dba6677f3a61f5d560df5640522982c0e83a96

SHA512
c769725c913ce1dee9c3a22a79ca2cf129d9596ebe4e82095cb0ef0b1b37d19340ead490499fdd1f0a55373547af616aa88960b0d9041fa3f5d7b9d4a0c46f96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
59c4229a1beca94edb85a0628a9b49a4

SHA1
2c35345466f9fa14dc329c5656a38a47e55a5c98

SHA256
afc8af077fa7ace7986956c417074414bba27f4849069c2b0aafabfd22c8e7e9

SHA512
bd3fe2cddaf122f19235dbf7d0ac914c15dd5f8d3afb74091de5533e3ce71fac649be10a533ccad64e8d8473a516df444bba1422e89f1f2336394f6d4a45b226

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
370B

MD5
f17ed940755e8cb7baf8e07f87bc60fa

SHA1
68b8ddd6054c3aa69bdbdef7fea660619e22644c

SHA256
9459b36346845b0f2de0f360e1b77c9c27b10f5fb8e4be69228fd43363ff4af4

SHA512
a2d63966390b3c9e7f4a3ccf25f44cbeda8685ba7429a3f3b6c5501b9e884f16d2acb07c79ad46544d54332779834285a0d9eee2f49a860513173934b4f2ca1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
ac8e37880f4229001ab49ce866384a9b

SHA1
b6801b273198444d3ebd916bc21d4e5e5f5803dd

SHA256
b5846573421233bd207b263d181bdc02b75011323bf757bb2d38078571f6638e

SHA512
d09d07d1fbbb34d4175a2f4e17f290aaea1aeccb325cfac415f01f44886cbbd0ca915ca78b5d0692ed6f99a35585838fbc3be1ff64f9c9718d051ee2b6b26ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ee77.TMP
Filesize
202B

MD5
03f2b41e8f48c855d8359ad27a8bdfd3

SHA1
9c68fa4fb10101796deed1b980884a614d416e41

SHA256
73f51ddea406058d50adf9a1693a1e926ebbfffcc674ca3d33e1c36ae6963345

SHA512
e51e26e15c1fa40baaac6fad04ead371fe9ac04fc150807717dd5f5bdc5b6a4b519e6bb12ebd91cc7857057d35027e5ffdfe58fb723319dd96e18cac37fbfe94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
44480a6cc9bcf4e016fe185f01649416

SHA1
09020bb7d028763ff3e903c8a99f4e7cbe0a4828

SHA256
2133cf2ea531b316e6646490f5c3af1d1d9c5a95760fca816127881549007ba1

SHA512
145c14d977412dd496c943013e235cb72858a49d10a0f24f1a19ea2b2c1ff5aa2f407c721858e6227aa58e4ed491217dd199942724e414aba9b1836497ee3670

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
10KB

MD5
aa7777f8dcdca0d81d587b150757a5cd

SHA1
fdea97d3d4c679eab4ddffb1081baf15d14eabb6

SHA256
4b41e3dc274aec30b47bc59c8cda006593a1cd1ca5b43a7996039b3b920af3d2

SHA512
e4f197d37592cf0ac430e2530299503531481596ba6cf309dd4cdff55e171bef10e8901894ae2f8b493fc928487b0edff64023ca3db50fb0fc4d3aad9b697e37

Download Submit
\??\pipe\LOCAL\crashpad_3612_KQHKIPSMFHRMILOU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit