hxxps://clickme[.]thryv[.]com/ls/click?upn=u001[.]Als7cfHaJU2yMdsJgpsIFlHwqkvEJKIXKd89T-2FvMzJbxcqhVUJbUXYUQ7GrJb0qHSXO4_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOKqr3l5Q5SyCKEd7Iy5-2FREW2-2F77302wbp-2B9MI2kJ-2FNk-2BqGdOqTWT5Y4-2F8g717vIpvx9lUoFYGyJfcDChTdfr3A9N4p0b6RwQL7CinQSygCmuVuCz-2FNmJkAweUr9itShH8mScllfEZkp-2FBz-2BNwJK3Isl3yWO5I7-2Bxs8sTsDilMdcrE-2FYUiSgCccg5ZymVUt5FSlwAZiNQ-2BaC7jUZ8arBb295FbjJOzZnoSQTlzI8byS8uFw5VSuzJES06fak4HbJRc-3D#Aaidan@astranis[.]com

Analysis

max time kernel
152s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFlHwqkvEJKIXKd89T-2FvMzJbxcqhVUJbUXYUQ7GrJb0qHSXO4_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOKqr3l5Q5SyCKEd7Iy5-2FREW2-2F77302wbp-2B9MI2kJ-2FNk-2BqGdOqTWT5Y4-2F8g717vIpvx9lUoFYGyJfcDChTdfr3A9N4p0b6RwQL7CinQSygCmuVuCz-2FNmJkAweUr9itShH8mScllfEZkp-2FBz-2BNwJK3Isl3yWO5I7-2Bxs8sTsDilMdcrE-2FYUiSgCccg5ZymVUt5FSlwAZiNQ-2BaC7jUZ8arBb295FbjJOzZnoSQTlzI8byS8uFw5VSuzJES06fak4HbJRc-3D#[email protected]

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{5636A710-326E-43B3-AF12-7F87009A69AE}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3540	msedge.exe
3540	msedge.exe
2992	msedge.exe
2992	msedge.exe
620	identity_helper.exe
620	identity_helper.exe
4364	msedge.exe
4364	msedge.exe
6052	msedge.exe
6052	msedge.exe
6052	msedge.exe
6052	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3040	2992	msedge.exe	83
PID 2992 wrote to memory of 3040	2992	msedge.exe	83
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3472	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	85
PID 2992 wrote to memory of 3540	2992	msedge.exe	85
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86
PID 2992 wrote to memory of 4940	2992	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFlHwqkvEJKIXKd89T-2FvMzJbxcqhVUJbUXYUQ7GrJb0qHSXO4_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOKqr3l5Q5SyCKEd7Iy5-2FREW2-2F77302wbp-2B9MI2kJ-2FNk-2BqGdOqTWT5Y4-2F8g717vIpvx9lUoFYGyJfcDChTdfr3A9N4p0b6RwQL7CinQSygCmuVuCz-2FNmJkAweUr9itShH8mScllfEZkp-2FBz-2BNwJK3Isl3yWO5I7-2Bxs8sTsDilMdcrE-2FYUiSgCccg5ZymVUt5FSlwAZiNQ-2BaC7jUZ8arBb295FbjJOzZnoSQTlzI8byS8uFw5VSuzJES06fak4HbJRc-3D#[email protected]
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3a0946f8,0x7ffa3a094708,0x7ffa3a094718
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:364
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2972 /prefetch:1
  2⤵
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  PID:608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:1
  2⤵
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7380 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,6481812426613941669,1360535413992793892,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4752 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
41KB

MD5
0af350c480ab565287007d89ab48a899

SHA1
4bc2a2c1ed2f10d047429af7c9bcaab3a34f25bd

SHA256
030239207754b0195bad3b58d42e4bfed6df4aeaff730c3fbaeed92021ca4b85

SHA512
3586ded7ed16c12ba8201b1a215f818e0dcff598e012001a4765cd727587e5243c87c8e7afe84af623d34beeced1b536e1e1671cb3baf72175512a6800efdd6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
16cefca25da2b8bfebf86fed3a7234d0

SHA1
dc916c2c51148227eea4d1368bbd86e2ca26ef48

SHA256
5e1c7c425b25edcc702f2bc4aaf6ba961363e85ffa95bb17247c8c15f50798ab

SHA512
6b0950b48525d94f0ac83dd10703e8b9c667b2dfb8de9d46b697433a352360ab110d0163e440080249a249abde35448395b316c4537fb6ffd64241cb4d4c772a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
edb6d62da92b9ccb50bc921773db492a

SHA1
b7ea2f2cd4493de094dcd78e9af0d42d1057056e

SHA256
39550f3eea6e8e98fef1fb7f06c8b805ee9e34aa4f7820389fc9f1f2954cc4ee

SHA512
c397a5ded5ccdd1ad2d3544eac898e519440cd7820ccc2c5ab916aae186c881d3f15c2ee60d90e902d55ccfa9f3d6ac7b0a5fa8789ca47cea7e93a54de6e1d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
293ba4f76d0bb1b636094a0cc4781900

SHA1
1aca0ba02a4776de58a76de6c589a50fe356afeb

SHA256
11aa4f602b186bd07429ea8f8184852259cfebaaebd99dee957d9a1eece16e0d

SHA512
0614d234667c2ce04c44937ddc181d606c717980fa74ab8a269a646fbb52308a332336fed303afa10d93224315c261b79b3d0cea6f5ed879810d0721ab1e3456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
20d4dc287544cbbc158aadaba7ffbb38

SHA1
69c4c05d1a9f2311bb5fe155e0a1135e42d28d51

SHA256
a94a1af30dc311c05734a8dffb307e6e0d47a140e5dccba06c716e8ccf9e96c4

SHA512
ce15103b3efcf7bc63d3715582e5e895ee25b70ad05c0d90a552002f67433265c52960811de88788d712c98f0ae958f0f51635f79ae390bc3ef7f68ad1ef530d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8b4f7aac5f00f23401abe41db777f99d

SHA1
91c0159fc0be108b6720b8fba64dfac12e9d8790

SHA256
6867e90839b1f48fb64632d75e170e2943439210bcfcd34cabdcf4e03b8e86af

SHA512
d2c8f68de8bdb3beb64a6358b50103f6edcae175a0c808aa86302ab47ec78431ee3e0f010b3ff2788455cfe9579f0ff80a35edf7dbb1adb14dff358a83719641

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
2fb77f7ccd7a656eca30ea58f29f7dea

SHA1
98607161fe03052a9a1e884671e113b16915e5dd

SHA256
9e816e70b4e8b4fad8dc965f88a8592d9a92a67a5115e47c59f3cccef98c4c06

SHA512
5055753de5492f231966acff86e0de1bd2db71087f510687c92ecc10b4213d7877354bc8bfeb0705cd3f162635f319641035b6745bbfc0c098a438ed43036a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b793f710d583006539feabf6d2990060

SHA1
e87f564f4bf3130516359f5553583c7b20e1b91f

SHA256
d6540eaf0e65e8d766e6a9e723bf106c932af728ebe4bb5b78f4bb5e4e2f4192

SHA512
2bebf30661a8147dbfbf3a7f2b0f46437f012b70d10fa421b6ed00bc9c92bce60e5946c7c60fb5aceb85dc8f168f81de00cf2db15953894b6bc18230c28ee06e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
0b7d482a893698250695f26a20c3c64a

SHA1
6d3235a047180649023db7dd705162bbfe4b60c3

SHA256
33c49a5d3df277b42828ecde8d8655b8c4a003a95ec083758fb7dee11b68caa0

SHA512
383ebfe53b01433c721ea6875c7350fda90ae5d961762bbe00006e910189a2e0f619c59d273984d17693ccf6bdaf05861223ab5895adead61bd820eb347ec769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
2ebad858a5a0c54a592e8ed0c45034df

SHA1
ac55849cef78b2590604f49e4d3503557c41013c

SHA256
fa060e3c950513dad5c30f04433cd97b423907423400b1470c082c6963873064

SHA512
f4917e0147808c2b11c9424d9f352910951e408717b368c8a76b32363950579c1b3f327de8925b5c0ab88c2ab0af03bb4a532d0128abfd57e88446c13cbdc0ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5895a4.TMP

Filesize
4KB

MD5
95f34d33847306baa2e054ef33b77973

SHA1
12fd7d9ce3aac71fe49a09b0f39d776fd719732e

SHA256
d3c9e82d460204a82f272b5f0c4ed3551a2c55914a522499af2f9ca6265d7db3

SHA512
fc0ad3fc5e2ed50e4da56c7c9c3710ee1fb053f263e36bd0cc427b1f7b59cac576b380df03451fb16e2a9906aff51686d835c75a20263e985f92b7f53df1ade5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0a32e8a34f2d6cc4af3abef8192f6b4b

SHA1
7f19227dd6bc32071fe720bdeb6c6d25eb469858

SHA256
a4c6853ac65134a0e0d895f929dd67c3a72d3c8ae507624e567b79d28a16a8b3

SHA512
c416e71c8a5a03e5269c58528fc30ad5802ce69026caa9dc72c5f33834f6467da7d4463990997aa601b3af345ea504152318e8879c6a0625d8e276fbbe66c3bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b344d46eadef13c4e60aa2c98620dafc

SHA1
3d0926f0f9756dd0a845fab56f30d22362789848

SHA256
7b246df46b3066ac3923be1277bf1156a76723523f014cf6d44814dee2ebe2c0

SHA512
f251968f1d9f811be450e91ab2a41ee3ff20c9df8d1d9b18c04083510b054148a582b972ba47a7a60cc8320dfc7b703e563362b0bc96f4e5eb3b4ad66cac6477

Download Submit