hxxps://firstmail[.]ltd/

Resubmissions

19/01/2025, 17:23

250119-vymwhaxphz 7

19/01/2025, 17:21

19/01/2025, 17:08

19/01/2025, 17:02

19/01/2025, 17:00

Analysis

max time kernel
263s
max time network
269s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2025, 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://firstmail.ltd/

Score

10^/10

google discovery phishing

Malware Config

Signatures

Detected google phishing page
phishing google
A potential corporate email address has been identified in the URL: [email protected]
phishing
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3352	msedge.exe
3352	msedge.exe
4664	msedge.exe
4664	msedge.exe
3516	identity_helper.exe
3516	identity_helper.exe
3464	msedge.exe
4952	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1504	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1504	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 4696	4664	msedge.exe	84
PID 4664 wrote to memory of 4696	4664	msedge.exe	84
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 4860	4664	msedge.exe	85
PID 4664 wrote to memory of 3352	4664	msedge.exe	86
PID 4664 wrote to memory of 3352	4664	msedge.exe	86
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87
PID 4664 wrote to memory of 2308	4664	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://firstmail.ltd/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa048146f8,0x7ffa04814708,0x7ffa04814718
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5980 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=904 /prefetch:1
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17640439248677746968,16605350048642166569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:4956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2108

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x4d8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4bce29b2dbf47d14ad35a68427937df6

SHA1
eb52e25c8f8d74b20eac326338019eb78fa36b4c

SHA256
749eea1c892bfde5f365ca9e61fadc5ed14318883c4b62fb954cda2a59df104d

SHA512
806429b582a4ba6f7bc8c322fe61f33c94550bba7e6b01fcd46f67f626468b12e65b615283b9938b2197a3d2f48bc2b250c0b72aa36d3a4b8a8f6b9fa038699b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
b50f03c6a0cc516e9e583f4c9cac8b8f

SHA1
2174d78e67e51d068b304c8dba9e3e9e77a01797

SHA256
0ea59e6acdaea95d1423799461a3bc72260b78350456922586fcfdf988af5d52

SHA512
c81f56e7741dc7d52eac743069ba843ff5a7ceb4a10ae18c80cc3c7e4d35db188b8dc215cfa1676f18df7ec1288fb9e75db5318a6915f09271b2764265d283a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
713a9e7ed7ad3b5174a0dc0ce46986bd

SHA1
480e781ee6e23e609e5c76bf34a5cff96d259d68

SHA256
064df19e9b59dd0b220fba490c9f3c4761e29de7b337142eb3fce4df6ec072d4

SHA512
6acd62e60014cfc4877247daa8b363906b6350a528c661629988daa678165e49689cb8c7a25da49884a0da3c538d671ae0fe520e40181356170ab1cc7f1c667a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2dda09e17bb6e190fdef8763d32a1543

SHA1
4d83387c6839d8558b56fc15d0943575d6794281

SHA256
731e89944925dd149b02ded038c94bbc2d3cd18e7c960a0c9e498cc544c4fb2b

SHA512
5fc297c8248dec6a01b577c3528b4949c8a693706f7c8bde6102a258162835a64c681891bf47a40ae322b759f2ea5c6e856616e16ba6cb49fda16de689ee6977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
6901dc65638a5cf9ba46a8248efb078c

SHA1
7a3b80c00a706c506f2b8fcd34daa264a5bacf2e

SHA256
5d19d602bcf1e30d5f53849a9dc0c8f827e183e8e053fc81b02d6228eb869ee5

SHA512
9ef08a6a9889fe39691585d7a8a22e1905ca3b5284cd523704538b1c401e3dd424ebf843f08e81560f655dd6af2f1346d64e3fc9aa885f12702dba06a7f04fec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8c504770ac8348adb702e327295431bd

SHA1
5ecf3d192257c7759e79615358b566cceca24830

SHA256
9a60312e5b32d74ab85c9a2573204214339bca549ae2c500faac24f275d4b83a

SHA512
fa8f2d43375b513dcce1a7c7f9033d5d02407436b7e6e3a210b84d57392db3c303422a89405cd7396d67a5ef781ad05a6679b4bddecfe57c364e34386cd568a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
52875790ce6c22a3213437d03a2d04a6

SHA1
03ef2c60be653008cee967a397d1494bf4f5cb3d

SHA256
e28b90c99e4c5ece27365a876a3738b7a2814837e8cb4c6841fc7c34b10ee289

SHA512
8c5a049cb58eafea548324a88b0a95f34dd88a406db545aed6d04f8fdaff32827764108f1cefade0b1633d4aa5061e3cea621e3137d3bb7813deff6cbdddc14b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
4379a250275e14f29b0c90433051fbac

SHA1
b0d5a35377cdf68b68f1507ed9e81b5a0772e767

SHA256
ddcbbea429959fa4635675d8129fad1957aea52154cd4898a178888920d2d8c3

SHA512
f60005228340660660cd6b8ae7622933b7a31fcfe8bac7e1ffbcf3273c24aff90ad681e88eb30f564e6692ac4a6b27a96d98fe1a91162cf272f83607e59ffcf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
617c8224d0914facb097d910affa25fc

SHA1
abb08e3a829ab9962be7219c40b1daa19b5e3a2d

SHA256
6455874c9741223e252ea06f8ffeb70805fe8098e11eeef3615bf93e1bedffc8

SHA512
d10661250bb1662b5a87541a0c0d1b2f663e78c474933ebc530fb9184aeda3aca7ebbf0436f52bfdbdff3a8e697658e1b3444aa83a476c99e74f58e12265d5e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
82592ed8703da3e35b141bc19113b776

SHA1
83d27289bbc312d47cf4ff66bfa283fd0739deec

SHA256
924e701dd52837bddbdaa1bfbc13f8ef32fc4fdef6dd3df5e4338c1787846160

SHA512
cb801debc196a8688e7e47fbf9d0c3a9f17a9acb5d445f1e39e4ca0270b4bd79df4c232b9c85af2beff0aa276c3230f4e50aab263ea9970cf12766740d4eec76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9f63dc9c6e294267fe8a26c7eb2da6ca

SHA1
472373badd353eec26f4ec28a4742dfd58b0ed42

SHA256
45ccd58eea7aa424ec134d8774d5c7cba1219c404be63590d4e2bce398225418

SHA512
a918aa89c20d93fcfff4da3d4ca12f51ab2393e609bf93a536a346de31e55a597bad3d9f6f4c21411f06c43b17ede9e48e9b012f9f7b9a2155e097406a46618e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ca5583cff5171a9b0796023a7db014be

SHA1
4a75be0b9ff46b9c6b5e2c66b8b545a9c2644c84

SHA256
d85fe3e82b48528defeb05483e1c871128d6b35f1cc54bf0ffd5fadcd15d9c20

SHA512
eda617787d95181449d624c96cf3d44abc4e867f3b7b658ec54c112ac12e41182b0bfef6419beab41741d5c44cfe97cee24569c09b1562e3991d08f5a895b542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
92394905d656f2cc3ff8640faf57c078

SHA1
6d14da58f3a14ff8084680c3eaddbd90aaa32641

SHA256
c030750febb2dfc5f679577d81f729a470158c2ed8ce11384c4e40cc114122a5

SHA512
7f6722c92ad4aa2676089d936f7fbf4cef65b20195dfc245b6ed8f9bbc920a31e70be9ffb19c58b197b6e77503d4f3a7a694d40dfb3a0d89ad67766b24132a28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2436e0b33eb672679bd247e9bc2d1550

SHA1
044bb040f974e6393a87a1c16b528fc9d8e408d3

SHA256
d3e9312426cd4e7c384c3ef6328db4baf42a6f3ebe8d2c261a1f9d668ace43b0

SHA512
e9fdf7d1e20ef03f9b379fd0fb5121a3f3c81377ad3f7b15a50ce065b1cb0b5ffe4212148880dcafce1f4fa3c46170e394a9d1175fed6ded0d9ca8d959482d75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0e4dae3f3696aef3c34f829d2ff2f1eb

SHA1
015aa84d2c826efbe102674bfdc34a24ce25a111

SHA256
dbc3c87157e647b5cf582d09855946579726e11b58d0bafc83077bee868d1f3f

SHA512
25491baa71ded0ba8e4ea5dd98d42e4ae2797ea86e55b58407e77806f3036f74a8250303e998a006fb2570c49155f367686597d665add2c3e73e1d1adf56f1a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ba35d5119e724b825699c46c9a18c53d

SHA1
49139f461ea4325004299831ab72c55910e08114

SHA256
89a225cfc47bfebce0d486b307f08804637ab06ff3a66e3cb5a77bc7fb64fe2e

SHA512
a1b168781a8d27a1831ea84aa684f899d147957b22ce4b9ccd6d64dc4a9cfe56a4e3d8a6dca24c28b69666644ee0f7397b2920a149c2fe8887785cc982fc95e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
06340343ab933afb6540c4df1c6f9fe4

SHA1
e3a010621a28bf82eb7488c90d9db112e68ee78f

SHA256
78420af9f406960e933f1a47a018cea17b857c161cf9168cc8fb0aeda937473c

SHA512
478504925ba96897d3a07d518e85569650679cb3add2a87a1586618d9b9233ab707060c3719cc7af385fe53de50fb336b100577f9f50a9569d52cfdbc001b44d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
4a37fa80c3ea34680a8007b5fbde2646

SHA1
d181a36167c9283a6a0fa7e07977a55c2d44d2c1

SHA256
268fcc8204f2edabf1cad738c7edc3d4d4806f6efe93e2f3705047be9fb19323

SHA512
1472baa3c4b4bf8ff93ccee20ed8efa82154081b9c4a19bf69254d73e7e2aa2dd1842e3d131db6c80287aca33a363a0911173d85c48625aabcc1453876cf86da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
372b9ba0bc5a7bfba0d3f15930b1c579

SHA1
8c7b5005c428c595fcc07f82746ce94a5896fb16

SHA256
f91916509c55b7b039b280d66ef9bc5ee7eb9a3310ee3b46d406a5a32ef6ff70

SHA512
dbd61441bb4ab8b0b70a8841953ff3b605830c9dc0d47861bd8000b3723e5a96428929f0a122d0488f3926b6b0c8f90ac3730abb7196385a9fc1a943541917d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
3a11f92cfefdb0578b8899652abdfd12

SHA1
34388f607a750e35b0ae0f7758cec195d1a4cee6

SHA256
885f577be516849e93b4990611c8329144f8c927e920886818eefecace812b77

SHA512
d7ccfe133d41d9cec92695db5c292a8c9c4ccb68a93b2a1e2cebe495055f552077cbc21f4ac52feee49b11a51469e197967d1646617adbb9a751dcf683128595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
773350ce9e09b250dc29095bd11349d7

SHA1
df40db971da76c751e46327764958d0db6902f26

SHA256
9235f005e80eeca5da23a56d2e76536722f48061efecabf7b6087f6bc451c57a

SHA512
1fa717c4949ce1a07cc803b7c594e845330f684f04ddc3cf7091542f016fe563272a07709a66032fe3d6462c7de0cbc54a05f27e5ba8d26fdd73a455ba99052d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b18107dce4ae0b8230b4076e14337df3

SHA1
535f27ff67ffb0073758219c2feba35d79ff3e46

SHA256
850de843a6af01b862a1c8966f743c907ed9c1177032570aa6c4a63a0926be4e

SHA512
43750ee9dddd73c16f460270f8ebd781fc2ce20e6f5533980146851ef96f5984c97aad2a530c05d0c481c74a434bbb1bf894c21d9620642b6c7a88435223b82a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ee3c17fa5c1f8b6f4191f2f2a6f79c77

SHA1
fbfb3a134f468136259a72d0851a0ac62f4e8ffb

SHA256
ac215092d9d495131d8a8fb9ed0c81e64450dac9dda9d68c9f56de4ffe02a3b4

SHA512
1713ffa1ce5120de68769be723e3513573642567192e0bcb63487c03a9c74669a1667cd834f0d331e768549dbb5615f3efd68d86c3653143fb85c48c6322943c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
88e651826543c6f112dc5309183e4fde

SHA1
29e6e7213b39124306a11553fbeb5bb1905e7f96

SHA256
e867df21585452e7ba5b856e479963eca2eddd569aec381be3f8726200b9ee59

SHA512
01b6e173d0c0fcbfc55bc7d085e2490c08b81245929153fb324c80c3ee9d858ab3220d79423e1a9b354caa6f70a2aa1b70ac09d9d4aed9c3d6ae49d3069ce581

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e54f.TMP

Filesize
707B

MD5
02d2a7f16f30482725d7e17dada6a3a1

SHA1
fd10b7e57b410f5587ead287c2a205670eeb549b

SHA256
9d11030165e374a67337e4663f81bb52e8b0574995741b4cdbe59e5e14083dcb

SHA512
f50a6d13ad1dbf77736135d013bfd5648a6664ee802983488e92b8aa20bde9163a1eb8fa763fc4dacbcdb0a01eefc1d491f3912215e090cdfb27c07c65ed1302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f055137b-7b95-4134-9106-cee85c7765bd.tmp

Filesize
707B

MD5
05bb0c56a19e0bce6a2d69fb6e9a6203

SHA1
28cde58c0023d34160f2a4c18d694a45aabf8bc0

SHA256
ddb15592524a26f46e0c31427d43d01183e70b78b484710f7f37c464982c9e13

SHA512
9fc231dc4cf9bfccca0eed65c3bc0d14736098baff3965bd30f0de45fb36a123343c37057ac2c199674e1248de5c56451b5db361d16d56ccd8b4185f0cfbe984

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7ea978f75d8ba73a878e62a79b7199bf

SHA1
9991992ac4f2436cb46f39d6229218d1eb807cd3

SHA256
805240014c939ccc8e76bc5b2efd4a9edbd10234439b3eb5e61018bd151b8e61

SHA512
e971f7a14810c3e328764719bf2a09219ddd58c78653b7f30533b80dfd36b854e5544ac84161771d062e1306d1617aaf3b8cf0671b88a4d4f38711a62dc68d70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit