hxxps://outlook[.]office365[.]com/Encryption/retrieve[.]ashx?recipientemailaddress=marty[.]moran%40hancockwhitney[.]com&senderemailaddress=Snyder[.]Sabrina%40mayo[.]edu&senderorganization=AwF%2bAAAAAnoAAAADAQAAAFSljC%2fccMhMr9y3UzJ6kDFPVT1tY3Rvb2xzLm9ubWljcm9zb2Z0LmNvbSxPVT1NaWNyb3NvZnQgRXhjaGFuZ2UgSG9zdGVkIE9yZ2FuaXphdGlvbnMsREM9TkFNUFIwMkE5MDAsREM9UFJPRCxEQz1PVVRMT09LLERDPUNPTViYWIUwG%2fxJgt6Den%2fTNSpDTj1Db25maWd1cmF0aW9uLENOPW1jdG9vbHMub25taWNyb3NvZnQuY29tLENOPUNvbmZpZ3VyYXRpb25Vbml0cyxEQz1OQU1QUjAyQTkwMCxEQz1QUk9ELERDPU9VVExPT0ssREM9Q09NAQ%3d%3d&messageid=%3cDS0PR01MB7937B0C1421B6AF6A09186F2E7712%40DS0PR01MB7937[.]prod[.]exchangelabs[.]com%3e&cfmRecipient=SystemMailbox%7b6C0A1EFA-EC06-4AF8-8120-E8DF728D24A6%7d%40mctools[.]onmicrosoft[.]com&consumerEncryption=false&senderorgid=a25fff9c-3f63-4fb2-9a8a-d9bdd0321f9a&urldecoded=1&e4e_sdata=ueX69nK5co9GUnsINPLj4vCtQMeFwZ9qRCEW6X67sTXKg%2bRtCQwvhBV4tE1KupG8iBICvQ5NRmtnEW%2fczn2swQgVPStoefUVxPatFDx3Ej8KOYaAIF47P5wIsku%2b3KCpWHFEWt%2b0Yj71Qjwsm6CAdjkSl6bzECPAmdePIT6EwcjTCQgI3pyoSfvUEN3u6%2f5hEiDm%2fUecSYw58V38onfFh8VfFHihPs118HCdI3peqiKsgaQFu5D%2fJa3J%2bAGi69fZnmjnaIi1uxkjvoEDjIPYAHrokSDNT8mYAwIHYX6%2bKws%2fVXhxz8P8hmSubbmQweVqvOQGhfiqySABXpmioXbx1Q%3d%3d

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://outlook.office365.com/Encryption/retrieve.ashx?recipientemailaddress=marty.moran%40hancockwhitney.com&senderemailaddress=Snyder.Sabrina%40mayo.edu&senderorganization=AwF%2bAAAAAnoAAAADAQAAAFSljC%2fccMhMr9y3UzJ6kDFPVT1tY3Rvb2xzLm9ubWljcm9zb2Z0LmNvbSxPVT1NaWNyb3NvZnQgRXhjaGFuZ2UgSG9zdGVkIE9yZ2FuaXphdGlvbnMsREM9TkFNUFIwMkE5MDAsREM9UFJPRCxEQz1PVVRMT09LLERDPUNPTViYWIUwG%2fxJgt6Den%2fTNSpDTj1Db25maWd1cmF0aW9uLENOPW1jdG9vbHMub25taWNyb3NvZnQuY29tLENOPUNvbmZpZ3VyYXRpb25Vbml0cyxEQz1OQU1QUjAyQTkwMCxEQz1QUk9ELERDPU9VVExPT0ssREM9Q09NAQ%3d%3d&messageid=%3cDS0PR01MB7937B0C1421B6AF6A09186F2E7712%40DS0PR01MB7937.prod.exchangelabs.com%3e&cfmRecipient=SystemMailbox%7b6C0A1EFA-EC06-4AF8-8120-E8DF728D24A6%7d%40mctools.onmicrosoft.com&consumerEncryption=false&senderorgid=a25fff9c-3f63-4fb2-9a8a-d9bdd0321f9a&urldecoded=1&e4e_sdata=ueX69nK5co9GUnsINPLj4vCtQMeFwZ9qRCEW6X67sTXKg%2bRtCQwvhBV4tE1KupG8iBICvQ5NRmtnEW%2fczn2swQgVPStoefUVxPatFDx3Ej8KOYaAIF47P5wIsku%2b3KCpWHFEWt%2b0Yj71Qjwsm6CAdjkSl6bzECPAmdePIT6EwcjTCQgI3pyoSfvUEN3u6%2f5hEiDm%2fUecSYw58V38onfFh8VfFHihPs118HCdI3peqiKsgaQFu5D%2fJa3J%2bAGi69fZnmjnaIi1uxkjvoEDjIPYAHrokSDNT8mYAwIHYX6%2bKws%2fVXhxz8P8hmSubbmQweVqvOQGhfiqySABXpmioXbx1Q%3d%3d

