e6aa31e3da43f05be1f777d5f562a0f4518bd859b92284039272d5de893c5457

Analysis

max time kernel
75s
max time network
72s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
02-01-2025 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

README.txt
Size

2KB
MD5

beb5e48f88284fea2f47e6d0e42e4bfe
SHA1

0935110d5273eebd136057c03463e7b761b72be5
SHA256

e6aa31e3da43f05be1f777d5f562a0f4518bd859b92284039272d5de893c5457
SHA512

51b3040f668cb90855489407c4c35d558e2f63722d835e4c505991f738ee92e1f49d68cc83e1b7d33a1e0bc46c0eb971eee39e2c002bef8740480637e838c056

Score

10^/10

microsoft discovery phishing product:outlook

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4988	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1784	msedge.exe
1784	msedge.exe
4972	msedge.exe
4972	msedge.exe
1700	msedge.exe
1700	msedge.exe
1744	identity_helper.exe
1744	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 4988	4956	cmd.exe	78
PID 4956 wrote to memory of 4988	4956	cmd.exe	78
PID 4972 wrote to memory of 1088	4972	msedge.exe	82
PID 4972 wrote to memory of 1088	4972	msedge.exe	82
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 4264	4972	msedge.exe	83
PID 4972 wrote to memory of 1784	4972	msedge.exe	84
PID 4972 wrote to memory of 1784	4972	msedge.exe	84
PID 4972 wrote to memory of 2664	4972	msedge.exe	85
PID 4972 wrote to memory of 2664	4972	msedge.exe	85
PID 4972 wrote to memory of 2664	4972	msedge.exe	85
PID 4972 wrote to memory of 2664	4972	msedge.exe	85
PID 4972 wrote to memory of 2664	4972	msedge.exe	85
PID 4972 wrote to memory of 2664	4972	msedge.exe	85
PID 4972 wrote to memory of 2664	4972	msedge.exe	85
PID 4972 wrote to memory of 2664	4972	msedge.exe	85
PID 4972 wrote to memory of 2664	4972	msedge.exe	85
PID 4972 wrote to memory of 2664	4972	msedge.exe	85
PID 4972 wrote to memory of 2664	4972	msedge.exe	85
PID 4972 wrote to memory of 2664	4972	msedge.exe	85
PID 4972 wrote to memory of 2664	4972	msedge.exe	85
PID 4972 wrote to memory of 2664	4972	msedge.exe	85
PID 4972 wrote to memory of 2664	4972	msedge.exe	85
PID 4972 wrote to memory of 2664	4972	msedge.exe	85
PID 4972 wrote to memory of 2664	4972	msedge.exe	85
PID 4972 wrote to memory of 2664	4972	msedge.exe	85

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\README.txt
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\README.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff88ba43cb8,0x7ff88ba43cc8,0x7ff88ba43cd8
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1660 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3433965075404407431,14803360099119960280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:5072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
1c9d1ef0b348a016393e3a5615958887

SHA1
22286c37a78b043397140a31053129ff8356b57d

SHA256
e043059a9907e41e246eeb77bf2f510e416cd5d9c003effea3f3c9d9f63ad750

SHA512
7580a8d606dce21da1681ee4a2dc9ddf7f00c03449e8acfcc744cd9af416e0ff0cd91ef7b2af821af0ff4504cd2622a51ceb837fbafd65762f6da4d1287a074a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9d67964491fb9e07da2e9caac35520d9

SHA1
917212914c8f3bf1abf97b3d9c82f071af9a9758

SHA256
09c065f1ff74bd74a04202baaf63fca8b8fb09ff909d1098c0bd80081826d5f1

SHA512
0fb1552a0719f1e3cdb775652cddbeadf39aaa06bc2c5d5d700bd52e21f455a06813be287abcb263fc903c9fc89d00d7a71f75cdf3038f08cf43b8e8a61aa48a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d96f5dc2595535f6e81e5c4f72d564ff

