hxxp://67[.]191[.]63[.]138/

Analysis

max time kernel
603s
max time network
607s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09/12/2024, 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://67.191.63.138/

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7337f9e6-fd00-41d3-a0a2-f82f76ab773f.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241209002450.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2080	NOTEPAD.EXE
2700	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
232	msedge.exe
232	msedge.exe
1932	msedge.exe
1932	msedge.exe
2636	identity_helper.exe
2636	identity_helper.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
4008	msedge.exe
4008	msedge.exe
2172	msedge.exe
2172	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 4548	1932	msedge.exe	80
PID 1932 wrote to memory of 4548	1932	msedge.exe	80
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 4372	1932	msedge.exe	81
PID 1932 wrote to memory of 232	1932	msedge.exe	82
PID 1932 wrote to memory of 232	1932	msedge.exe	82
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83
PID 1932 wrote to memory of 4212	1932	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://67.191.63.138/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffa95b046f8,0x7ffa95b04708,0x7ffa95b04718
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2272 /prefetch:2
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:3308
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x7ff7d59e5460,0x7ff7d59e5470,0x7ff7d59e5480
    3⤵
    PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4948 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6332 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\notes.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2080
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\passwords.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:1
  2⤵
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:3624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9d533e1f93a61b94eea29bf4313b0a8e

SHA1
96c1f0811d9e2fbf408e1b7186921b855fc891db

SHA256
ae95a7d192b6dfed1a8a5611850df994c63ba2038018901d59ef4dae64b74ed3

SHA512
b10de657d0cef4255e96daa1b6ad0c99c70b16c13b8e86790ea226e37e9ded1a8f8bed1e137f976d86ebc3ea9a4b5eb67ce2f5b0200025d35dc8e94c947ff3f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fccab8a2a3330ebd702a08d6cc6c1aee

SHA1
2d0ea7fa697cb1723d240ebf3c0781ce56273cf7

SHA256
fa39b46c6f11977f5a2e6f4cd495db424063320fbac26a2eae7466e82ffeb712

SHA512
5339b52bad5dff926b66044067aa3e1a6147c389a27ebd89b0f16e1267621d7ce7af9810010bee81cba7b08c77a33ede8ef4675fe049b9fb2ed510fcaef93d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4941873e-4c4b-4332-82d4-c60e13883ade.tmp

Filesize
24KB

MD5
ed659b1d7a51e558246bd24f62fff931

SHA1
84685d6f04379c290e4261ff04e9e1879d54d42c

SHA256
23fafd9073812d5ff8b523b84bc981e4cb410bebbf3675db2b29cfac0dae9690

SHA512
1c3203328583241895db9fb165fcfd595f642e218ee3a453ab6873cbac10ddab693cd2f913bab15c8bb7b5a12c5768b3dfcb278aad754dec1fbffe66b81843cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c88ec96a590fccb9d3913bc399733035

SHA1
017d013063c71e5360a83ff8e8bdf7265180f988

SHA256
a40ea54d635b4e6964683f4560d24550a462fb08a8fce082a15bfc547e1504e2

SHA512
13a5be54a00777dfd78b7fe7a3797738fea3d0816b8f2fd7a3db257c3458416ee5ae219e15b3a48fb192e362125022393e6a69964342458823f2ee39b97db55b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
e2ce9163a495a35d810fe830f4b22b7d

SHA1
f8a731c98102bd158f1da48168da980a118e9baa

SHA256
1a81c27391be735694f28c5151c2c90292f6b98d5df019e71a11ed2a260feefc

SHA512
cb489ec02051059decef5306201e428a93c84e42a31d76b2a66eef657645cda95ec6ded46cea54cd0334928e8a788d9e73e10bf4431e9a083d4d21d3719d5fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
818B