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2196	msedge.exe
2196	msedge.exe
3976	msedge.exe
3976	msedge.exe
4572	identity_helper.exe
4572	identity_helper.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 2276	3976	msedge.exe	82
PID 3976 wrote to memory of 2276	3976	msedge.exe	82
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2188	3976	msedge.exe	83
PID 3976 wrote to memory of 2196	3976	msedge.exe	84
PID 3976 wrote to memory of 2196	3976	msedge.exe	84
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85
PID 3976 wrote to memory of 2984	3976	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://outlook.office365.com/Encryption/retrieve.ashx?recipientemailaddress=marty.moran%40hancockwhitney.com&senderemailaddress=Snyder.Sabrina%40mayo.edu&senderorganization=AwF%2bAAAAAnoAAAADAQAAAFSljC%2fccMhMr9y3UzJ6kDFPVT1tY3Rvb2xzLm9ubWljcm9zb2Z0LmNvbSxPVT1NaWNyb3NvZnQgRXhjaGFuZ2UgSG9zdGVkIE9yZ2FuaXphdGlvbnMsREM9TkFNUFIwMkE5MDAsREM9UFJPRCxEQz1PVVRMT09LLERDPUNPTViYWIUwG%2fxJgt6Den%2fTNSpDTj1Db25maWd1cmF0aW9uLENOPW1jdG9vbHMub25taWNyb3NvZnQuY29tLENOPUNvbmZpZ3VyYXRpb25Vbml0cyxEQz1OQU1QUjAyQTkwMCxEQz1QUk9ELERDPU9VVExPT0ssREM9Q09NAQ%3d%3d&messageid=%3cDS0PR01MB7937B0C1421B6AF6A09186F2E7712%40DS0PR01MB7937.prod.exchangelabs.com%3e&cfmRecipient=SystemMailbox%7b6C0A1EFA-EC06-4AF8-8120-E8DF728D24A6%7d%40mctools.onmicrosoft.com&consumerEncryption=false&senderorgid=a25fff9c-3f63-4fb2-9a8a-d9bdd0321f9a&urldecoded=1&e4e_sdata=ueX69nK5co9GUnsINPLj4vCtQMeFwZ9qRCEW6X67sTXKg%2bRtCQwvhBV4tE1KupG8iBICvQ5NRmtnEW%2fczn2swQgVPStoefUVxPatFDx3Ej8KOYaAIF47P5wIsku%2b3KCpWHFEWt%2b0Yj71Qjwsm6CAdjkSl6bzECPAmdePIT6EwcjTCQgI3pyoSfvUEN3u6%2f5hEiDm%2fUecSYw58V38onfFh8VfFHihPs118HCdI3peqiKsgaQFu5D%2fJa3J%2bAGi69fZnmjnaIi1uxkjvoEDjIPYAHrokSDNT8mYAwIHYX6%2bKws%2fVXhxz8P8hmSubbmQweVqvOQGhfiqySABXpmioXbx1Q%3d%3d
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83d7446f8,0x7ff83d744708,0x7ff83d744718
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2240 /prefetch:8
  2⤵
  PID:804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,269707461341473019,16897265286486872274,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6096 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
942a9cfdff0f01d34d3d7bb5bfee54ff

SHA1
ac9d3ab08d232038bf910196fab9ef39df38a939

SHA256
415e08e9031accfb86f9e1b4d123440724156c1e030bfec59278b7f9d6be956a

SHA512
6a64b86c7b58b42553c1dd887f9e79e342a83f8beea3c855050ff1f8162da0a0a966218e641d93d03001f6b649b0e0bea19f53582e31f926c42c3d184d14dec7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
710B

MD5
3c28bf364859498684729dba0441c35b

SHA1
ecfa28bb4257da37cb769eb559f8f62344443ad3

SHA256
fb18e2180912ccc8f33160dec7f053fdeb763b45eb8ccf1a45b83bc79c4cd2a4

SHA512
621f841ae7cb6ae9ece39498ea61445ad3373cc8de75c06cac347330a6ab1415a6531af66845ddf03a3fb37bbe8cc340c36edbe4c552c196047db0845bad8b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
0fdfb0ba5a78af166bc03492812d9bde

SHA1
dc14db82b59f0a42efd3215884be255c71462478

SHA256
14e2387a562e63a0e61a855ee8e2fbb825621ec443e7a33553e0e76befb3664f

SHA512
9e297b22d9cedbdeb9d44d966ff6f6eee6f228f94ab53f7adef07bea549724e061475c90a2ec8607a27d56d5d205f377ec2ef19ca94191969db2e1e33e772cc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
4d148ef7ba67f9ccb62cf10550a55e9f

