hxxps://docs[.]google[.]com/presentation/d/e/2PACX-1vQ_2SU-K3VHDyQZQrsuF5w-vsb7tg8B5x6CFSzjfxSy7vxBB7GOElHRtU19TRpgmx5k2BC-gFKUfAvz/pub?start=false&loop=false&delayms=3000

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/presentation/d/e/2PACX-1vQ_2SU-K3VHDyQZQrsuF5w-vsb7tg8B5x6CFSzjfxSy7vxBB7GOElHRtU19TRpgmx5k2BC-gFKUfAvz/pub?start=false&loop=false&delayms=3000

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{6681027F-FA6B-4B62-A617-F6115F2FC914}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid process

4356 msedge.exe
4356 msedge.exe
4668 msedge.exe
4668 msedge.exe
2380 identity_helper.exe
2380 identity_helper.exe
3500 msedge.exe
3500 msedge.exe
5820 msedge.exe
5820 msedge.exe
5820 msedge.exe
5820 msedge.exe

pid	process
4356	msedge.exe
4356	msedge.exe
4668	msedge.exe
4668	msedge.exe
2380	identity_helper.exe
2380	identity_helper.exe
3500	msedge.exe
3500	msedge.exe
5820	msedge.exe
5820	msedge.exe
5820	msedge.exe
5820	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

Processes:

msedge.exe

pid	process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4668 wrote to memory of 2124	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2124	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1036	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 4356	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 4356	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3216	4668	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.google.com/presentation/d/e/2PACX-1vQ_2SU-K3VHDyQZQrsuF5w-vsb7tg8B5x6CFSzjfxSy7vxBB7GOElHRtU19TRpgmx5k2BC-gFKUfAvz/pub?start=false&loop=false&delayms=3000
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ec6f46f8,0x7ff8ec6f4708,0x7ff8ec6f4718
2⤵
PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
2⤵
PID:1036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
2⤵
PID:3216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
2⤵
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
2⤵
PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
2⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
2⤵
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
2⤵
PID:2848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
2⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
2⤵
PID:2584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
2⤵
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
2⤵
PID:5168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
2⤵
PID:5180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5728 /prefetch:8
2⤵
PID:5968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
2⤵
PID:6096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
2⤵
PID:5144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
2⤵
PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
2⤵
PID:5628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
2⤵
PID:5612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1972 /prefetch:1
2⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:1
2⤵
PID:6124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6068 /prefetch:8
2⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3368 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
2⤵
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1972 /prefetch:1
2⤵
PID:5676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
2⤵
PID:5704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
2⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
2⤵
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
2⤵
PID:2584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
2⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
2⤵
PID:6036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
2⤵
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
2⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6840 /prefetch:8
2⤵
PID:712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4187827138600181550,17738466998414679363,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5768 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5000

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
dabfafd78687947a9de64dd5b776d25f

SHA1
16084c74980dbad713f9d332091985808b436dea

SHA256
c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

SHA512
dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c39b3aa574c0c938c80eb263bb450311

SHA1
f4d11275b63f4f906be7a55ec6ca050c62c18c88

SHA256
66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

SHA512
eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b
Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
bd91cda7bfc814d8fc3b62803dc14fb0

SHA1
76e8a0251b1462a0ffe4e5d7b749cd192f72a584

SHA256
b69c053917f2e3432a2c28b8f1730bd46d352b85d1e184a26aee8f0fc854238b

SHA512
f6d7eb87ed7c1223cdca3ab1d4a387d83533ee97c4ab53976b24b0d28aa23bd8ffcb530dd6630a1af80d28e67441f7fb1f735196a866a72c8962eb5aa3d4b1e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
c8f5ad0245bf4897c69960f0ad3016c7

SHA1
2c8b663720095420c40d1d098f8fb570a3c1173d

SHA256
c9e6396b4e6a998ffecc06c33c684d0486083d9f919549daccccac83f8fe936e

SHA512
8566083da3093e6867b8559472940db8cf5f1c64bc31300c2c32988fad5f0af27d0bf8d0e3dbce0451b9717458c552b85964daff455d87e0a5ceccab2681dd65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
5KB

