8fffc4d5eed4697ed0aaa0e46f9ecdff311a47ffdc5642c8cb21423f83315fdb

Analysis

max time kernel
971s
max time network
975s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2025, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kvaa.jpg
Size

164KB
MD5

ffaf2136b0bfd6e6ce0b28f72978c909
SHA1

ba34b8ef21b1d3f93c1efc0e3f0735aa0e862ba7
SHA256

8fffc4d5eed4697ed0aaa0e46f9ecdff311a47ffdc5642c8cb21423f83315fdb
SHA512

c2b13d1bcf566e2affcba3a8ec34ffd8b3ce4c683fe01545d1f00ae8231f108fd56df754f0690c696775ce31000d643c39cf4dfa8ebc8a2218c33be356884925
SSDEEP

3072:1p19Dw/4Ph7rSnIpoddd7uRKJ6EX99bXKNVFEKeiM4TftdWlSsS3KHZ3N/8yAXoY:1Nauh7Boddd7uRKgEX99jbKeilTLWlSz

Score

5^/10

microsoft discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3442511616-637977696-3186306149-1000\{E5BDFCC9-ABA3-4004-B2C8-A711E1B1D06C}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3384	msedge.exe
3384	msedge.exe
1444	msedge.exe
1444	msedge.exe
1828	identity_helper.exe
1828	identity_helper.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
1500	msedge.exe
2808	msedge.exe
2808	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1188	1444	msedge.exe	92
PID 1444 wrote to memory of 1188	1444	msedge.exe	92
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3664	1444	msedge.exe	94
PID 1444 wrote to memory of 3384	1444	msedge.exe	95
PID 1444 wrote to memory of 3384	1444	msedge.exe	95
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96
PID 1444 wrote to memory of 4604	1444	msedge.exe	96

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Kvaa.jpg
1⤵
PID:3380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9a07f46f8,0x7ff9a07f4708,0x7ff9a07f4718
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6108 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6216 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17373698201990247971,11150808296862751953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\496146a3-8732-4ad9-bb19-37b5a71a40ea.tmp

Filesize
7KB

MD5
1b155bc90ff0d930237ce1946f7520cd

SHA1
f97f712f0731aedba689a48efb43d2267276f04b

SHA256
bc7ae830dc77176e10cdcf8929975bd5cd9f3f3cbccc4bbaf9c9a27be871185a

SHA512
28a459b68027ca91930021d590303bc0f47db1323d5874850f257014b2d4d321b43574498d5267884519fbd3d68990ac861f039263f8608f0bbeb1f2a221393b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
16KB

MD5
12e3dac858061d088023b2bd48e2fa96

SHA1
e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5

SHA256
90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21

SHA512
c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
00ec525b4898969de6440956eeda86f7

SHA1
368132c757cc0eba3bac191da0559ca7e612c473

SHA256
266aec513d705f86874133717ba1fc6372f8ac4c4a688f83842961be479c7233

SHA512
ac9b0441470dfc9aea9eee2ba16c6ce15b45908977a595b160226eb5c6210c76440b84c9048eda8b592e53d57958e0c8e4a356a0030454c236ae818aec3a0c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9fa3a28d5b12f425988e8d98ab45b815

SHA1
59f26a63615c5dbcc49b365b3ad42c57c79131dc

SHA256
0c070416e0effdacb6eb5a81abeeea4ee5be9fbb89ca9d01dc480c68de57a40b

SHA512
4248e15923e62c8daf0983f08f4f3dadf4eac0c13208587e8ea40578fb7a56bfc48955b317fc4874c093856e56fad7a0abe0d7c8160dbf68683daf2892f672b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
11d5e77ed8066fc580541468de2026d3

SHA1
ca316dad8942d8c1d422cde6e76c386bc5d61012

SHA256
b778af2afe16913c5b6554e4e4e6013b4f168be3bb2ad3a4badd6aae36383a8d

SHA512
309043d9de2566a4f1adcfa906a63d251dc10796a7357106f78247631f140ad4e22c17fb99bf5d383909e336aefcf374fc3f468bcad5afb7fd6b68252594ad28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7e040c625197669f9f0dab1abe7dde58

SHA1
a9c752a0006ab9b8bef69e0766642ad48a44c671

SHA256
79e0ec810708f1959f0d6f3211b3ae7f211f40875298fdd9c57f462a481b90d7

SHA512
4f0a39b6882c5f64695c334d61cbe9a856dc3c823d1558d545a7f999382645cc04e2c615af0cf568077b31892cb86563e2dc9e0b2e4a0d5858e7e2f4915c5d27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0a232c0e4bbbe8bc407974a4915311e7

SHA1
eb832bf047fb6ef2dde89780a6ca98192975aea1

SHA256
d0180f9a253492a0a62191f503fe4f54235983d3034df3d34f0332a8be7a28ea

SHA512
8153204d49095fde4309005d75ce5df6761846f72e800a093895ca29445c9efed5a338987660279db2236931e168a1af31ceb73146c7e654ff6fda01dd839780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c02397c59f921d3efa5d7d5114b2e8c2

SHA1
1f4ab4b61ec9add73dc54dd7708a8b084b33754b

SHA256
3b932cfcc4b34aac06bc4d75b88fcdb5e9bc6b08d3d5c1323dddc7c19f98129d

SHA512
f0c0066b5cbec02a9393fd1d79b78d0a1ca4340fa80af2b5a1295a478f23e7900655a58b180e95536faaa143be5206e57a9337dfa8ce0a5cb041217873eccde6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ae3e556103d6cf081692e035aae16c5b

SHA1
9d03e0c026b46b5951f0a3ec5073d1b38894d09d

SHA256
1afa39018dc764033b3b02e577328bd9ad6c16b9191487b4d0545146b349f9f0

SHA512
be2d629dfc51d9b999d777358dd9d5ca94a879e3f1edd21d80b53456a1e36b0555ff9a516d3e00c318020bcce54760edc9b56d2338e05e326a830039b7c1ab90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8ce9365a5efe332d559bf04224aa6782

SHA1
c7d912473bdfb922552da85d445c0b3b9b1150a9

SHA256
233b8fe154e6699fef423286549fdfade9733a28b053069d21e3ad70b6d7c31e

SHA512
0ac9aff05521188451f6b985740930d403790fa59539b5b505142c8d87fb476e95f85ce3229630f014296533612989161e84fd5f710c538a28985a7ed0f90219

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
424e44c93cab2bd3fe6766451615ebf8

SHA1
afe9a67bd059aa3130827c0178209f24b8a106c6

SHA256
24dc26ab2ea2460b56fc9dfaa13c1eea4944bf23800a6dc0c0e819b96cd6a502

SHA512
ffce9b3a6d5e6f358a5649c671514ac81025f32762f9c5b344e3784d4360483d3167392075a111a36ffc1d4465e247cbc8e2e31463f923264a70378125bb51b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
481995654694a9eea65170ae7121953a

SHA1
bac997747b45c6154b30971c6fab32ea321dfe64

SHA256
4d7449313f30adf19a87f38290a56702a37aab0a6489f1cb34c28ac12b8a7469

SHA512
4c9406eee5bfdbe081aa23e0f3c20716a13ec51aa07d9949dc00eb821389ab8a141586b1af48cfdbae700c6b9622925f721e76cfd3171c2a24f2c1071e317174

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
58bb9ae8bad35f836dfa6f84d4f7fe36

SHA1
4877e4e693571736800b248beb3d5ba918ae36b0

SHA256
a1599e6eddb3663e8262b5a2207d4f089b72e647d93e5aefe6158217331a2f8f

SHA512
53872506149c25c29f9edcbf9310c38e5286c130de95d87dbcd260bd9d8a125ea4415928b85b9d87b05fdaef647c2d4392103ec1139caa326aa72cba9273ec92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ddff51dbdebd034169c9ea45b31ea0ad

SHA1
bf31850ce66c2988d58283e306a4f5d922fb5b3f

SHA256
810b26a6f002db1697e4c8d325f9956159a1a4b45d23e20e14738ed83014e4c2

SHA512
2bdac02a272d94aed4c814fda91712205f403e53593995358c670dd7f2c0c38bb971beb3b9752f60c9e2bca9672784ac985c407526326f57baf9b98090038ee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e1bd06513eb0d820f83225f1bdaed4d8

SHA1
d450c5712721952f0670dc0106643d60eac5aea7

SHA256
265148bf8e3eb3021a482a3a86c991f05a0be3b9045218c7a37bdaf77bcf2b4e

SHA512
7f047342ab2cabffd5cb371b633c807ed77f0441851f4a7ad21d81c8705b7e0e3aa865f1a786280731404be13ba85a0f692fe7ad5427f8ec60dd5883a65ba201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
05d14ac0d816e3c0a7a82fb143854ea5

SHA1
d2d2ee6ade56827bc7b08b2a42c13f8e8c53305d

SHA256
c3d5166c2438d8817cd6501d1d470a22c8e33177a092ccc8a6af7bd9d6058812

SHA512
13f24d14eb7f6c3420603befd1436f30443797f4f48074be89ed4f9e8e74b69b4d777d53eed98700e8585abd4fe6345c9c0b9ab629f05756acd7a1a284de4572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ef5100fd214e311a01b51e700acd56ff

SHA1
495ff33e1a3e4177e2f79d943b5de5d46b379e5e

SHA256
d81c66550ce9589e28b2f475b006cc4b0b42964e6a9400530c6b7891bff41d89

SHA512
bd3b1b6d06a44954d8a56ea54e99e8ab37f6a4ba30d341104d7d5c79564c1b5e9fe25062ed3890cb06bf225d2fabc9a57b37076a75b38c7155e89a77bbad4865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c518e7c630b9b60db1632f53151a9a17

SHA1
e0bc0bec2a7f9855e0043f0eb94e564dd1cd9d3f

SHA256
e05fa1c81ba5a0fdb67de69fe7f4f2b04a0c173369c0a87ad1e2443ed6742c1a

SHA512
c432bc0e28ae2d1f957e07c3c610d6ac7b50abbc5ddd101a2dfd3f21fe68ff297403c6e22e7a8e56022b728b76a493937fe33af8a65c8eb58dfe410d46aa19b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5829da.TMP

Filesize
1KB

MD5
186b7b4781b883c4296c6677ce446e9d

SHA1
db8873cd1dc1d38e614ef7a93907982a0c850cea

SHA256
8200d0ba13bd872c87e00c405713c70ef10713e9edcd46bc457a5bc84113b6c3

SHA512
212477a78d41cbe931c2ff86babaeddd2110cf6173583981d6095b3fb775a754f3cf153b6c981a3237b76e67b3bd6bd57827bb87efa12f3e5e175f7230b24371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\da4faf8e-cefc-45f9-92d1-acd65f34b90c.tmp

Filesize
7KB

MD5
05d5404fc264748e0121ab017e0f6621

SHA1
90573753c86fc36b5d33a8a5996cbab18d05f21f

SHA256
535ef68ae41523b4d6aa06d67997fc280d0d208c41eacd718deec6c9ad9e8209

SHA512
8334f9c6d6b8fe83ba35c6569c37c6e7973db5d59a3a14ad64751f1c24ec81e59430edf47e63570b758bda9b4a90ced27b4912c68a44e7a04e8992102185179d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1fa846c0eaa5984e599da473dad9782a

SHA1
f2729ecd12b35cd2862a0c4e6021344603b3bca2

SHA256
4ff7ad7e1b8469dc65ba99df77765d60cf585b8df5f9781cb6ba6ced7468a099

SHA512
21c422343fc5543596725b59cc1b70a745efda6adfa0052a7a7695fe2c7b956316aa328064c8f3ffa377131de277bed8039a6b51304500d8f7558327a008da18

Download Submit