hxxps://www[.]google[.]es/url?q=queryf7lf(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3D&sa=t&url=amp%2fsafrareal[.]com[.]br%2fyoya%2fcyqpgnyciwml72zkqv8cfohbclplrlifm5ofa/eGluemUubGl1QG1hbm4taHVtbWVsLmNvbQ==$?

Analysis

max time kernel
253s
max time network
256s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.es/url?q=queryf7lf(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3D&sa=t&url=amp%2fsafrareal.com.br%2fyoya%2fcyqpgnyciwml72zkqv8cfohbclplrlifm5ofa/eGluemUubGl1QG1hbm4taHVtbWVsLmNvbQ==$?

Score

7^/10

microsoft discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing
Detected potential entity reuse from brand MICROSOFT.
phishing microsoft
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2428	msedge.exe
2428	msedge.exe
4820	msedge.exe
4820	msedge.exe
4916	identity_helper.exe
4916	identity_helper.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4780	4820	msedge.exe	83
PID 4820 wrote to memory of 4780	4820	msedge.exe	83
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 908	4820	msedge.exe	84
PID 4820 wrote to memory of 2428	4820	msedge.exe	85
PID 4820 wrote to memory of 2428	4820	msedge.exe	85
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86
PID 4820 wrote to memory of 1332	4820	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.google.es/url?q=queryf7lf(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3D&sa=t&url=amp%2fsafrareal.com.br%2fyoya%2fcyqpgnyciwml72zkqv8cfohbclplrlifm5ofa/eGluemUubGl1QG1hbm4taHVtbWVsLmNvbQ==$?
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcf1746f8,0x7ffdcf174708,0x7ffdcf174718
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,16626415008992993822,6826812689100261596,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,16626415008992993822,6826812689100261596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,16626415008992993822,6826812689100261596,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16626415008992993822,6826812689100261596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16626415008992993822,6826812689100261596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16626415008992993822,6826812689100261596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16626415008992993822,6826812689100261596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16626415008992993822,6826812689100261596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16626415008992993822,6826812689100261596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16626415008992993822,6826812689100261596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16626415008992993822,6826812689100261596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1012 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16626415008992993822,6826812689100261596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,16626415008992993822,6826812689100261596,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4796 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16626415008992993822,6826812689100261596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16626415008992993822,6826812689100261596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16626415008992993822,6826812689100261596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,16626415008992993822,6826812689100261596,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:3704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
41KB

MD5
503766d5e5838b4fcadf8c3f72e43605

SHA1
6c8b2fa17150d77929b7dc183d8363f12ff81f59

SHA256
c53b8a39416067f4d70c21be02ca9c84724b1c525d34e7910482b64d8e301cf9

SHA512
5ead599ae1410a5c0e09ee73d0fdf8e8a75864ab6ce12f0777b2938fd54df62993767249f5121af97aa629d8f7c5eae182214b6f67117476e1e2b9a72f34e0b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
19KB

MD5
d5b89ceec2b024c565802c0e51607044

SHA1
74696825d59f384d3d874638537bb4920fdb60cb

SHA256
05dc99c6e0751d3a98e970f628c8426a967cf068a4bd681bdbaf6f627d54c7e2

SHA512
bb683a290b2f506a413baadca020a9716299221746b3e6a0d4c9f4ba481b3605f2911c1011f60f0d38d155f8086c3af51f21d8c0164eccb911b4531983c544e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
113KB

MD5
fd7c977e65b312355272d0fc8acdd53b

SHA1
64961ab75b3e05457e8b672799f33851636147c3

SHA256
d5232b401e9d85a1ecef5333dc49e1dae986329b190648ef266c2a5d5c5232e0

SHA512
058b5d032fb1cad26bbfa0808f81c3df9c8e5a3f321980951b1e453e808adf9c5188f1c18f5e59b2ed830aefe6641d514aaba18390ae24ef921ac02b2207557e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a7f7807b6ecc52a9_0

Filesize
19KB

MD5
289e6e083d650316e09143f72ad30e5e

SHA1
2a663becc45e750c97f41b657606e61f4909873d

SHA256
1df32b6d136508a12775097eca0b2e84f3151730755bea70eab6e3a38f48c085

SHA512
1b66eda2bd0bda99117badfb64324bbb4d885f735ae054e89946fdec5375b222184f741a353aad6896c4ddad10a942ebfdf60f4c66fd440deb4cd28c85c82d70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
cfd0c35bf67afadfbe8d81a0d3257ba1

SHA1
db6cfec7369e2c8cd8e0f68ed4a0729581c93e0b

SHA256
2e3027f29e294ee5efb28b6f409c5e84094973710272c4104de8491cdcc8f386

SHA512
caf6c76bdbcf43a9a95eea79a86faadce14e815afc0f112edba824d4440735c64187c09a751f91d94ac56d074e708e405ed7157b242e1c06f3280d5a83a4054f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
e780a5795f0de0210dd9c9abaf05b878

SHA1
4ec6ee7b84487bd65334c8fd73b5cd4dc1698a27

SHA256
50bc57d3f7f2f09d279b51a5fe561be36d284bed5e721c30efb7125fe9778b38

SHA512
eb8765dfe783b076e67771cf79496f90025a712cd5d482e260bf4b411d0a284cf6fc01feac67c57b7936d91f136a91b8662deaa138828f3d32d7f7ae30fe5f1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
3344f418a295d2e51f10d4a7e8cb9930

SHA1
a3cc77eb07c24a68fb92d7dc33e3e4d5cd9dff7a

SHA256
d8cd075895b24dafffede72da0b707b772ad192999c0bde53680aec4d6204836

SHA512
4b15443ff9fa8b428e6698b334275c0b5b5fb8b44f38cf701d70868ad846a7d372e1fe90b5e3aed0b7268a82080d401358a13021160d32705f167993dee359cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
643c9b8777e154abaafad32719131a3c

SHA1
1c9266990ee29fd79f03b8600ad4de9c873b03cc

SHA256
3ffdf00c96630f9286c212395c759daf384033b935fb030088780c9953d1c797

SHA512
b5a31c4b538bc4ea4ebce411d6109d7f64edd3d1f4f9ed9bf597f307948557fd82fb6c10252479c2556671bf27b46ecc7871849d68384c540a2bb32869f642be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
749e2a908610accf3ce63c7fbd508397

SHA1
312c084fac1295caf7769d6e8a52ec31a900cecd

SHA256
aa90b35b4f9df96c1fce5a7c75dec902ad63c697e5744aa1dbb0f6472aedcdc2

SHA512
895fc9ab9085edc07c61c0e877014a6b59249a7b15a72063e385904e5deaeefe81a25aace3af82a5d9233137a48e81f659b4e262f51d3596182ae1cc4035cd79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3e492989d126e52731b7a5e7712d1175

SHA1
e1b59287b9f6f936f5c3692297abe2674663b83b

SHA256
9d2df22eb5cc7fd147261e6474529879e0a7cb7ded1598efec7083cc1c0653c5

SHA512
3302169c4ac9373f21d754224567ec262456d9ee95c7bc407937970685c6120f1c3ddcd69518faff4b5506b6643397c779fa7be3db8e1262befe059fe6762b4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f5b953dd01057c4f4dd8473164d362ec

SHA1
483ad75056b64c50a7485b0bb3a2a4bd06d1c49e

SHA256
929821fbd6d44b1d056e79d7bce9fd320d6e42bbfab75a53cfc11fba606a168f

SHA512
e4daad178ba0f65df21f396ca7c9d46b65fd68f4fe1f980af65752bfe5ff669ae1f917133b112ec56a22017d25ef1b3210aaf2ce6aa9bd28b9943c4e04d1df16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0bf164d04f8ae3ebe44379b11062ab9e

SHA1
c3814948a6c29d1d6ab58f5d1a5678dcf55881cb

SHA256
454d06262ab54f1e657c64c6dbbec2f53be57d9bc736522e5a702785768ce1ff

SHA512
599c9b7eadf42abc431f87db2c1c38fdad19ddb2bbd8fc5b0bc75d1ad594deb76369ea6bf8f5dcac18accaaadef755c8685f02f69f9432f6c04eda585b0ba0a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9a0eabc0cd9e9cd85d8227f6dd5f8dd2

SHA1
46c8578eb3660915a9cf10b09e36347e2f76a558

SHA256
9c163d651d97484691a347bcb808bc0141f615c09df28f541dadd45cd6dd00bf

SHA512
5e63b27660ed98b9ae83e8bb41aae3c675dc789bb420fc8c5cc0ded9f4295fa66b66fdc9e8194efa91793a63bac12a04d7f8643de40d29c829370e414a9a9a41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d3ec591a018b56caf8368d6e490c89d6

SHA1
910e3baf386d9e59eae31344171d9e1d9c944e67

SHA256
ad9a8294763eb47b81dee6941870a4cbc269e54914fee14a35def9b3512225b2

SHA512
85abd8f584f81d212a0c47a0ed77729b1b7ae30970c593f4776fa52997a1ef65006d511ebef40123727610d78ee216ba9ce5490e2c836c534330f9e794fe4b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6226dff80d6b88f70833c19e7b50e8a6

SHA1
a0b955adab19920e05d8dbe82f435879e0d8fc30

SHA256
560def33b5f72291f8bc63e16a3b33f1992dfe2533a6fa4081cde4eec4aae7a7

SHA512
fd25820ca648ef354ba378da818bd5e7c7748b33deacb5926535d02f8699b14bf93cbe57932a4c409dfc254fe3eecea8f68affadcd83c5d9a371cf4e33d8fe72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3eb59e86ec991e88966623f8a85ec690

SHA1
e901a5747d37d680dbd437eb2506715e94829a84

SHA256
30ffaf8b8a4a3811aa92dc12c561ed563a893072560c73dc82650ce0bfba7940

SHA512
6ae9c76871f256724fb0313cde5aea488454e1bbd4ee945408ad308cb1f69616b3b36f3a5d5601a8e8a72ed24bdbb06f046e4bdaca1a5b5fad4acd93b30402f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
859dfda927669cec70f33028e058d441

SHA1
c3154d9d8fe10bc167047bc9035ea4dafc502db2

SHA256
86a0c030ffbea37f4ef88b6188791e56afaecf6d9f56738592d9123fe3c808fb

SHA512
3182bf93dfb87f915b1f2c4ff37cfb19a798655fe43bf96135ce5280267f5ad81adf9bc14608135333935f006deafb379862e96215abba2c9a0538df7e2c0b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1182aa0c25ce805eedb402cc31d636df

SHA1
7b940a267ceb93c347d387a0257775885cac66c5

SHA256
3b0a735a9d634e2a5515f370a48616beddc46b76d2b867243cd86752065a59f2

SHA512
18eb9a211ca1994e392dc582be3f5e5fc31262cb30f6f4dc779a4017cd688e262cbf87f41abda003549d2efc9c14c8ef414a7bc9c3f029e7e259313b8000de3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
92b3bf701446cd086e74db564612ff2e

SHA1
ed8f7cd2a96e97e56d3b016d55ccf052b40039d4

SHA256
2c8aeaa62c78ec9baa3d4644bb6c59f5b5108cab07ffe77cd36de44d41cf31dc

SHA512
1ebfe75437dbbe1ca6966ada4f578140fa57b2ccb84350cf4bbd141adf73c03687be4bc655ebaa7ff640620e37472f188640917c272c5f8608411ff334f5e624

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
c189734dcd02c5e2bf1eebd69d8201d5

SHA1
1a444d9237d000740453422ec66e8eef62190be7

SHA256
061077661ed9be6ddc44263dcca4030bb348c0294baa4872d0752573e7477f6a

SHA512
7a5e026502d18efc63fde71bfd85dcf09e74f2163b7712d271f61159192180a55e2c144379e5e703d097581e7097f21f93705e562ea0d8e788686a4e2e8f0724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
0c3518abe2bf5e5a6a6e40a45088d044

SHA1
82fd7c416c93f4c44303f0cdefd2c0d69c41d588

SHA256
b98d930957391c6ac003b310b9f27e345319bbec04485f2eb0e283ddf617d139

SHA512
43973a87a53054a9c5673e1301ddc77aa1c9a5a776c5817619f496539e7be08efac44c16b8b1ee49f8cd45ae97ca32bb2f4044e04a3a95df3a44991c1ceb3f9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587395.TMP

Filesize
204B

MD5
d0f712e2eb7df1ffda98fe6343624ac1

SHA1
1dfb5c16b6686a5e8b5306a9c0b75fb12d0fa892

SHA256
f864b5a2b2a496e39d03393e494474e2796fe71a411969b533ee8d419860edb7

SHA512
f2d0bf27a80a6e087bd9d17c0f1b0df388b464120a988c9298a47164e9e49d55cb8d4adfc53a9bc9ddc832d79012706c3ba9e0ad36a0687ae15557c61daade11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
74f69f7fd03d6cb5c4e9c33c8cf13ec2

SHA1
7b2e7e7dfc4ec16a497a993d15272b956c266274

SHA256
3be6e08610aea8f84cab2550e988150e629eac0b265e1eedc8ac5766284a3989

SHA512
5efcdd7cb82231e02c75c94a53cab979dfccfb31a6e8b4670733bc962ad4e2920cfd838cd8c66e5bf24f18791fa550f9488175d56d62eef7e4b32864cd04f527

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit