hxxp://𝐦𝐭𝟐[.]𝐫𝐞𝐬𝐭

Resubmissions

10/08/2024, 14:32

240810-rwsgesxfka 8

10/08/2024, 14:29

240810-rtmhdstbqr 3

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://𝐦𝐭𝟐.𝐫𝐞𝐬𝐭

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 336383.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1368	msedge.exe
1368	msedge.exe
3964	msedge.exe
3964	msedge.exe
2952	identity_helper.exe
2952	identity_helper.exe
5216	msedge.exe
5216	msedge.exe
5216	msedge.exe
5216	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 1976	3964	msedge.exe	85
PID 3964 wrote to memory of 1976	3964	msedge.exe	85
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 4000	3964	msedge.exe	86
PID 3964 wrote to memory of 1368	3964	msedge.exe	87
PID 3964 wrote to memory of 1368	3964	msedge.exe	87
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88
PID 3964 wrote to memory of 2588	3964	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://𝐦𝐭𝟐.𝐫𝐞𝐬
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba9d046f8,0x7ffba9d04708,0x7ffba9d04718
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2000 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6648 /prefetch:8
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3036 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6296 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11730111014229046248,1925543501863394462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:5644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
25KB

MD5
88d1e7a2ea333ffad91736b158310c30

SHA1
790e964bdbc9614a4cf65d581132ccb7c454f441

SHA256
1c26903437c460abfabe79f721ec24c30ea8de5a3c193255600338026417f950

SHA512
0b7fdc1bb6939bd6c8bc2eb1502345932f029f93d1fc4a162e22b3a59c538f48b9c3821c466544697218064c9d38d30eed69759c70cd0e5d2d4ceec9b3443ca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
163b357419a05c46d6dfc43be1a2abc0

SHA1
f6c00b57b9d8c0857acd1540f6af3456586a80b4

SHA256
ee3729006b6c960768857fc2c845f5cb39113ec027e577ea770ee3b000bcd246

SHA512
b7d0a89f17ef7bf36dc5a7eb0d89b3faba10a0656990500061daf13a22c971a3d86d6fa84339c9154f528c26296bc7e74c4b5f86bba49d641af44764543e5e43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7768465407f1129b73f4b3494d87b029

SHA1
89c8215c7ad7805c1e25b7665fd56482b31ba1e4

SHA256
7e4f1ebd2ac3e9902bbb70060abe25de4d69d0a51f85242d4200956308f2d0f8

SHA512
b423ed2c70674eb4380eb9e43c09df7ac1594e252aeeb1ece541ea418e39a103c590565beafb139ffeffa49f2f8274fa6c435227789c548af8ca86b05e72964f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
a1975f38e6f0ec4460802b7dac19ecae

SHA1
40d6c4ecbf2033b28a297a18cca175cb2758cedc

SHA256
42b26d4bcea44e7553905755186febfb63a00a554cfd82bb6c7d30662d95d089

SHA512
f61d10d1aa5152b469a402c1436acdbde9cb755f9920461c8d40ae855e6e4019fba6ae9c248bf427c02eb5466f63cade2dd4840a135046522cc5a066c0a21374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
5312aa1eb5dc55d27143b72c50d7cabe

SHA1
be82606da516a38edb625c63e363d628d59bed97

SHA256
2561cac133774f252899d45b41bfd3b1195342d19e925578b3934bfde7dc940d

SHA512
66610d32a011e0fdb198c28c1667ca5b1422278c9ca986b7ee9e0aa1119c0f816267b6e486c9ebecbeaa86d0e0e5998ae4bb25ebaa61cdce6300694175cabae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
7a9aa4fb32e26eed8a33919f4d15ae2e

SHA1
31550088d41879a46784ba85c17c11fb21b70947

SHA256
f98167725c8d957ec41b176646c841597bfb6fb82d8f299b57f30feac2ffc044

SHA512
ef3fb6858cf376879ff880bdb44e2b4924292e432e195124a40b4d03dce29e18ed6529bb0d0e5cc1532869f1d90cbe346377cab7eec6172f95a1ae1a6a964603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4517393e80b654b9f873cd6cc52a41ca

SHA1
3c7455399cd9bdda91bb11d835f1797c70dcecb1

SHA256
402a7cdd9a5859a7b1dd1f85102a4b933c370fc501eeb48fac5d6372a8f324a5

SHA512
e520b13181b61d374cf52cfd1e4ce83f887e19b521491f58d316bafa546b9d3fc2335e77795782e7960a3c0e9b32a9a18ba3789113613d5dfb0ab4e3c2d1326d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
27b2c4ac379ca674ab49117c517dea2e

SHA1
be594cdef36add937b958d3b5033490d46ac0016

SHA256
1f617dfe6472255ef0fdeae49c6c2b2395314164393bdb6651fc945709ba34c5

SHA512
5aec27188ffdfd61a5646a64e6bbe1f01b58c1094a3daec1811afd65a150f40d86130b2c944e692b221faab79a0103dd7444dda22465fc2d32c8577933af9a9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
82a5d954c0d349b1269a16ebd9f063fa

SHA1
e364497c23edea5709a4a575f4aa968d07826c7a

SHA256
aedbc3c7ab6ea4660a6633768986d6b4c23377f023be9be0b190161bc4142c3c

SHA512
0a9a8c18b4111545a9ab354f77bd2050f0d30fa4d8a18bfb328c399ddfbe126b7ca90a413e29a001972eef12552a2b35dd553d91911523c8f17601bfe24eb053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b44b3faa43bf6d0afb114b70360df3a7

SHA1
ced556593d4be09e7d592446226557cbd1b6f998

SHA256
fa5c1165bbeb157ccefde7d75b038f81ad1d18e51c4c39e908f9dfdf058761b7

SHA512
e9ebf0ecedc9079e5331a3c69d444802e672c0f7d2fa041e6a61909a70ec2a7bcb28285b240494bf56982437569a15659dc09621437904e823b25f57b5277e4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
26a3a0cb9c6a4fff6f1c433de6bef155

SHA1
fdcef5d83d609872fecc5021b045fa0a93e2bfd0

SHA256
4c68e6d72dcdf4c93ed9413339b09301aaba48bcdf07674f947434a6162aa799

SHA512
86a4de4a737769e1d912d56248ebbf6782456fb961e81333c044fa134670c83a52783f5139958916ba3043cbfd972c28ada3bcf0e941635a245957e3e6e381d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
91e846b501a561436ae54626147fa020

SHA1
edddc8c3d3ac023407a3f7c180d1b8330a010a8e

SHA256
cc840a6979379be7c754a8c08bcc65e742ef89ff00dafc67906d8d5734630205

SHA512
d1c93900e9532e7aad1e8970c2762462e8f1c2761dfa1190ec2b6141b7e0abb7a9f16542b5c2cd49b6b66452ef118fe92f2f52cd2252124f166ce9d6415eb135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8eee575e337829b63b96222554a58ad4

SHA1
cadf59a028ea61f1e27720b1d5af5ae59d93d03a

SHA256
936089c0785ff45e3456c921dbd5b64b85207fff5bb75aa6d1a2690e2ad07ba6

SHA512
f4f39c85b6038dd0df50c82555f7100ecb87dfe9e85c89a6ddc53625f348fc07f3ebd249cd6fdc8408505e5c6c02f4f16aae9798156fc8f1ce1aa7f2a5549e1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6c0732ec95de116e4adbcd47970268a1

SHA1
e4b940f89526e2c4c24c4ef1f57bd77ced754d99

SHA256
f0245813493ac4abb7fc3f2f1c38cbf1365908c0abe874b7401652246d31f219

SHA512
0cb3920c66f67c28fcb1b0b149208db636cc9db81bc94c407e42c6e3dd7d6b83bed85ca11ecf6df1e32435263232ba28e7b110de3d6358ca04044f62c057deda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
73304f83d495b3acc2097ef1062429a3

SHA1
dace3fc73278ba7dd5338f78333889b602c80633

SHA256
e167ba3209be4476bff6afcafb5b69f63784c59de24ed442ebd7c3adc43e64d4

SHA512
0101e715e9bbf5321727017f7d790b2210ad27d5aee7413f2112548813807cf66dc80c50e6bb0d5fef0ed8a3ffddd4dc91cedf0597fed6d28d5724772d474c49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a5ff.TMP

Filesize
540B

MD5
14601ab961f230f6e77011b871e2f28d

SHA1
5d03b43e5daf5900bd0413b867e3a114d8233dab

SHA256
a688d521f517f870b75aeb49b9a293e997e9ca0e04de929c974e743ee0dc90f2

SHA512
cc0516bfe1b011dd4774be2045323cad45f832c97aa469db77ec72b4dcabb1df94a053f4f0e64847088e1bfae16523d75ffbb6b9a4dde81c3e02bbb8263290bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fa0fd3c90235e45655156a8456f5d143

SHA1
d26932a9b830fbc82905234c4ad96f16d240f240

SHA256
fd93420d4480dd5fe935b1bc475663073d2b0074fa1df4987b50eef01de5bc38

SHA512
a57406390f836067636e349aca5a1124dc1bb8b7736b86f2c92c2610410dd198f8437ddd7739b0104535f3d318a4a8a4a0dc08528c3671050e83093d39865307

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit