hxxps://download[.]visualstudio[.]microsoft[.]com/download/pr/b6f19ef3-52ca-40b1-b78b-0712d3c8bf4d/426bd0d376479d551ce4d5ac0ecf63a5/dotnet-sdk-8[.]0[.]302-win-x64[.]exe

Analysis

max time kernel
149s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06-10-2024 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.visualstudio.microsoft.com/download/pr/b6f19ef3-52ca-40b1-b78b-0712d3c8bf4d/426bd0d376479d551ce4d5ac0ecf63a5/dotnet-sdk-8.0.302-win-x64.exe

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\dotnet-sdk-8.0.302-win-x64.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\dotnet-sdk-8.0.302-win-x64.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 419730.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
280	msedge.exe
280	msedge.exe
1780	identity_helper.exe
1780	identity_helper.exe
1612	msedge.exe
1612	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
2036	msedge.exe
2036	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe
280	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 280 wrote to memory of 2596	280	msedge.exe	78
PID 280 wrote to memory of 2596	280	msedge.exe	78
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 2056	280	msedge.exe	79
PID 280 wrote to memory of 5084	280	msedge.exe	80
PID 280 wrote to memory of 5084	280	msedge.exe	80
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81
PID 280 wrote to memory of 1168	280	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.visualstudio.microsoft.com/download/pr/b6f19ef3-52ca-40b1-b78b-0712d3c8bf4d/426bd0d376479d551ce4d5ac0ecf63a5/dotnet-sdk-8.0.302-win-x64.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e8a53cb8,0x7ff8e8a53cc8,0x7ff8e8a53cd8
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
  2⤵
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6432 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1852 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,17571837021377593968,11775479374181531942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3784 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
929b1f88aa0b766609e4ca5b9770dc24

SHA1
c1f16f77e4f4aecc80dadd25ea15ed10936cc901

SHA256
965eaf004d31e79f7849b404d0b8827323f9fe75b05fe73b1226ccc4deea4074

SHA512
fe8d6b94d537ee9cae30de946886bf7893d3755c37dd1662baf1f61e04f47fa66e070210c990c4a956bde70380b7ce11c05ad39f9cbd3ea55b129bb1f573fa07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0da7b26e14d68c3fb00329176b847295

SHA1
4746cd15a67fbf16d9582859790e84a0b0c073df

SHA256
7105ae9dc8dac882850a4ccde6657ae303150ffaec76127aa7e90786484d45e2

SHA512
d4174aa400c6d26bb210de23516a05ece1b3fe1788a5a5c6fb186bff8ec2c3ff98389ae45604ef7b45b080322c8fa6a86c78ba42ef1a751032a700273ddd968b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
cf1fd22d5bab2c7eba40bdeba59a1a86

SHA1
5f1266ffe7945d15e5c1a63f7a8df1fc89ec6ce1

SHA256
fe529b12300c21b70e5aa38c1ea801d31796b71738b7acbbdb3f43bb6acbfa62

SHA512
2503a1c51714c61a8410f54f20588e4c693aa7c009e36dd6655151eda401f8b17230a32d9bbc85bd9b0ac7882d6b3626a45bdb4d33234015e42908ec5bf1312f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
1e8f5ae13a52775ae8e0fb52759579f0

SHA1
f6b2a58441e44f4c90aef38851b0b7829cae3bc3

SHA256
46adbd3b7dd6c8a76f7dc0beaa33d33c0d201915b771e4f672e0fddbfb04dd64

SHA512
618126296b9510788650a7ed2d296906e3c6824c770cc42f3c918472103c82b66b27f26071ca802d58f4efd40a800be4223fda9ead406fb73796cff5441fb967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
34dcd570330e742dfe2d1c42a62918ae

SHA1
914eb8dbcd599f0f6e192a2c03ef026202086bf6

SHA256
1740900f90f76cb7fda5348b44ef64d247e3cca3ac8107d6fd3d68c81ac8fe3a

SHA512
16e918b79bd0db80e986c426bff7ac0dc53cc9be3471e45c962e2a0a1d0b579056fdd1588dc8a078f8d06b2e46c710afd369ee46b1e54afba02182ffc09e34db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
60d8c708362569967473cd613562eb43

SHA1
d899fe956cd54a96087a7f40d6dfc6740e7f1061

SHA256
33d8fc4789e90460a7ce6838b92b89950e5976087aa8275f994000a4474c9590

SHA512
3deb79c0bafb54dc74c890e16355d6ae488754c14996a8907f7aad19239670608547b2130cedcb54282bbaaa3191e3a032678838ea80d43d9daca03f5636f39f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3ebff99326d13c7015262d0fb933b360

SHA1
34a080a828cddc48baf9c15b389078a2cda5e930

SHA256
06942f911926c9ac3bb3b6a4db97977f396448a2e21527e6d478cd50349eb593

SHA512
920320a08a6200bfa45e9937a74d5511a322340d50e6b40a49acbe49036165da2f9ddb2d5db833ea0b87408c180d8e92072d673c04c3a49e469da5fed76f5fe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3c463f18c76d8a40c5b68ac3c1db2e7e

SHA1
4e4d94d82ff348300f7224990cc47de0bd7873ac

SHA256
0e18944ceaf656357a0d174e1354e2b617a58cd8cba2f329ac1f3fda5a650faf

SHA512
5a4050c3736a42805081065392ecd12ddbfc2f5988bc16b6934e2b9e1c403d03d575225e6aef096f8358ae3160a7bb43e4e67738c870ef9163349941c8a24973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
da7e9ec73667b2e4f71e902fc9549356

SHA1
6082f0008259be45d9bbc891aeab155a391a40d2

SHA256
0d9396ad4ed1cf4ccfe656025d72ab012742889d8f48d853c4fbf75ba06b6439

SHA512
a405ed6780cf221da3ee224e1424274928f27985dd6d7ca17c3beb48be11b4f30607215a8f7724aaeecbf0208504bf3ea5d156b44e5d87dbe4eba04c31ccde6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3a9ff21a9bf810c29951fe812bf63edb

SHA1
eab1d560edacf5fcc49044845ed6b18bf4841625

SHA256
2c5dfc8dc87139819ff85df5214ec36ee128ebdaacba1de4b547ef7031fb8458

SHA512
cb727ece9ec117119eff65ba132020e713ebaeceecbbdac7ab6fecc551f78aa25acbd2b4d83b85fa668f446a5eaabe82ffc6acd5fd30ac757c8f983451970d73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
b8e102c1f74619ce4ec7326c270b82de

SHA1
0aad76406470380190223d50ca4d2acb4b7e5779

SHA256
ded437281ed94d95cdbc7e9a3b69a60734ad3eaa20363182a9ca3efc9d4622a4

SHA512
1d61eab4391b8c50923eae74dec514a33fe1c3a97600e31d80d51486a371a6e67924116a236222f9ddd9191a9c801da4eafdb57a3b1304c7af76f79ebabaf8a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
cb31d609b0e7a9c025600a04e9e34aed

SHA1
879bc4ff27f2046aa23ee7c50b7e654d03467b6a

SHA256
33fa3cf8f0501054e123ad2820aeed182249f2475eba8be0ff8007fcc606a11c

SHA512
0fbd27fad35898e654ea73cbf51c063580c4c69be950d3fa9f4a52cae60b4abd850a5d003cda4b752a8b3f8a6d2aef26e1da956ad45c741e7035e2eee1f21f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
b9f073519cbebfb0ae5e5bf69ce2ed9c

SHA1
9987932d06cd4961d4c426a29b355464923db522

SHA256
7c51db6b4e96be51af374e9c8fad66a188f8db184148b7f77811ffa2498b0537

SHA512
55c06f138d5a1d7d4d983aeb65a4ecdaeecc21474bb09459e41e7598add8270707e5db232c65d836019223ca277a25ea4189cab7555ca63d948d79976e124c33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581410.TMP

Filesize
538B

MD5
ad15167b32933751619ac8d450f371da

SHA1
3a07963145e00c2af90b285ccfd3397345dd7f99

SHA256
b9b21dac883fadc6c55a4047c7219d2a6ccb258a1147523da7fb54b50d7c6068

SHA512
de85f0de29beb50c19800fa5ae3356091d95099fa91f32f64692a0a467b0e8439e90a2ad1965524c7ef81c18eae183a2c00bfd48954159bd0df8537fdc260f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
09e94727848bd0ad3981bf5697114a8b

SHA1
db6be0a790266b3ceaff60d4e8b5f2c0acda0b8e

SHA256
91207792f9ff57d77810c2873926444b34994c853443c21403c6a80324575c38

SHA512
b1ff6d2084f3b2f250eaccc1e072f10cb6c7d3bff49aa52395fac69778b3522258b7a4cfcc5cd5d5a12a2ed5a4fd96f6683aa0e6d23fc7030d5415fd8137cb9b

Download Submit
C:\Users\Admin\Downloads\dotnet-sdk-8.0.302-win-x64.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit