hxxps://martinlidtrelast-my[.]sharepoint[.]com/[:]o[:]/g/personal/elin_martinlid_no/EowIthIGvzJOgbTfTzOogNMBKe4w0W2xPPQHg3S8fylMew?e=WjFbpc

Resubmissions

30/06/2024, 05:22

240630-f22rhaxemk 1

30/06/2024, 05:21

240630-f1zwhstgmf 1

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://martinlidtrelast-my.sharepoint.com/:o:/g/personal/elin_martinlid_no/EowIthIGvzJOgbTfTzOogNMBKe4w0W2xPPQHg3S8fylMew?e=WjFbpc

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3558294865-3673844354-2255444939-1000\{F93EF116-0F59-49C4-9317-7D19D15682EE}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4644	msedge.exe
4644	msedge.exe
5028	msedge.exe
5028	msedge.exe
4744	identity_helper.exe
4744	identity_helper.exe
4384	msedge.exe
4384	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 4568	5028	msedge.exe	82
PID 5028 wrote to memory of 4568	5028	msedge.exe	82
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 1856	5028	msedge.exe	83
PID 5028 wrote to memory of 4644	5028	msedge.exe	84
PID 5028 wrote to memory of 4644	5028	msedge.exe	84
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85
PID 5028 wrote to memory of 3968	5028	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://martinlidtrelast-my.sharepoint.com/:o:/g/personal/elin_martinlid_no/EowIthIGvzJOgbTfTzOogNMBKe4w0W2xPPQHg3S8fylMew?e=WjFbpc
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e7e846f8,0x7ff8e7e84708,0x7ff8e7e84718
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6360 /prefetch:8
  2⤵
  PID:5448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2272 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6544 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6976 /prefetch:8
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8572381745042819261,442900673477054973,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5000 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000045

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
540dc53fc478ffb9b3a5595375f6ff0f

SHA1
b6cb2242085e41ea6c753ff8dea29a4b8d37f3f3

SHA256
25c6491c3352b44e5800f04970ed632ce81f49fec8372fbd991118990503ab7f

SHA512
24cfe357db1b6ed3c5ad7e0cb1bc13c48b315f6d60ff3ebd722f6a7103e57ed600dbe694cc2d7f299ee55d35fe8058a2a36faf2d7faaabf4153353e40fb63ade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
f6894799447820bb806d15d2a0eb3939

SHA1
3567cad50b40febd7edb9d07bc13468307567cb8

SHA256
bd77a960588c5835361364cb254292afba0696428bb63221a7748b687d45f003

SHA512
d290b106249e96d74a493b4cda72149104eb69eabdfe8c6936bd80ea454c1459e3ce0b06a6fcffa1e1c6068a56245ee84d21829902f6959186f3aa2360354de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
378289af595063aa3c8c88ed7e86c33b

SHA1
461ad69440dba85f8f27a1947996a6679080ec81

SHA256
2b01ffc8dc0da57389ca5fc6af042e063c83e35fe0d4960f41cdf95004566455

SHA512
e87dae328868be5e874fbfd0f7690350660264d04cd9bb47f51e6d48bd849794ca870bda6645e990bb4468118b65027fb77c670b410b069465d1bbe858e56cf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
f1e44e5f7f60ede5830151f2b14c5ead

SHA1
71e6ed3b24009ec02e8896c81e9012cf5ebb4c30

SHA256
7dc3c2581a8469676915cd37933b1d618f2664fde2be4261bd88c1507adc2cc4

SHA512
124a886dcaa2cfa929f7b0cc17ca63e3eed0b4e7bb39595e74c4f0f8d06e81a9f71159d37cdfd55f76ece6318df5965434943a5673ef252b8926088636ec724a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
48079a1ed7319dd63e1a9bd157a8c94d

SHA1
92f37f61619a974cfc84296a71c5d9c1e2747c08

SHA256
a6399ef3751613b4ceb1dc6efb694a89b1a97c927673674767c28f20f2908059

SHA512
7a746ef4ffea8e8df1a76cb1ef0b7f0699f3a080af61abae5490d20140b81419248e245cb15695811b3982504361847b69fc007c65c793331440803724fbdbf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0a8ba592a33bddc417b9851433a7056e