SHA1
d15fdff546372c6ece1fbef9483834e7f28036f5

SHA256
02fa9be7dc57fb3190e9cb96e8cbf103192c3310dc90252518ccc28074cc4dcf

SHA512
9a031a058afb0f2179b5e1218755a007b5277e51d04c27674462d21ab698848afc4b3af685780786181e1107f289f475b7f15386a9c775e6b8121ed6819182d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
734754b140a1473d21d51b72d7af086d

SHA1
0ea778ef63b3fbf2e9584a8ab1bf78cb85a93ce1

SHA256
b2e4573afe61453438d42964730bd5a25f4c616985da706873ea75bada450bff

SHA512
32ce3f6890aadb6c4caa660a5df0816a57912242923d59f81dcf785f65aaef4b318aee565ff022c8c54b46033cd9a30d733ba7cc651a76f023375f298e1d5d96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
12c57b14917e750898465a48a29215d6

SHA1
958d5a06b88356b2d8d2595d241f4d4a291f7bc1

SHA256
7f99eb10364bd1bc179834e43d7cbc51a1c25befc4d7e3230231c62df1d4fd25

SHA512
0f0d658dc3fc700c195c857d4f86975d43d3c148135e20fbb1676f26f796ebc74f7824c5330250661895b8b492134ea2fa6055e7cadfeafc071819c1f9418889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
85ab8ca6b0cb76b1923f90c429732503

SHA1
56061ab1aeb5fb10fcfde469d3ccf3f6cce030cd

SHA256
87533f6d5a02c1567a3c47595e8df5734442a785cab8aa6eb643dffd54dd9806

SHA512
2939e58d5dfe1c5a4f324e65d089f52361d480eec7de71f0ac3c0c9e880a23deca1862d05e54c8fdbeebd30b764d95157d52b726fc64a6a31db65a8fd84eac38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
63ee56b008c01737abf714db53fc374c

SHA1
452cacac1e3de1dbf22abafd306709607366f8ba

SHA256
8c42d44fb7b953abcc53dff5b9a3b0acd014e2d4beb92c034f0ff1c387ed1d11

SHA512
11dcc7458df060facd6d59bc23cd94b95a3184fbb08dd723cebeab0753f4c3855aba8eec0b51411072b30a0a005e56618da550b66f9eb230fd6b29199caf5af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4356c5b25b9bfd993c26761a4b0496b9

SHA1
abb3dca44c18ab191f498fa09d124b17bd6d8041

SHA256
a2942c945384a67962a16d7dabe690250f1c8e852e54c19f3d2c6ccfbdfe7371

SHA512
e65fa1eba6a5fca0d7be1f58e1a2c9a46443d090916fd2839cdadf26d1a620a3f562af1e3ee4eab0a6cedb384d719155b41e64abcfc06af8930537c56807c4bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587049.TMP

Filesize
1KB

MD5
735570800f1821ea6883a81935a2500a

SHA1
2ea5b4e9d543e231965ac49f1e028272cb6bdf29

SHA256
2ecce8e1d4dc39cb8126f752cc114befdaef6f85c4977e372ce3bde9d4483534

SHA512
aaa8039f572af94efb6f39bda932cffdeb9eeab8d584867d49f4191e112a452e9bb1c46911bf54593c617ffa229f1e44b7215a8278619a4469d95dcad5b7466a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
69df2d9f05a8653e18ddec7e3c86b6b2

SHA1
3a7c6a90550dff04fbff2341d1471c5a6b2fee89

SHA256
b8334f1a99135ab0675dfa15f3b47e612d50893e41735e31de87aec23e7137ac

SHA512
9225fa5fc5f316811012e9f98804f9cec2186a7f08e77482ebce89db0132638348b4445280b79579e7c0cb50a3cf51174ce708cb2237419ba2ccd4540fc9684e

Download Submit