SHA1
68e63430daaf6afe62ed8db6e9d460822fbcddee

SHA256
9b73c61ad5b11596699f14e3365e7f5cbff47aab27c64620513c5ba7cad4e948

SHA512
4aa814d4760e3795c8852fb6401c3ab532c9d823539bbd53582d2bbff756976e360771a38c1eebd190387ecea4aec62e1cbc83ec9fa5be5ec60692458c99db29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ae8aa1bf95d5087b3073ccef11a9b4d3

SHA1
1fc018f086fba886efe9e70665841ba3313b99bd

SHA256
27f1b83bd5dd87017178c8f9ccd87a47f44a2e01815fd791b1e5604b83d3efad

SHA512
aff4a711b5c0571ee30d55db25c304099d7e96334e4f3d2596b7494803fc45c535391c75a791aa5b707bebffeab2faf5172fc3c92833f6c3527fee6f6a5766d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2e75d807c2dfc455f7df99c512166a1b

SHA1
8b4ea4bbb160385bf21671af8d44566ea32062a8

SHA256
ad244309c147a358c85cd005aa74ad37143d05beedeaee1ab39d1a28d6f79fcd

SHA512
f00f986bf713ce2c9a6e284f19519fd0eda326172281422e5b1d46fe58bff643bed900ece7fe1e6907bde2d84bf9d2d2a6f74aa3f2e27c36324973eae03e3102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8ac388069058d3d14c2988654f3603f6

SHA1
dc1992100a5a3085568f9c73b441f8c149d2b7c1

SHA256
4025953de86bd81f51b86541bae1bebebcca5c997e4fc1612a5524e81a0ee0aa

SHA512
973eb1c3f8a129a5878be561a1475d3ce4a8be8c502d67254abd7508f65f59533b7738cc1e656ffa4016e3fa29897db91467572829446d667381a6f0f011bc8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
2c469b48748c5221128b66f06c8e7cbd

SHA1
fff57a6dd55ce273579db596cb79adeef7173ac5

SHA256
e2822e4df7918e4d0159ab7f23616d8aaf056d7b50286ab04509f953ca3791bd

SHA512
f12259312519de3a5dc3c6b3c9575985b6b88a2f50831c3ffb1d25101c8a052481eebab001e59b9ff9ff780dc9a2b6e136a7e7445f3c901af228fc3bf5bdc3c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ac2bb690aacc907021ea45598d1a1f9e

SHA1
29d4732a4f6738cdff5c71a2c63bb8fd903898c1

SHA256
d7d982be97b7350a4862f747df622d4dbc49f3e17f40a23d643eaec7ce42c7d1

SHA512
d5114e94148389f74cea0a86a1fb595706655fc5816a763ce416817f9a677f6e4ec1bd496bb9af595fc400b79ea4eeb2e7ec4dcd22c403a56b692c073cbc206b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
fa8e6a44889b08928ee6df68188bc5af

SHA1
ea49840d23130a194f387e123769cd15eafe18a5

SHA256
38bc891ab80bb217b29f5f3e51ae65710afd6da207bc72df522edb9a53700553

SHA512
990da241babc24c6fff03b63e5d08324c1ff02e258e81eed42a95283a40ccd133021a193727b1b09838cfa6d3fd40f5942466d78a3b51c7c95a82319b1e41329

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
b3dfc87cad721c67da64a2d7971a9b23

SHA1
71574fc9e91abbb2c539beb80307d1acda135696

SHA256
d96a11d51a20d53a802892d417fce38f776b0d2fe9ebca3b39eb8e80572aa701

SHA512
5ad3f2988a05580368b362840a7c1e08d8100ae5a62e88676dba92f201708af554d8d3210c126d78d34cfdbcd188080c2364cd572efa8ebb231e8813eecfbac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e385.TMP

Filesize
203B

MD5
8eb470b60924039a4d3c3e42994682e6

SHA1
cdb1dd715147bd3639fd85b3faa212b2ec9b410b

SHA256
cbc9cf298aa0f6b05e8a37aa45d81fed958c18b965c68b08a4bf16dfc7c6dc65

SHA512
079787b2f9241896cfc054c1e26b3f8998cae878d7d42837539b7803c947d61793c80e786d5bd599331999837c2a0f0bcac2091a4829bc281ab438e42f7dd761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
801db272f49941e46d2c469fb800c41d

SHA1
e727ef0a442e27f74a97a31b58f6af7684501565

SHA256
808140932c86cb7d9cca0dabda4a158c6d9df8ac8ad219c883cfaf8bc2652eea

SHA512
cce22a23b50b5cae959ed4951ae5b83bf62b1f60efb266b178a7075aa88d1f721a19286711f0d499d007371be1b7fc44c235156fe2377d614ca30b27f806ef59

Download Submit