MD5
11b83c3a3b4fa9acde3a30b2eba66478

SHA1
465df19d41ddb5306e1a2879a19a2888199356a0

SHA256
d85f3d7ff90790d7ed0df29e5452d354fe91f8da7b9325550ac05edad41ccc2e

SHA512
55cbfa0ad6dc29d702e5249ac78044100226b85b44402af22ab66cec2aa90cb5725eaba9d723225fdb47c1ea0ee3d5a4dc1409dc56ae17888785145c5aa7608f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e1d135550131f9e5eafd1b76992ed122

SHA1
9ca37199c09db9bc243b0c4aa88fcf5b51aa5943

SHA256
c394531dfa1e06fde01b824e0aefab722159010402d962486f230e940b30bb6b

SHA512
501191da2ffb7d27b9ac4b387d304d3f3b3bdefdb8f2ea87fd94f912eb8fa9fabb9775ec212f0c1193d725ac4394550cbf265569a803771e98aea13d97a7d221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6e9c0548f334471ebc90ac268e3f3ab0

SHA1
e1624df862a07ab58f015ea6bae08206989b9cf7

SHA256
370cee650504c2cb110f85fe152250851b2d5c77aa219623263e632ddcd0b637

SHA512
d1e1ee9251752af7e9b54dcf44bc9c8de918c600acedb5ab385a3d9b15fc45b9ca3d0de370daa35ecad19e65c177fbeb4e5a515a0b524196d3b883d3d7c76d0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2a15695c726aaca0fff5a87a92a41883

SHA1
fd271835387728bc10f57403093d28d5c5ef708c

SHA256
33ce61ac7571c381e972e875688c4bc7dd0ddf2a5628562f6c237d11f6ae0332

SHA512
19f2d23bc0219643fe89eecd57c6d074cb0d3453970db2b19d73943666f25a59384dc31c0055c9fbf47ce5e9b0cfba5a77d6976d39c402867e175d0ab38b287b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fc775d9f06031f9540152ca3e271081b

SHA1
aade2a034bfcac47d67da8908b7f25fdd9f49b3a

SHA256
ab2cdf3f76add37757a5342954f87472c385f7a4ca7f7aea4a062b786a485e5f

SHA512
c0f005743c802305a9cc4e2311bc763f5c8a81c516ffc9411c07caea9e2eece3667952f2c42b73adc00ddf74b7baf9a38d0349892027344233d030b152aee73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d299ae2cb1a72db85fff8bf2233a28c9

SHA1
6ea26427efa31db227ce2c71f6a4a0e2ae6155f7

SHA256
811029218e6224c64def14b681d416db8a42755e08b503ad57105a16b0eba15a

SHA512
28d7492e5f2ad8009b0180b5654524758bf64e5fffe52e03e28a947a80a8a65d19c1b36c69b266ed7ec0a4c724d9cb7ba8abefc2c717ee94e17a9ed249f30526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7ec09c7cbd7cb0b8a777b3a9e2a1892e

SHA1
3b07979e57b6c93be7d5a6cd8fa954dee91bd8dd

SHA256
a623633f34a241b0dbc9fd26f34446d716955f94e90b2ff9ac8b9df801bdae5e

SHA512
5fff0a38a3b6e4b29d402eef2650011e4d9df514e0624767c84ea31cb73cbba10c7e0b5711cb487976d637f0f60a85c431cf0db54b519411245684c116c07b7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f288733635513f6dcdbd2cfc812d6839

SHA1
ee366db03f377739056c521e50488b87ddc2e2aa

SHA256
092a107ba27959134b0fabe93093df1d696597d5b094c356301ad5505efb00c9

SHA512
318f479336fe7f6a968d373a253262e844e1994a965b40f057b53e5d3fcb22a523c0c47f18dcfda0a9d8f91fa29b942422e4f551fb600cfe6b77f2b7fca17642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a0476.TMP