SHA1
0b56dc9b8cc72a3c3c6b8b36194fd786c8ab53d5

SHA256
7c98738fc252f98504ecac109539dfba0ffe71019a88c6e6c5e7bde71ff47903

SHA512
118db46ef21637f0d5b648898fcb37b56297ab87d33db26e2d76ccc993bffedc3cea93cfad29bb43c75935833ba02794116ad3574dcabc588b81f88d86a8eddd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5e070f81681f110922201c73322c3b4e

SHA1
8d007a85d204d3c9af54a4cb6ca147c64a1e472a

SHA256
abb1d08f49baabc65e9c5d4f1cb7730677875426311a9b0c4cc9072482a4e5f0

SHA512
47e1d4665e285567a9e359a78eb3e924332b676e47f999636cd88871d0a33e158659dd97dfb8a7d590a6add9e7dfb82e872ddf7e92dc28c76088ee8ba4040c87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b9ebc7249f3ca25da1be3ec0a0dbdd54

SHA1
4aacbd1631af3b7e5f26b2a5f4beaa38461ebfd1

SHA256
a655c696ad07404fbba7a9f1195f3c991508da78465257eddb1c8bffbb8b5c58

SHA512
c9a9e1bb648ecdad8dfb7143d44a276612382964b80a479ed477bc3630b1037d4018b9263e785edbdb4079351ec69d124a1c914511684a53f27f760518279831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4d7d3a4887f3493fb8112c27cff3a941

SHA1
aa7f7c20d692d68f99327d9b4a4e3b9f49d3c699

SHA256
02e9575e28933935442ad834d73ec0a081a6c0187cad8992766641997f821d82

SHA512
dadb0fb750eaac11a2b7c12a99cc15c349d33c4a6b9cdc83c7e5f92be3d57014623d9ec4874002f8de73c41443cb20cb96d95988442ec3cf986cfc31fccb06c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
410f64c9c94522defc6906cf3e72cc43

SHA1
152dde00a80b504cad9aa98696a1aae5f9a5abf6

SHA256
17ddedb3bdcfc34aa96e0d5f569c319f731b0696feabadc2b54d43a8d31b1ace

SHA512
23801667ef6cdfcd9478fa023df944f7da1d3be3dabfa9d23843ec3b2493989ebe6ae14e50f25c081a6e2a5a3a5049fb409786984f6de7f6caab4d5e40bccbd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5812c8.TMP

Filesize
48B

MD5
d92cf93fe676f66ba8722a5615455ef8

SHA1
464f451762170672742cc1da8a2ea205a8dc1577

SHA256
314f104c7ea717a82ff3db4f6cfcee9e2bc3a3facba023a9e599fb4e4cc9e947

SHA512
31292a37f9fd8b59f168bb69f2de1e6201e62703af65db7d26769cb45a197c3899040a450ea8d2648d5073bcf9f1d7c43002748353f57ac8e258964dae28e17e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
53c4f3ed75f009ad98baafdab563f828

SHA1
0061d539567503128f6882939fab0937a2fd456c

SHA256
e4e9c1cf62dd7343ed6a7ef7778738d1777fc741dcdfd53c532e7955e01447e5

SHA512
8a0a017dd47bf835ee1576034f11ec2e6cc3a2c13b018429415aae17dbc13658a5960f089f1909d7982eec8b1b62db44dce573a54e0a947e534cc1f1fc6e4958

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
1db20dcdc35f08171701e5a505d4d42f

SHA1
e5c132c4f0a1abb1f8b7e74ef7200e29e5cf8034

SHA256
5ba8c6dc1bd327462a1368e782419b0489ff0809f39320a7cd7aa875b48d4dbb

SHA512
a7aec65fc04cb0d544e790f9fdfca6d5585e8808dee3de48359baac41f124bb16fc7db2addc9c1fe1a883ff97b246cb3570da1e59b4c9721bc63ac64cc782fd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
f406e85d79bd9659baf57aa0667f4cc0

SHA1
900a4c84847591f9fe2d4c7f4dedc143fb7dd944

SHA256
0deefefebca11bfb50e05c39504306e0758b84ff98fb1d5e38b8ba62f67b923d

SHA512
7daa1f167de745c42db8bebc07976e6a4f682e8cfdb7f1d294881304ee032fd2f063fa5195012222994b29cf6b23b919d6a14b1fe426625ea4d936d736788710

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
e1631a6f68fd88db73f82cc413f1bc67

SHA1
5f11c7bced213860ca1dd018ec7fc4d807f479b9

SHA256
95098b47a2fd1ca4f8b677459689e2f2e8034793c0c6a267963e7121bb6a232a

SHA512
fc03871c1c0cea9f10bc143b6084559dd06a137841e606c18e38fdf0682eb98efddc60985279845e2d0af280c12f07af2ab8be3d0e0e22e41764b9541bdb988a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
b359d15f86c84cffa073be22ad419bcc

SHA1
ceee7a54893df4f11ea5c5f74051639d91bc6463

SHA256
e28a3483e6eee9e06661c6a0abb8c73503bb747d49649332635d5e41b392c34f

SHA512
164f88db50312aa6be0ef8305283d79828c1cdfe5ca268b6c336dfa52a28c00cda67d7e7adbd3c1048c2c0b49a158811476566cb0950d0450e6ea33d6d47e6ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
c106de802f738321586c4bc449a29874

SHA1
d62acb0f05217980646e5d878db21d9cc24aac6e

SHA256
f2b1cc0429217254ddd6f3a16339ffd7c52bec1e4bdb25a0993a88b377c184a2

SHA512
beae083d5fd27ffced0ac3447e5e7c2082000d00178003a10d6b8e85cef39dc03fdd0d9cde50ebc0d477e3dd3cb6bb7f888c6586e3d9b2afd458908119f1e0de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
047c3fdca6bd51388625c7b34d6eef5a

SHA1
10ba64954d607c5d4f660e8a0a7774116dfaddae

SHA256
0c9ab9158951ca72521db0287d221d3f042df3556ffd469adc29eeb8b1690402

SHA512
4a0f02ca63b6e62351c64a700859ee0e199a9432416ef5f32ee3d423e1af0a9ae93ee2fe42170b4efd9daf0fe64d25dae099842de1da0038f0255c7742352008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e53945f414b5d5a009c411f18994ac75

SHA1
e1f600065e326d19a6148e9735c0281a78c63976

SHA256
ff4bc14e4d2b3736b0372eba88edf529f370c201fc2bb8c3f863ead3f8574a00

SHA512
bba3384161ca1d0278cabc9ed4003c3a120b824ebe7c411059da429cf489a0e520b42bc416e24990b9c2dffe4b95a3054676137d747987b878d6da424257467a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579710.TMP

Filesize
2KB

MD5
7ed3a78a9190ff730b00302a95f43a9b

SHA1
6b002840436be0ef1713480610207293ef572cbd

SHA256
e5f79f3b6908160b32be665c76f8d98051b62bc38b41a58e2ec49c99ef1db322

SHA512
ac3121d225be332494bd22a416b5b0dd556401bb7c29fdde1b50da171816b17e7dd7fe9bf474cb779b88541fbbcf46d5e91988fa85a55fffb26d1b16574cc321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
91adc03653d51f94a8e124394e413a51

SHA1
0c6b12498541587a77db60ca86dfef2547bd304f

SHA256
f08ddd333ed4fa3318b341eba1c739f33241a1851c103208a29dcf7386b64b84

SHA512
1d715b83c6b7d174b4305fc55bd2216ddc3562a5f63c56b4cd70464a8a4abf9f4fb1027d068d2a5ca5379a47313522ada99cc56fe04856f4897db29f1d3d3952

Download Submit