hxxps://theoggroup-my[.]sharepoint[.]com/[:]u[:]/g/personal/rohit_theoggroup_co/EW1S6u7eBPZAkl8sn76CFW4B9_fhjfgaN299JnYAgaQ9MQ?e=CXhREy&xsdata=MDV8MDJ8ai5jLnp3YXJ0c0BhbXN0ZXJkYW11bWMubmx8ODQyOTRhODMzNGFhNDQ3YTQ5OTMwOGRkMGQ4OTdhYzJ8NjhkZmFiMWExMWJiNGNjNmJlYjUyOGQ3NTY5ODRmYjZ8MHwwfDYzODY4MTYwNjMxNDY2OTU4MnxVbmtub3dufFRXRnBiR1pzYjNkOGV5SkZiWEIwZVUxaGNHa2lPblJ5ZFdVc0lsWWlPaUl3TGpBdU1EQXdNQ0lzSWxBaU9pSlhhVzR6TWlJc0lrRk9Jam9pVFdGcGJDSXNJbGRVSWpveWZRPT18MHx8fA%3d%3d&sdata=UjZleTdFdHRocVZkVTFPMUEwSzV2WWtVSHBRQ093dWg1YitWbWh2WExoRT0%3d

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://theoggroup-my.sharepoint.com/:u:/g/personal/rohit_theoggroup_co/EW1S6u7eBPZAkl8sn76CFW4B9_fhjfgaN299JnYAgaQ9MQ?e=CXhREy&xsdata=MDV8MDJ8ai5jLnp3YXJ0c0BhbXN0ZXJkYW11bWMubmx8ODQyOTRhODMzNGFhNDQ3YTQ5OTMwOGRkMGQ4OTdhYzJ8NjhkZmFiMWExMWJiNGNjNmJlYjUyOGQ3NTY5ODRmYjZ8MHwwfDYzODY4MTYwNjMxNDY2OTU4MnxVbmtub3dufFRXRnBiR1pzYjNkOGV5SkZiWEIwZVUxaGNHa2lPblJ5ZFdVc0lsWWlPaUl3TGpBdU1EQXdNQ0lzSWxBaU9pSlhhVzR6TWlJc0lrRk9Jam9pVFdGcGJDSXNJbGRVSWpveWZRPT18MHx8fA%3d%3d&sdata=UjZleTdFdHRocVZkVTFPMUEwSzV2WWtVSHBRQ093dWg1YitWbWh2WExoRT0%3d

Score

7^/10

microsoft discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: 05|02|[email protected]|84294a8334aa447a499308dd0d897ac2|68dfab1a11bb4cc6beb528d756984fb6|0|0|638681606314669582|Unknown|TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ==|0|||
phishing
Detected potential entity reuse from brand MICROSOFT.
phishing microsoft
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4268	msedge.exe
4268	msedge.exe
708	msedge.exe
708	msedge.exe
3716	identity_helper.exe
3716	identity_helper.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 3164	708	msedge.exe	82
PID 708 wrote to memory of 3164	708	msedge.exe	82
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4140	708	msedge.exe	83
PID 708 wrote to memory of 4268	708	msedge.exe	84
PID 708 wrote to memory of 4268	708	msedge.exe	84
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85
PID 708 wrote to memory of 2056	708	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://theoggroup-my.sharepoint.com/:u:/g/personal/rohit_theoggroup_co/EW1S6u7eBPZAkl8sn76CFW4B9_fhjfgaN299JnYAgaQ9MQ?e=CXhREy&xsdata=MDV8MDJ8ai5jLnp3YXJ0c0BhbXN0ZXJkYW11bWMubmx8ODQyOTRhODMzNGFhNDQ3YTQ5OTMwOGRkMGQ4OTdhYzJ8NjhkZmFiMWExMWJiNGNjNmJlYjUyOGQ3NTY5ODRmYjZ8MHwwfDYzODY4MTYwNjMxNDY2OTU4MnxVbmtub3dufFRXRnBiR1pzYjNkOGV5SkZiWEIwZVUxaGNHa2lPblJ5ZFdVc0lsWWlPaUl3TGpBdU1EQXdNQ0lzSWxBaU9pSlhhVzR6TWlJc0lrRk9Jam9pVFdGcGJDSXNJbGRVSWpveWZRPT18MHx8fA%3d%3d&sdata=UjZleTdFdHRocVZkVTFPMUEwSzV2WWtVSHBRQ093dWg1YitWbWh2WExoRT0%3d
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff874cb46f8,0x7ff874cb4708,0x7ff874cb4718
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
  2⤵
  PID:5908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,3307028246984124146,3311068086277275065,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
19KB

MD5
f0de9a98dbdfa8c02742ce6d92fb2524

SHA1
cdec682aeb9e39edccc2374dab26f04db754a8b5

SHA256
faf4294f27a542b0f9ea2a7cb2711529ab027cd84a5f5badfae752100855e6be

SHA512
856fc9ab199997e69a9487372bc0083564f7115b3e0678cf1d542b9864e9a88d5ffb85697fd93538dc9439071e3bcd4b8bccbfc610e1a45de104d6362d8adcd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
672KB

MD5
3e89ae909c6a8d8c56396830471f3373

SHA1
2632f95a5be7e4c589402bf76e800a8151cd036b

SHA256
6665ca6a09f770c6679556eb86cf4234c8bdb0271049620e03199b34b4a16099

SHA512
e7dbe4e95d58f48a0c8e3ed1f489dcf8fbf39c3db27889813b43ee95454deca2816ac1e195e61a844cc9351e04f97afa271b37cab3fc522809ce2be85cc1b8f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d48ea8dd75bb541b49f88c630388dd56

SHA1
5432c6081c00922667460a569a6aad5ff8915112

SHA256
88fa894daf46fea2077978cdaab40a9017eacc0f1544e27af8b06afdb2469668

SHA512
133ae86fd4380c92b4ec7edf8fa0eca56bd1fd53842f5006725d5be30ccaa325e2e7581a12b14698adcbbaed6d35d20c82374a57535c0dafd462e4af2c0b5acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e7f8e06eb42345b9ab513b8794ac85dd

SHA1
a3e680092278ae550967b288cac37950780097f1

SHA256
147c736df54efc04535e8408e7126672ee604cd88b294e5ce2ab7c68a311f4bb

SHA512
dedafd8326a78c5777d24a54d30edde788ee296b39ddeadadc5eeed98b26360200e5aac8b22d080cb08bbf153e529e580f481e134fe95c2fcbbe425f399cf557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c214544d684fc37f593d2c818ebba1fa

SHA1
bf713c3142313e13f99f166319a5bafab44a4446

SHA256
9605f482eaaa1c491c0671efa879e392030edc78f8d710a479993b039d0514ba

SHA512
84ce29b8c7ec07e8545712775a599ebf317b4be2e3f66c39423be090f1e1794f3773ea65c733e865e206cd4ca3935e85a78b5be86d0102d0decef40e2c7f7930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8efbcfeae6360a65ed48a12495a67f16

SHA1
58e4cb69f85929e953a6effa4d41a5608d014656

SHA256
137683231b1136f5a74d95668fa2852010ce1bfa169aa777cc61f9b18991c6f8

SHA512
2e99966ed380908baf41f2ec75ff739d8858f20aef07035816997a6a93bcd8c6e9d3afba96efe27ea0801a5ad3b83f0b6b6aa6bb7802b0fa554e7f1b37ada77a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ae769fc178e50b3fb5c67ef6b9a50dd8

SHA1
6a956c7698d40641f9dfa50f238bd507cf499d76

SHA256
11c56ae52eae95a90600f07ec652851d1a09f2742757441b5de0414e6096d8ae

SHA512
ed7d08ac8173cf8ff232c7c74de329549410b7b6308e39d112b6dabd9e91b256e9a9a75466f7e27242d27fc57f66d058bd50696adb2dcd164fc69db609ac8ffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3cbae6f333fb0068e0856638cf0b0bc5

SHA1
d13ac24b922edff3cf36c7afeddd61ec97986b0e

SHA256
bf1dd89cb218f511f0e4da843e8a1cafab22bcec5ae4ab56e6202495ce21391d

SHA512
d87c62ab12fc3a93d0d6a3c6cc7f772fc8431af20eb7fcdc891e1ad9123e86ecadbc50d68c373208b1e5cf19ca60b52690cfacbe15c71058ad51d05ee0786804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
73a7243469edf784e38b9a23cb20d814

SHA1
7436f07347b81d8b0ad67acdec828044c80c08f1

SHA256
1a643e312b76038783a5986133af309958a65ab474c503f16eeaa04208684fe4

SHA512
3fe0dab0efc7251f7dbd46bf74734c53d922dd978b52bf63360f181954872d9a0b5db8051593f4ab3cee85bf97952262424afb6fb5a16b49508243827fdd9da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c587a576d4f2cbcaaec016ebdeb3f2bd

SHA1
dfb9857ba3ff6658c907c4330fc31be787cc03f3

SHA256
f4b7b5c4cb01e6388f3973da291341698d8e380238205fc4d3427f33e9c99019

SHA512
9ca48ad6b7de3aca5b3d5ae0ea17e63020a245e13bd1568d41d7df680c04e71cdd5a2541d73dafb5c9a1cd4ba94b6509faa050080352896dfd95df6f851d2468

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7d1ec6e80ad85732716e527acabe428e

SHA1
f974237a2aefb1efe720c488c66069d8312c2a76

SHA256
2399582017d4aa0d6a0f22d25f7964f2fc6adcaf4154485af4c06184abe38b3f

SHA512
2c3e60809aee16b7a8708a6e753656cac0e8d95faa94474d8dd2f538f6744454e07cf60dba27a0110fbe1948dcb69ed6e618b429cb66316bf4f1434dd170768d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9d334901a4173c2d64c0e7954479e126

SHA1
18626c25a6942f7a38556198b729013b4f56ad91

SHA256
f8066112a9f53c4bd46ffe2b5c2b3599fcdfd744b54307d43276476b81bdf7f5

SHA512
bce55fda581aeb343e8c9d0e47227caadcd1562e2623e0b63aabf89de9178f40ef772072bb8e846e5386d656aa75d16fd8936cd3c7fdaf3f0a97e3021b830f74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
45c30ee55a0cb6ab5838a5fd183e447e

SHA1
516770f93cfbfec6b5013d2c8bceff2cba1c179d

SHA256
37f1521fe60753fa5d858ab994cd2962cef2c4f1cad4a7d63b78e17f3c7bf020

SHA512
e95dddd9f94cf41342d1a6b84ecbe0adcedd194d9e53dbb59bbbdfa8b72edd29d6e409783978b76dbcac84e3ae1d7b712e16a28a63f0ff37d8a375d5bda4f5c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f4b47ca93e8ac86c76fc1c3541700a01

SHA1
21fa8d8c58955c42d56a733ab1f4fbcdb31096ae

SHA256
8ca15445ef4b3ae2a3c6dcd2e57768d4c017606268d94f35883b1bcd8a998f70

SHA512
3fc76658a19183eb5effced514098a50386c0e80e7b71b655ab966c8d0743384b071fa8efa524126989bb7cd1d07cca38f19a7cd7bdf31f56a62eec9d70592e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8716d43e9df2213c11c20e3239c9afbb

SHA1
92b42c45373428c59cf78f87c7cfded67f883f8f

SHA256
c57619e31668005e48ad0dc5c97953a03854d5f36ce5d0c3fa5eec6961cee96b

SHA512
42be1dae6114f1f4e32744ff597c6978a8cb22b73cf9d4659abf84b2028a888594eaa8c2e03b937122049fdfd0e3ca540640f1add76ce34a9cd948a044773efc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3b5d77798ccba62691cafdb4ef72c5a5

SHA1
dd939e09a8e0ebd6cc4fe1014f43eae3550d2845

SHA256
75e6802f6e21426b4b8ba2f1c2584bb54295387057a77af65f24d6120814df54

SHA512
a8686a9c68488e9a179e0f84a14a504dd84afc78d1336652ef4a30816dfd208d279080911f857251522c24c998026d1e52be87892aa06c24722582a8bc2f76c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
444189cfb70ec7d5b8201edf476ab364

SHA1
595d4f112a3f6aeece6e0bd99b59e377bba4670e

SHA256
858aa3516c0a808a161a0f08e283073195cb9a720d5b7c97119a01e836cced65

SHA512
9ccf2e10ebbdc5611579f9b46d8f801301234b4050e89ece216e845b85f2439045c577cf830afbf3b2c95c2d3131380784ae0f7817ae1f662dbe75b8728acd26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58216e.TMP

Filesize
1KB

MD5
48e4f833c6af3d1efe05d833cab3e1b1

SHA1
b49672622c8ee61db9f3188c83c33331988b13e4

SHA256
812758bb339cbc69d8692803e4ec8fb1fc38ffc13aff0b7a2d21d25991c528c7

SHA512
4d5360ec9bfdbd0c85ae149a8458f4637beb5743287159094cea5bebb452a052cd9573ada79e207019d54fedc649fcc672ea811ddb7be1b10695ce3d4d9634c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4919eda12e9398f213b0bb5fd6a6b26b

SHA1
39870280b9fc31a61982d5046d5232da01a31352

SHA256
567e750c98d89183e7ec00f24de184da23e63e214ad7d12143f6f29306b9891e

SHA512
64aa11106bcceae4a3f523ac456b91250cbf0afc16e1dcf6fabc41645e8f70ac5a32a1d7c6cbfaa5e599906b8fc61f43808f3ac0baebb79a8eb6194a353b04ba

Download Submit