Filesize
1KB

MD5
a4862b62880d1cc0934ec28a56cbca8a

SHA1
e14075badedcca296a83852750c6e2bc6011ff3b

SHA256
5f1d0b4bcdd71f8ae6b3cd1b64c08fbc8e8d20838429cb324c2e52261237696a

SHA512
d05ca4d250d74a05f75d5f4a474791f0c92bcc678dcd98d9c4ec489145b4c9423888a52c61ff35454398b17bfd210a0f85a2472da22c872c9ce0e37c2c608429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6bfcca7675e5ffd73e388c65703ee3a3

SHA1
55354ad69d84de176983dc345b14fc51fbc34f55

SHA256
48240b511a869c092e82a879ae5da4e85afa053755e077ddc2cdcb8601ee215c

SHA512
ec8a4940ff97d931744318c87ff2fd9afad2e05d2ad72b9bd15099e9d29c98a38746b1374dcbe6c0a64412aa2f1d4a45a8ff823eb840110d5ddfc840823ca827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2bed590250abfafb68a7c6b751cc0d8f

SHA1
81fe151a432c46ef6c4fb117cafa85f3d0532c9d

SHA256
98b2bafd958e983a41da58265b9bd832996866da6e384874501865fc5d2ce739

SHA512
d6439de0fc068738744de59f65d4352bc560528f3d3d6be2318dfab809b9fba48205cf7e9c8345a23745a38b4c2d93f3d351f0e3f26d7deb2a1ad2617a4f9503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
103e909e468a307b56532b875b854bb7

SHA1
15c0f81e33a33b95bd16dcbc5eb5d1b95a7a0e93

SHA256
e273f69b5f56066d7b3e03913f55f3b31064b3646d48b5bb76d8306f8dfa6b8b

SHA512
a10c348b30efc1d03ffea4443520b9af972f40be5bc00503692aee59da51f669bd2d7b6f4ca3b2511bbffbffcbfe04e5f7f8868ac11e04e4ca1dffecf1a7fbbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
3eaf2da5445673f28668729892557dd4

SHA1
5072f2b4abff5613dd488564981f4ba8412e6666

SHA256
7a8e7d5f94574a7063a10392ecbef718ce9b2ffbdc12040c28227d6645bf24cf

SHA512
05393cf0380c0c78d707d7df5954767a1add9c394f5749dda21ee17926f1a81974a6ac94e87487704552885fc978ce8de1938aeccb9a49e5b7241a0df6af3d47

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
be3e8ef6983770b5d323c505de332ae4

SHA1
a8bef2889715fbd2653657f71aa7d68bbbd79c48

SHA256
dc936bce79ff122c9c0d59920a16bd5734f6804ed436c0e023802fe47d574998

SHA512
2594f3e6ed0bb9527f3d0359c3d1edac96c903ec56278bc94c6b46c64ccf239db688a4c8d90a72b5012ca6156c6eb8208caefc16597cb54a93234d4c46e3005f

Download Submit
C:\Users\Admin\Downloads\notes.txt

Filesize
67B

MD5
bd1e6e84fe2a36c1520a2c1f08533b56

SHA1
0358085f9296482331f3ab54797415bb4ed5f4ab

SHA256
3b514590b5404a17f90ba7276198cfba7f0332f492ed431e8e99ad39231c3c1b

SHA512
dd675b63ada9fb8209408241049a406c7155adee3542e93fb8ed7bda47fccd3b559e0d27ba74e4aebd6cb0886b724d31b803321f9a38ff52223ef0f2c4c38cf5

Download Submit
C:\Users\Admin\Downloads\passwords.txt

Filesize
178B

MD5
f0f572d18f8fab2998f9eb1cffc6d980

SHA1
005f5876ccf90d1684eb8b7e72114c44131ee062

SHA256
f9c611d51086b4222bc9115a5eb6ebf5c73b9bffeb90f1eac9436cab62643b1d

SHA512
c797175e69b371748c7440287b30224b727d4ab0ae944256b118f34b4a4ffe2f8264578a24afa5c8da4a145ad09c07a6b96c515f0c6f82eb393de575aa713235

Download Submit