hxxps://westend61-my[.]sharepoint[.]com/[:]f[:]/g/personal/protectedlog_westend61_de/EkQ9NPt61TxFll61PvxGomkByf1EO7tMK2AcsV8c1zQXUQ?e=Io4KVX&xsdata=MDV8MDJ8c2xvcGV6Y0BzYWN5ci5jb218YzJjMjczNGE0MTZmNDI2NzA5ZjIwOGRkMDk2MzEzYzN8NjcyYmFmY2UwY2NkNDg2Nzg0MjBlOGJiOTE4NjJhZTB8MHwwfDYzODY3NzA0MzMyNjM3MzA3OXxVbmtub3dufFRXRnBiR1pzYjNkOGV5SkZiWEIwZVUxaGNHa2lPblJ5ZFdVc0lsWWlPaUl3TGpBdU1EQXdNQ0lzSWxBaU9pSlhhVzR6TWlJc0lrRk9Jam9pVFdGcGJDSXNJbGRVSWpveWZRPT18NjAwMDB8fHw%3d&sdata=T0VFQ2JzZUpWYXJmdk53ajdpOTdXQ3NqMloxdlkraStvQjVRYkRqN09kUT0%3d

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://westend61-my.sharepoint.com/:f:/g/personal/protectedlog_westend61_de/EkQ9NPt61TxFll61PvxGomkByf1EO7tMK2AcsV8c1zQXUQ?e=Io4KVX&xsdata=MDV8MDJ8c2xvcGV6Y0BzYWN5ci5jb218YzJjMjczNGE0MTZmNDI2NzA5ZjIwOGRkMDk2MzEzYzN8NjcyYmFmY2UwY2NkNDg2Nzg0MjBlOGJiOTE4NjJhZTB8MHwwfDYzODY3NzA0MzMyNjM3MzA3OXxVbmtub3dufFRXRnBiR1pzYjNkOGV5SkZiWEIwZVUxaGNHa2lPblJ5ZFdVc0lsWWlPaUl3TGpBdU1EQXdNQ0lzSWxBaU9pSlhhVzR6TWlJc0lrRk9Jam9pVFdGcGJDSXNJbGRVSWpveWZRPT18NjAwMDB8fHw%3d&sdata=T0VFQ2JzZUpWYXJmdk53ajdpOTdXQ3NqMloxdlkraStvQjVRYkRqN09kUT0%3d

Score

7^/10

microsoft discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: 05|02|[email protected]|c2c2734a416f426709f208dd096313c3|672bafce0ccd48678420e8bb91862ae0|0|0|638677043326373079|Unknown|TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ==|60000|||
phishing
A potential corporate email address has been identified in the URL: GetListUsingPathDecodedUrl@a1
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Probable phishing domain 1 TTPs 1 IoCs

Phishing

T1566

description	flow	ioc	stream
HTTP URL	66	https://login.outofits.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=8e590205fa496370	3

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4452	msedge.exe
4452	msedge.exe
3476	msedge.exe
3476	msedge.exe
968	identity_helper.exe
968	identity_helper.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 1128	3476	msedge.exe	83
PID 3476 wrote to memory of 1128	3476	msedge.exe	83
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 3580	3476	msedge.exe	85
PID 3476 wrote to memory of 4452	3476	msedge.exe	86
PID 3476 wrote to memory of 4452	3476	msedge.exe	86
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87
PID 3476 wrote to memory of 1328	3476	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://westend61-my.sharepoint.com/:f:/g/personal/protectedlog_westend61_de/EkQ9NPt61TxFll61PvxGomkByf1EO7tMK2AcsV8c1zQXUQ?e=Io4KVX&xsdata=MDV8MDJ8c2xvcGV6Y0BzYWN5ci5jb218YzJjMjczNGE0MTZmNDI2NzA5ZjIwOGRkMDk2MzEzYzN8NjcyYmFmY2UwY2NkNDg2Nzg0MjBlOGJiOTE4NjJhZTB8MHwwfDYzODY3NzA0MzMyNjM3MzA3OXxVbmtub3dufFRXRnBiR1pzYjNkOGV5SkZiWEIwZVUxaGNHa2lPblJ5ZFdVc0lsWWlPaUl3TGpBdU1EQXdNQ0lzSWxBaU9pSlhhVzR6TWlJc0lrRk9Jam9pVFdGcGJDSXNJbGRVSWpveWZRPT18NjAwMDB8fHw%3d&sdata=T0VFQ2JzZUpWYXJmdk53ajdpOTdXQ3NqMloxdlkraStvQjVRYkRqN09kUT0%3d
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0e1046f8,0x7ffa0e104708,0x7ffa0e104718
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,540283566127041285,4378970942075328576,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5832 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Phishing

T1566

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
38KB

MD5
e48061b164573549914439e190948500

SHA1
6ba0bcd37274504578503d87274659fbd4b47216

SHA256
eb7da0478ce4d9f3ea966d7fe81e057cdbd2ff0fd3bd9e80e410851ab947f5e9

SHA512
1d5b3b5980d8bfc31373fb5656f9d744fc60510efd637e14b8c4f63e6973fda67de2c4a33b832be54a29102dfc4e3304d4bce914d3100dccdae8358334dcd1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000bb

Filesize
21KB

MD5
3121eb7b90aafbd79004290988d25744

SHA1
5584f1beb7b9e8ca11833035c9962b3ddd54f904

SHA256
6dbe807b8da91d549a49beec3330d795601ec0f272ea232e91121f3ed703dfe4

SHA512
ed25bf0b7c12742a7b71bc271364970508fb03a5096f42eedc360ce92205af5be0ac4eb0567585882d34629d179f9cab287839247c81f61d894360a83b28aaa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000bc

Filesize
25KB

MD5
b2b60f1c7184b15ebd6cb2a213c323c5

SHA1
8fed557ff6e49376f3a4bc56f95a548d6075955d

SHA256
dba7c93d3cf4806133d8fe211dce32aa12041fb82acc4591f464052714878fb8

SHA512
e1a4bb4afa8fa8c09e163ba9c0d264425378c8d50f212e2932a2b21cbb6983b566180657bb753681b960d02ca4dee73a5504d433c536e64da979cdf34aabb8c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000be

Filesize
35KB

MD5
a729d45a65e2b9849159e08ef6fd5f12

SHA1
75a14f3e8ac5d4eca6ade8771c84f4f5328301d6

SHA256
11980ecd03e02439a6300eeff5dbf9a48bd52eebf14bbcc246752b0ce5baf223

SHA512
89460bcacbedba68cd7fe67e675c5dfd76e6c43d87ed13d03eebf4a66bc298c85f96605306eb879d4ed89bfe0e53699a11a09bba866226f767ab97203395a6b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000bf

Filesize
35KB

MD5
e243d03bb4bdfb80fc2b9c40863299c5

SHA1
7abeba96529b293239da5536d4260efa1e797ad9

SHA256
a8283e1b2cabd16be04a6cb0a292e532d5b74520123e09c2cd9deb9eccf2d1eb

SHA512
7bda56879f1873647edf1b3d18e468430fa9a03ac88e8ac5209e834de13b7c0fd195f684f7afde8e526b4993c1debcdf6373357b925b423afcc37d76ee5c0f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
2004f8310943aa7db5be64e858138f18

SHA1
090962f07f4222460939812c08cbdf2ef901f7a0

SHA256
1fac9cc030519afdb545f3fea1a1c77eba44b22aa1362b8d885b59015b518119

SHA512
7e3b86a18bc78e03f93fd138b4f62c001171f67c0ec1c7a824a856a58c1624d2f4904cc1cd1074b2a0486dfa824d79237c08cc85cc684f25ddb85b66a4074504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d9426087832adc89955185e903cc0e60

SHA1
fece9aeff96d7fc6762ba0dc4f2c6a8681bf64ea

SHA256
074a570626534d1af2780e707a78fdaabef49368a9f572838eb8dfadb5e68b8e

SHA512
ea80b23f7f99148208115253e863b3a8a714b0c37cef4147b7a043936c59656fc51fe1d11d8fb194918f8a5fcc4800ed93efb659bfb32d761ab9164c32403484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
4abd5e99d5330c65ca919c8e015bfa85

SHA1
d744714fc7704b989fc368dfb355dad22c41d36b

SHA256
9d803248e1f735c63e52e9d4dd195438738ddadc5bdb233ae8f5bb0989838ffd

SHA512
41a81532f2d4d08de66bee159a379c64f3746a9ec6a3745e64e0b3feaba0031fc1233ba112857b0c9f8498a71342c44143ef20a95c98a3358954ca739caae34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
eee0f9d01ef354b95838c8c92428e9dc

SHA1
8ae9f82862f1dbfd9f6fd012ad3b9a81609bea95

SHA256
24b68cd85e3159765e8a544cc1414d08781335adeac46a811a5b72c37f1b2521

SHA512
2d68f75a87b10293056a7d5f46e16150bdc384e10158e34961f458b99626d24c87cef453f705d6cfcc78a7ab6a15833f2b86f903e97056f4898614b3a35f4f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
015dda0aab880cdf41f0f20fa35068b4

SHA1
018363f8e0e80acc6d1788eec7c932c204c5a056

SHA256
006ee26a4f88547c3d98cf01debdd417b16764f3654c9d9f3355727ba9cf9767

SHA512
50a9ddacd2bd0104d8f2bae835586b68f674131a7f9a5490b4004662564b61ba7fb6ea53d1761ef3591f4b76aaac243d40ee71d334cf86ca46d783a16a4c997f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7205bc884b0f27c05ba66800594dde0f

SHA1
5037256063d739e35fbe00c4d6880f824876d9dc

SHA256
04267b24987b44d99a3ad4ad12900d2fe9f7cc987e97feeb74c04dc195dbe059

SHA512
3fb2f39ffefd8fef6c353fba30b0986dc0d873d0c09b35dc10f42e81e0b19f6334c0d884117f47647ad725dfac4e1a3eda9ac3c0612da368d446e108e10666f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a4c9e7e5aa14395eb55eac8f4257432b

SHA1
a396ae8985ec47742527c3a006c1b9b5d0a653a2

SHA256
26d4469d251e2f96a0d0b46274bf203f470e71b58adb5d10e407d8fa2cd3ea89

SHA512
006adb67b6a23d53cc884beffc9991527332c5bcbae1cc406d69e62f6e288c1d9b3f310a995b752e79a8485fcb9bd022b51b38f7c14c1650adf5435863dee4d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c50ed585f01b12a87dab4642dbe5a6ba

SHA1
4eb722ebb885885de21463596c27be3df44f34ab

SHA256
28278f532bd8e887149e13e8d12691829e2d918748a76ba9f0b3dcd810ee5abe

SHA512
ff4894a8e615c72be667cf659fb8775ea95e2a46c2cac6ff66474994b3b7aa23ce4d46405dddfffb48ea54751299b9c070c980fe9f972a937ace9ee3457a3ada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1b23b1a1498debdf023e5f617f4f0f9c

SHA1
d63b0a0cf0f3622e0e558083e977898ecf55b285

SHA256
ca691ce38f1ffc3a24c003d8f1922ac2a21016535f7474e056550567ec8874f6

SHA512
2c23d5717044cfa9a00da8ff8daa0af495997257ba306c44b1bedac50c0a0af4aa38668ae9a7f10aacb3b0234d9e419b9a9cc2971cbcca258fab7a99cccf14df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\dd5878835a84b3a025ad2991b61fd6b6804d4b48\596d2044-2514-4999-b52f-404fc75fc342\index-dir\the-real-index

Filesize
21KB

MD5
1c082ddd63fa669ddba259896c394f9d

SHA1
880a350d6ba78a54980e7549c0c8e7237c9eb63e

SHA256
12ccee4fbfe8b1a351e5bc40260deee3a65f692b5eb5ae2181d893c10309608f

SHA512
6d54301dea8ed7f6f7c7df25f4830d3ccd2031544ca7b960e50aa979e8fdc9ec785fcde4911fc388e816dacc59fb9e073466fd40ec794ea67aba84b82af5bb45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\dd5878835a84b3a025ad2991b61fd6b6804d4b48\596d2044-2514-4999-b52f-404fc75fc342\index-dir\the-real-index~RFe585937.TMP

Filesize
48B

MD5
fd974cc1f7ac3680d873795c3a9f4dd5

SHA1
469f843b4912f833327d4d4567242d8223b46a1a

SHA256
1b2be08688d8459437505d94e574510e73029a734a5cd41f0981d59ce3b61808

SHA512
895b4c9a115be7ce847e158b5f47117d2c9bcd6861e269b7d2bca09f9cdc66a0cfaf77eebbfca784fb6267fa93a38c93d1d52327efc6620e5d58e54ea5aac904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\dd5878835a84b3a025ad2991b61fd6b6804d4b48\fdec7527-510e-4ca1-a14c-c0ac34201729\index-dir\the-real-index

Filesize
768B

MD5
d30e80d006fffb86f25894df4569217f

SHA1
b7e109380a90ffd7d489a0b5a00d39785997dad2

SHA256
1b689437cb293f997aa754e753b7ddc1192b25c38996e414a5af923b61e6ae5a

SHA512
2d99107e32234e9b4a9e279d6f547e3e82c35855a6033156319a143f913c1941f3e9a5b22b9a7b887d3673ca9048767e39cd1f150a1c197a0f0cb50880fc7f3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\dd5878835a84b3a025ad2991b61fd6b6804d4b48\fdec7527-510e-4ca1-a14c-c0ac34201729\index-dir\the-real-index~RFe585abd.TMP

Filesize
48B

MD5
93acc163b23f67d2b2cba3484f1ad7df

SHA1
0d072ea7209b1e7f073076999a6f35bde6cd37bb

SHA256
f4a4eba2f2db3abb815859a2f0ed3110d78133eac1cdf9a97e99cda0c09307ba

SHA512
dabe2f688096b6ee9ce25c29bc98eda999d6faf59413b3846e240717ef18838cfebb4e6fb965e70aedca10117fb9c4355068e0cdd775978d93b80e717beaf5fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\dd5878835a84b3a025ad2991b61fd6b6804d4b48\index.txt

Filesize
179B

MD5
23a3780129ae4f9fd8817cb2adfe26a8

SHA1
ed0e70cde24082298879a79896bd568ea1fe83ec

SHA256
bc8bc7e3d027c045d060771a2f36f75c68fc11f82f5ad30755c5988bb1074a77

SHA512
b2c7815db6c204f6485c90eb86008d94c88fd9fe677e94f1e07d052d815762ed5ed7b1c4b5cd0bbdc5e50b1e8d1d10797d4d1eb8354efcd583545bdf1ce4e416

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\dd5878835a84b3a025ad2991b61fd6b6804d4b48\index.txt

Filesize
175B

MD5
2e144b5b68acb6847b4b0b97ec76c3ef

SHA1
af6daa0118ebd0349949c04afde6cb8b84e04496

SHA256
f4f6d2024fe2c1f45bc2d681cbb116de18acc1294c1b8592f426a251c8d631b2

SHA512
7d7cfaddec2a8e26d36f2f978f156f6249fa3814b95fa474d0ba6a07e1061f25c5a19c2c0296acaeabf35ed8ee946ee2155fd66edad466ce113e344ad9d66fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\dd5878835a84b3a025ad2991b61fd6b6804d4b48\index.txt~RFe58055a.TMP

Filesize
108B

MD5
aec2608cf2931eda0c73898bf1e8805c

SHA1
fa123115e80c36cd0a1bf8191e21ed114e2047e9

SHA256
94c37735074865d57850fa162fa027a3b6c807f4f0eb30afd23ef5c030af037e

SHA512
c10f8b55ff83513e37cd19381ffbfb90fa79c8f2a1333d1b2b7c801f63aaf5acf273bf444e838559e4f6b17de9c631ebe5068c93460c9750934db3ce3d18e4f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
186e4ace339f8f6d2e805b72d0d91ae9

SHA1
9f0f2912fcfe408060e22a3e635d59ec7345b4dd

SHA256
4c93485896ec9ef6fc0afa661eb41ed0a11471a5430754326a6a2b06880c9df5

SHA512
f3c8c142a35484e68a9fbb448b33b4b30410aa54aae0076e1d3e3d8c75fb3793a6752642e44a72f4f50859aafb727a1507515d31a1f9e0bdb846ffa1fd5f56ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f6c4.TMP

Filesize
48B

MD5
c39fbd862b1945283053f82a8fed1a0d

SHA1
9323a1d4cd0559247d097ff19363e1d88e0b4299

SHA256
65612beca28d56f94b7a900dc0bb7b0ba9c237170831377811251c76da12da8d

SHA512
ffa489c659c3b735e5c4d60621047b7f7aacd0596b86c121a8b8e17bcb36f2537ba116e0113bfa72615792467dbc2d82dca33404cd34ea250665b223b3d00f24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f76551b59bf8ff1d9cb39722ba6ccdb0

SHA1
29d5d3008557ccb7bd156b68b03dc610530c4b2d

SHA256
c4798baa73fb14b09ddb76c728098b37af8ecab0719f30baf44a06ecdd55dd1b

SHA512
63bc9c9a87773250a386016b249f150d727adc153fa3c18d63721bc843c3036f609388087c899e1a4362de8414550aa2f4d014ccdf9e979d2431c96b658abd06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
67164a685bd2fa8a8a0bd9465a02fb11

SHA1
d31263244e21bee94b0e862614965f769df26ac7

SHA256
72f271e0557fe974fc0c3ae04a81aecf3c61c010ba10915577dfbc07ddd90b40

SHA512
ed97f888b33110148bcbe25aa14cbfdca267063365a4a49963bbafb296b6cc1e37df9198d052e2074b2a5b1c4063061429900cfac4f4719a73ab3982400647e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0b665d96bc961f858445246a6901b810

SHA1
396b7c6cf1d7c03c9a9d85eedb3e45912d281814

SHA256
c9fea5ea42c323e4abe94637d3b7fc5dfa69500bb952855af06d29d3dcfddcfb

SHA512
0d3f653429a9923b494dc8d52352aa104a022a57b948739936d0ccf4f36170b3a161f15f0273656577c05175ee8d0d3f7e03d5904dcedc9ad94b278b1c06dcdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0176e8fc3f3f8acb09f7c469306877a0

SHA1
0a745b4a15428339dd6de10195f4b012dd1b9d3c

SHA256
777833191e968b32fdda58534aea0ee4ca654032e04e4873d4ea4aa0a1d242e1

SHA512
0096eff265ac0750a8dd78671d360f035047b0c641bf62fc7700a9c8e28196f424b3090d0c5c9e22e2d1ba6cb8ef2aa6c84d8f2eca814e6cb95529f858a5a137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ebe6.TMP

Filesize
1KB

MD5
0c23e5a0e0344abff30d841ed0ad68be

SHA1
d8e2150624a4a76fba3584815fc1b3ab143f4c17

SHA256
cfe976d259a98e21275f70f2c580ea4abded964c8a5223b38cd347891a12f57a

SHA512
cef1bcd0588ec5bf0b261effa66d534adc4f0c90f698ad9be11631298ebe51cdbc16f8e5f69b27a38dde4124e70e33825a287434de104cb6d3963430c34187c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3542882b19f54f2c71bfe5700bdd27d3

SHA1
d5be567fcdcbfd1b3dfbf1a332c00c32974669a1

SHA256
b0683906c2654a009d9d7ee5b60c127002670ac80ad60e940bcb4a1edecf4807

SHA512
11bf3a222c14398c46ac91ab2fdb92c373943f18383224f09ba5b7a650a6a1d90b6b3f967a624906cd438416b5435087c8c67c4157aa7700adccdfdbb6ea5770

Download Submit