MD5
5a2b33b1a9602f4add53f27281600a61

SHA1
2d04d9679f1b1288271024306a018a63931d90d3

SHA256
f10a63a0b4f72fd8e44ab277a6476f1682ce8c527d3fe5d36291261fcbb496a8

SHA512
11518232bd7f87b626f61fa0a2e539ce3e6e5d0ce86ce72c6ac2085da7c8e280ab51e2e590bb5ec7b4f4877c1e4d80e415bcb2db42311b0dee04779439a0f18f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
5KB

MD5
ee739eadd1eba69b3c03f3892d708ded

SHA1
3c0ca5b27e43ec599f3bbd83b6bb675f550175f1

SHA256
788dd368316935aea991910e0754adea5b5d29da991ac2914a0b2442770c3ba5

SHA512
07a6a17db12cbd5251814f74ddfe3433d124313638c40bfe97414cd2c2e0e9c7f6e82521a817d1be86b76471926bea02d42ec3aab178fe8fffb770bfdce8c2cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
af8cd0685da0bd241b4265d27d66943b

SHA1
290bd770181ae61d1ee071950eff7cdf887ee803

SHA256
e11eaf9dbf44f13f8ea36027e01580c2ed36127b045d27578c558d11b9c0bf78

SHA512
0e844c3f3032fc6a880d9c60dbe04896bf51fb15896a391e535d5d4dce5f86acb0b925fa1843afc329db0ce8d8744219313e74da54a4289268913c959cb19445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0ae7e68fca58c465b472b4e14632671e

SHA1
f2ec0bdd061e6de307d58673788d9204c76f4635

SHA256
d9339e8a41ff98f543c355b720e2f825e65855cd0c1be112c937072ca227a0c9

SHA512
91ff9deb9f2a890c30e942097957f9d6a268e1e01381945d2cb852adf279dacbf25cb5e85ac161f969598e6dfbe3441211c5657b02d8c30aba4b419215510748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
fa3b090fff147a6784993a2b44d501c6

SHA1
23bb19f592107a24fa83ed8ad1e2897906f16a96

SHA256
a7f377f4df6932c8b056427c7e6eaa9412a03dc3a4bec04fa0122519c2e43c0c

SHA512
02c52e70bb9e74dd9669897293977a23b15402bb953ed89686cf4df3525c52805d2cf93dde2927c5f6f92769307cecb6251e82c39f761bacccfbf9e634d19d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
ae08be89db8fc425881d2c5ad92b0765

SHA1
af278c2085818e29b7ba9f062dc332be7d7fbc67

SHA256
a546af1afa83bd85d17fd1283ac66f108a616c614fa03312978a85553bb5190c

SHA512
0680c3ea0c7365cf680aefdcd3b422d680a295d8c47e8939de18088119db891a645609eead7b72a56538c285ff981cbdfd6d6b4d480052260dc57a2f8cafca71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
cf7ae1ef8514117b1cacb7b718662ffc

SHA1
55475e1e7aa96835809b1910b7c8076c105c4d9d

SHA256
d07890f741e32f021da0613db9d9a772784e41a55467e3c1f26607e9d810715d

SHA512
dbfc5a2074058f07657b1cc9382adeff62071066e04691ab0676a4f3200d1dcf633add819740f947f1cd8f863da280b0ea6e933f4b9e18f3b52f1efaef53b3d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
592f1f5b859f04889f02126b5b47ddff

SHA1
b55a6a1327b3a9d22f3c1d8f96988f0d7c145b76

SHA256
47ba662f44838f7feb12beb3402b27f9fbc7248fe22337aea6bd8ce3483888fd

SHA512
7b2b0fcafa9868cda0bc5f000aa8df70faf7b4d7a7eebb9bc616681f98c58295cdcdeca27583ca76570ece1bbf5efea965b40fa06e75db6dc7bfc95c089f95a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
d788a7e112b398e4ba2509a487f86d32

SHA1
bf3c8b00ca6048d205d018d4b4c6c6d8a3dc5cad

SHA256
c1e4d8490c7d0c8fb523fb7e4eaf598f8ea18ea07b118d0d20773238da7733aa

SHA512
1baaac47acce04b5685dcf405fba9dbbe64dd1a134006bf6c8762c7e340770ddb17918cc63571f2915bbd007469e09869fcc4ad05e3a561f4dae9e02d40398cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58755a.TMP
Filesize
48B

MD5
670912052cdb9ec778375e6db070d54d

SHA1
aa61d90c000dadb4c2400aa623d05107e9ed5623

SHA256
bcfb5ec718d7a50ba441ba6259e8dcf1d17de756fd636b57294ef03a0015e46f

SHA512
ddec5d07873354a4a207a641134d6d88e4490d79b2b53ae2434e2bea393e05ba16c24b80f3b7fbce573bf61ad31865f2d63c4ca7af6102f0e4360126ba2e4fce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
874B

MD5
8bc455d41121c8a8461f14efb036b3f3

SHA1
971435eb984ccb2b51ab14c04eb3940ea33fdbd8

SHA256
2faa3812bb3f1f77ae2da9323cedba965ca222c3e5c7a12c5e465748d96047ca

SHA512
e9c30efe5ed050344c21363b23445c08c55f2bf905fefb714187b6bee3d000732ae468acd48b4f72acb130e61b353b006e629fe4d26febfd51185c21acf7f899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
52e9a4b58eab8a68989512ccd8a7441d

SHA1
5d893badf4961a1f616820bc85e7dea45201927b

SHA256
b29bd8510b564ba47ee0802e04454c9c7600865ac3bb8ddd2acffe44afd53ded

SHA512
58a4b5d66c03c5e946c51edc6dbe7daab601a53152c4e72f0e32beb39d308cbc3ddee102d970ee5f9a0a38a0814fca0bed2a7f1382c3dc4b36f0aa7698bd78bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
72a129b29ad4b167a553f337457165b5

SHA1
d46ebc06e72fd9f308085b444502b9758aaf1a2a

SHA256
aed78b2d831be145c2b92011498308c0fec6a8900de39ce6e22679392f217630

SHA512
3d1d2187e56c1cf89b0d6c08205ea937904d6babad12e16968a9de1748435f3bc781881c4af21e288906fb0afc90005a54018ae6a8803f72b923fc9f09fb3854

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
ab7049bc57c3838bff4a34e6199569a4

SHA1
13aef4aa3b7646ea7439a1dac5626952c91af5e0

SHA256
8605d501745c4677c8aed6ab0cda4097464007e81a29389c097555d54afb0ce6

SHA512
748ef53771404a873a4d5e991b8a549e508d9123e64b243b033e9981b6c950b9a5501624c07661d811b4c6de8f3e544c53dd17be5cb9b6bf3408dccf752f9a23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579b75.TMP
Filesize
371B

MD5
a938b346512a57457d6bea6ad9e1a650

SHA1
7d1f6e5efa50fd9368a3acaab4133c06d41d0fb1

SHA256
4eefe3fff94a1b9946f122b3884616fbabd3445789358b4b68bc3a70713b3919

SHA512
d4e42e0ba3e86dfd9237c64d74055d3cc023ad03f8075876d07a8527976181e033d48837f9d413a8d3c6aed9edfefd5a90592fc64df3f5915ca841b4b314cf48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
0846681752f3665fdae086f68db2c594

SHA1
d00232e9afb9c98e751c553ae8abe3cea395b8c9

SHA256
b082bb7c4a3e8546d0a4bb1ece3c52ac28c1df427720cd9436807e1bf61476ad

SHA512
d0c432e93ea3bc10f8668632be77067d8c0a3feeb2e15210d16ef4c30275658ad2aeadc503b453fffe83d19161406928604479b33a00c71c198fe49f6637c1c2

Download Submit
\??\pipe\LOCAL\crashpad_4668_EVOGYVRSGOJPWFJM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit