hxxps://d1[.]convertcart[.]com/event/v4/click?url=hxxps://1drv[.]ms/f/c/e2bbf129165fed31/EommHLtTGf5KvzbC6l6rWrABt3yIRZKqAnhLlMgPolnSLA?e=38NgdI

Analysis

max time kernel
169s
max time network
169s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-01-2025 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://d1.convertcart.com/event/v4/click?url=https://1drv.ms/f/c/e2bbf129165fed31/EommHLtTGf5KvzbC6l6rWrABt3yIRZKqAnhLlMgPolnSLA?e=38NgdI

Score

7^/10

microsoft discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing
Detected potential entity reuse from brand MICROSOFT.
phishing microsoft
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2528	msedge.exe
2528	msedge.exe
3540	msedge.exe
3540	msedge.exe
460	msedge.exe
460	msedge.exe
568	identity_helper.exe
568	identity_helper.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1476	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 4380	3540	msedge.exe	77
PID 3540 wrote to memory of 4380	3540	msedge.exe	77
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 4128	3540	msedge.exe	78
PID 3540 wrote to memory of 2528	3540	msedge.exe	79
PID 3540 wrote to memory of 2528	3540	msedge.exe	79
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80
PID 3540 wrote to memory of 1124	3540	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://d1.convertcart.com/event/v4/click?url=https://1drv.ms/f/c/e2bbf129165fed31/EommHLtTGf5KvzbC6l6rWrABt3yIRZKqAnhLlMgPolnSLA?e=38NgdI
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd0c4e3cb8,0x7ffd0c4e3cc8,0x7ffd0c4e3cd8
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1160 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7152 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1796,5509979077651774373,17567100422747688701,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6552 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3564

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
637KB

MD5
e59a09374c7d5cf9f06823985e1a3307

SHA1
b4d7a064cd02ad1fc2f7c5ebd68a43cf4a42c8e3

SHA256
a618d732560700318c8dbb7a1772f2a4094c13dece4dcdbe2c9d35c9d6d36cf5

SHA512
ac04f60b2196012bfa946b213f4aa701ef9932436e1f286b2ae1dc16bc7d3f59b34f6a1b012b80c0d2343e43e4e5399d16880d825a4262d57e0bcde819781709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
489KB

MD5
26957e0e3f8646f293098396df0ea6c7

SHA1
cad519cb962fdc0b189b500ddb9367f9726825bb

SHA256
a2666e1376e366a838c3a27dc8722513171b92d663f9cb20b8e5613ccb1635de

SHA512
9231a39d9c663ea89a68bcb73595e40023f7f5988842cc2b124ac394a7e2b17f23e1462f68652726189971f6a9f44c4275b13789d363d7bd6258a870d69b372f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
175KB

MD5
7107c752f3901d95bdc4e9d46ac2b6d8

SHA1
747a0d933dc2ef38a98fa11a44ba661ec6a5eae3

SHA256
c4a5ecaf090da5f8115afcf0d4b723810054ecf3de31acc5ea6d48f9eb2d4111

SHA512
71d4ff3fa6c9a902b299302109d034d4610ac8a31ace170f09a3f66bd0d1259c41361fc29f2205fec6eb49995ffc73563399a6ccc536b8412bf1064485caabd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
159KB

MD5
78450fe21afa3391dc4dc62d5f1e09f2

SHA1
8aed39e81b26f10dd32c5b131eb7493d6d41b06a

SHA256
4903f015531ad7a745aa8c5155780c51adba6e0f671607c3fa1447795f33b794

SHA512
46db3beebdbfc0ae2b4e6d8f015e0f122851cf57662d5f445e2c4cd4f7ca2097690a610247e08f789685411d75b018cc35bc0a679b4dcf9e68c9fa164f347256

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
165KB

MD5
34049e45a502035c1ee78f0b0967588e

SHA1
dd604c54963f4ae0cb4cc1c6890b66822a6d7b82

SHA256
a84c114bbb185448de945b27fca0b6ee207f4801505e3046f35db050f4720eaf

SHA512
07b046af74583dc5ccb2dd1a636042b36dd4ee50aa6e7a3871cc26bec7aee823dcb2ef8bae3f465a374b04ae92b8cfb90f41ad3a76a0d2db1b6ca764d8eb204c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
142KB

MD5
d1e0216a2cc3db1dd95ad3230a39a0ca

SHA1
a629d848286dcdb6876631bdd3bfd7dc6e05422d

SHA256
b41f67ebf201d922b8668a628078e11dbece1fdf875d1df93495c3ba3cd31372

SHA512
50f8b14adf524175f2867c7e198c71f78a5b9a1c2447229a418c382519299820ea1f0dc77af121c58ea116e2cfb4163b62c961cdb7091fcc4e9691d6135f3883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
43KB

MD5
820f40594a0e8d5f9d58546208aa9060

SHA1
e17ed5116a34c432013a244c979ac9da53829d74

SHA256
f8f708049e1e1609af3959cd21eaf313c8192d3e962887a7a2e1f9b353d3fc80

SHA512
95879b255a90ccdc41c8696bf7aa05796db56528fc4be78f2d13eb2233740ac8cf0f92bdeaa169ebc5c745f3e76ee9fc67d2626160b9e01c5f5a19b8cbea605f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
19KB

MD5
3ba4d76a17add0a6c34ee696f28c8541

SHA1
5e8a4b8334539a7eab798a7799f6e232016cb263

SHA256
17d6ff63dd857a72f37292b5906b40dc087ea27d7b1defcfa6dd1ba82aea0b59

SHA512
8da16a9759bb68a6b408f9f274b882abb3ee7ba19f888448e495b721094bdb2ce5664e9a26bae306a00491235eb94c143e53f618ccd6d50307c3c7f2ef1b4455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
672KB

MD5
3e89ae909c6a8d8c56396830471f3373

SHA1
2632f95a5be7e4c589402bf76e800a8151cd036b

SHA256
6665ca6a09f770c6679556eb86cf4234c8bdb0271049620e03199b34b4a16099

SHA512
e7dbe4e95d58f48a0c8e3ed1f489dcf8fbf39c3db27889813b43ee95454deca2816ac1e195e61a844cc9351e04f97afa271b37cab3fc522809ce2be85cc1b8f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037

Filesize
17KB

MD5
7916a894ebde7d29c2cc29b267f1299f

SHA1
78345ca08f9e2c3c2cc9b318950791b349211296

SHA256
d8f5ab3e00202fd3b45be1acd95d677b137064001e171bc79b06826d98f1e1d3

SHA512
2180abe47fbf76e2e0608ab3a4659c1b7ab027004298d81960dc575cc2e912ecca8c131c6413ebbf46d2aaa90e392eb00e37aed7a79cdc0ac71ba78d828a84c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

Filesize
16KB

MD5
12e3dac858061d088023b2bd48e2fa96

SHA1
e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5

SHA256
90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21

SHA512
c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
60c222a9404ee4e4c3dc4d1c55ffcafc

SHA1
c5d934928af77a4607f8b518880fdc3e0978e88d

SHA256
a16d5637a89e70584cf5e6818df9915e9aa716729aaaae0870ab153e1988dbbb

SHA512
d19732952c007eadf3bea3b46afbe7164bd608e349cfa83b1ab8f9a5ff2a3815f07366da0fc05c22df50b77d16c88b0b76b747a9b163b69428a40f4608c15e15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bed172512582929cfcab5c49615f0775

SHA1
8b98bf85ecd27a5408d1ade777cb32285cb3ed01

SHA256
b42169ff0882977a9b4d7991cf7a2f547ddddfd2ca3007705eb9adf4436efb7e

SHA512
3e461f311df853b24bf3d7b89d55eb1f5fa9f0c5cd90a13fda9a6285f2bc95e57a49a053f524a253949aaa4262933c331f6122658b51d2a5adf92ec3d611de0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c20cd78c89e5d724962aff5b4245dd30

SHA1
f4eb8e22d46937583dafcbf7127eff25865beef6

SHA256
d6743f06a34770b9672c41eaf65ce6338b3b9b9d70b2b54c29af2c7a2ed63169

SHA512
26d641a79928370752f938ff8730d4aa857ce391f03a6076f078615077ff9a2ecb273d01b03261d7b79bd3351f034c3cd5515eee5e92094521014c0ac31fd78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
114a70ab5ca9636830688c1d8e0c586b

SHA1
18447329712e02543d9699f25c99ad08c4a4e92d

SHA256
19d1efe963ef89f891e2bb4018afca45d1377fa537030a138a58287fb584e11e

SHA512
5611fa9035906f4a11f5068ffd24c850c9a503b4dfaa1f0518a51990429a05245a45ecc56804a237bf62bfbe5dfae027988f7d730a76286de24c1c3a695a3618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d4960e16124bfa3e1d3a5a22948888c0

SHA1
74798d9c3729b5101058a659ce667b8cefb5edbb

SHA256
1ad0a86174a78033ee30d633e0516ba22eb2993fe116f2eab7b048a6a2d6615d

SHA512
291d9df3206798d40a55c96af1785cdf46512c6bb1aa82294fd75aa4bd89e729535275995fd69a66697b5f4e7e8d738017e859108e84426417853d22e8c1a6e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
436cc87b78300b9d5b8a0f5f050d7c71

SHA1
336a01fd57cb03551a4ff3d7cc10376065b018bc

SHA256
cd0128e8e3aec7802715422eb306a23d029a1937e31e170f3d4af6189fba667d

SHA512
de51d013ee72800158c8b1f813d4ba002587a616dfe85f5bce2bf1a2c42d1ea4eb58bcb88f286aae0079b55732b484bd9afe1e64f11036a9b37340edf8e25c7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a7b28de38e0bffb7846c7e136b33ef82

SHA1
bcc535fa87a77225164157222ef5d4237da36788

SHA256
871423de162fe1838f6dfcda2b8e9ec56030510cbf58b201acffa3c8aad23a26

SHA512
d0510c9de423323488874a9b55d599f24fe7cd73ec23f67d7dc251d68655fdaa5046f1d7a37323f0fd215bfd65365398bb29c7b85e679ca3a7fd78eebe13e7c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f832e7af8c7c5d9837706419e8a9b85

SHA1
ec3788b4dc4d50f6d083fb90730a5d55d9d8aeaf

SHA256
fe5e9d30fba689f00fe7add3ac5e6cd3fe3a70ae564261245cdfd42b8442e040

SHA512
fa53741567d06290b4bcd5746b423fda61e3ed3a77d1f2efe76a21a3d9193ba653568d136396ec77033a13c288b50ee556d1adbdc1804caa3182003b16181d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cdbef1ac8bd002bb8898b76e382e6ee3

SHA1
7332b00ea3e25358d2f37f6d5525530b8833920d

SHA256
3f87627ffa3fd23ef27f8010f633b5291bb6021715b23da2e22f61c8bddeba66

SHA512
c333cd58e5fe826a3b4a37d51567268c1637e261f03ecdc5a0ceae6277b62627805bdc68b4be9145f4e0e9ce54cbdeb4ce65fd90261a44e8aa01ac012cf9e0da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
de2bc72c70c69f0e3ec1914b4b11ad97

SHA1
b57ab3465e72ab5bb3767eab1b598593b4dc6ee7

SHA256
f93fdffeba59e8ad8dd479186b50b7af89897c14d1039dfb20e44ef2fb861333

SHA512
4c9eba04f036c47e4fce7efb8f8e2e04522d2010d0f1046f4bdbab2e6064174d8200519795006a1e32750c0e82ba4d8fcf8b156081c2ccf6ed397a5240ba6385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9754b856ea3161ace11916fc8225e835

SHA1
aad3ca7291d2f13d8d3df352392f77bc549baf36

SHA256
d93fdb146ccf99bcf37ec9d839f260bc46227de1117f51ecd13090c0aa678600

SHA512
ddbd9af926cc1be33df1c46525ce4c46776a31506d9d8f679175d98b48fefee87b744307d92c98098138aee17e00b1c19169f721de935c090112a05305e1b0bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
06870792daa65bda3ceb34de93bd4edc

SHA1
381946fccfae35e720320544d1ab77fb650948f6

SHA256
9d17f025f7c43fb2e195c7a8b177017564c6729601612f26b8a71508e65a6573

SHA512
63a6f2e2e9e95e18991d45b2e5e73fc0d65e4818844278eac927c66dcac8d5867b7f1fbb1cd6b7f94d179e21094c83327b616164639d286577e65847732383ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5c6216c9e58d603e0ed9cda6c04b76a3

SHA1
efcdd3355edf05d2758429de8824107dc5bed97d

SHA256
59ed3ea589cbb18a92fe6afc031957121728a8ef8f2deba907b79b56de0f56c5

SHA512
20c0d1f9cd92e822fba396b742d83ba711a19656471f3c74756fe52a926a0f33411a9bc1416f7a02e4a4c5820224ced6ee05884954ae21720edc07740196993f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8049d45b78c2768c4f4a1591d33a992b

SHA1
33117f62f3d72bca6f769f72583e3f3b7cac3f09

SHA256
969189d357eca8923bfaeb3e88ad1c128e4e688b8b819798d52e37c64d1696dd

SHA512
b6618b99679707feffe6599cdc5195293cff4af974bb136497e1b0646c688343808d0f2d5a2ee45ff4531df7abf7ceba149ed96740dee82060a5cf180998f926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4dfbe2d3a8be30cadba44c097172290d

SHA1
05fc2bbeb9e07efc1bd392b0d3c8d01f7a9a8f32

SHA256
7d650201076d5918fa7f898799a129799367d35358d51cc38f3520321ff6d79d

SHA512
a859d7deae18eece671209e88d24c1596c45241b91290028e7fe40b4daf142da114d723aabb604dcc1362ae4da1ef7180b57be19b296b7aa851de878a7ea3d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0662a60cff6e0206ba0951fe48adf22e

SHA1
26ef5157b91311f44b83cea87fe59d5e36c84b0e

SHA256
a6f9ed695c5890157d51aefcf033b7a7128d2fe830d1bca2451f1dac58c79d86

SHA512
860c3e07dd59dcac495de096f4f5ff5298814fa4b3b6e4802555a292344fe69c2c944283bc8dc4b2a497bd531dd57b052a3772b6bec3f0bece12a36cc9d05e73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9518910976a48c9de35a7c32d0403c5c

SHA1
1586f2470081959619f504a4db07a17ef3b0b640

SHA256
20f76e3a95b425f7b9997235f309cc99fe90e85e5b7e30988a06aa86737931ba

SHA512
a4c5780b8caa87294b9f933c3cd98f061b08161d16cf6fc62a9578ff9f05f91bdbe6046f32586031e4523fd3e039ec2c5f1c352acb7a058bd1ebffd536d4fba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c14c.TMP

Filesize
1KB

MD5
bd50ec3c2bfd84fccb602224754f17a2

SHA1
efe6fa1d883e6cb28b818689abd77cf91ef89a4f

SHA256
2a195586f05361cfa4a37479965e846131abaf607a37685cf2e36ebd4da56406

SHA512
63e1f52b52678b6b1b75c4b030fc314540e12ecf4dc2eb8606c9fa64b062299fc8f177e4e53da3a27423f0c6aeed5f973ec5993e784ccac5fa4a1fc49f06acda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
34ff87362f3cb240f7cc16dd75f89020

SHA1
689ffc58b1ae735f90876bc2fd7cc9292afbf0e2

SHA256
c2ccd1185fe386b61ece8e9c34185635c225e1f25bdbf7e298e05a1428527683

SHA512
2e3ea1109704630a796174d242a12674f33c840ce16d8937fdd028b4746c68821f3fcfe0a5a156054ed47c49835e5bacf5c0b4cf450d29c0b38ba0167e91980e

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
711f1a880c08e1f7867f1bdd117320b7

SHA1
50c2d0859f6fd41024d486e2ab537507b975991d

SHA256
f868e98aa21c341e365d73e301d87c006b557033d8d7b2808fed207734fe5143

SHA512
885c2abd9047727b33ea760836cbbe4eaf5fddc08375a8b37840c99332131f0f7164f87c0abeb4523f42262349ab12a1c22c12813a9d81d6955c7d20b41a9a0a

Download Submit