hxxp://lacplesis[.]delfi[.]lv/adsAdmin/redir[.]php?uid=1439888198&cid=c3_26488405&cname=Oli&cimg=hxxp://lacplesis[.]delfi[.]lv/adsAdmin/i/preview_610959355[.]jpeg&u=hxxp://u45399925[.]ct[.]sendgrid[.]net/ls/click?upn=u001[.]P5twhHPZ8ddWUFr7QzBnFwu49oAc39ZGizb-2Bfon967kbcwRt2sNk6JjfNCZEE-2FTF-2FHoiWdYQrm-2BaC52TuWCJej0YI5kfex8VfzUB1a67WbLiT9ohVcNtosyNi9ytLLEcDQXfRBVAA-2FdpgZtDkHQ8xs4SIoBnJAud0U-2FjpMXqFKFlTd0oPucHMBmsfYbr1W1bFPuqjXwvWKhbYIawiZ-2FwOAwiIppc-2BCo-2F8nqqi4BfLzk-3DMqvb_NbKRw1e3eztFxz5vjavcmdoozMVb-2Fr9DO9Yopnv1-2BLKGiSlXTn5tLJ1E7D2gLcuSGQnw2-2Fq4dCGhuTgI-2FCh5wHXEnMeo0XxpcK4Mkyr-2BEvScg-2FUSbGEX9xfg7lbd7-2BEUQV4vzADZ1KbjvJb-2F3jeIzI8hMEWxcR-2FvoUctYwvxe6s8UPP7JWdl8MT6KpZBxyaUh915FMBuvi2lS6-2F8fnrckX9z1kD9sexnkBHRayLfAlh-2ForEpzapShaXRSzAtUpDX0sBB2LbmnEos21q1NyUL3QsMhMVGxXLqUuSt6pUy07V9B9Sh6jRjnbDb6-2BdhXshHy9AJkauhe2uJY5ocKUdgGbRT-2FLzAmQyl1NT1kteHPrWoZ-2FeMfwWZoaws4bMh8gV6TH9XPlpoVe9KPpNrxZoApxusvvksTCG28qqycpgMXINjNOsje7gNMLZggLxa8d-2FF&c=E,1,5bEVim247z1fGhtUhmYwbNu1H8iIZr4NrgaCfUxKZdTyuUxW48gwPUfsoILDy-FCjYA5-2MCgtJlXy5N3PAFAD47XFHidB4K4cNJC7Z-FhFR1P96vPVq&typo=1&sa=D&sntz=1&usg=AOvVaw3M2IK1451r_uQGYiEVyOIF&sa=D&source=editors&ust=1719861584574540&usg=AOvVaw3XnUDNEs0mfujfRThl97w7#Z2V0YXdheUB5b3VyaG91c2UuY29t

Resubmissions

02-07-2024 12:52

240702-p36araxcmm 8

02-07-2024 12:43

240702-px6pbssekb 8

02-07-2024 12:35

240702-pssa5sscpa 8

Analysis

max time kernel
124s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://lacplesis.delfi.lv/adsAdmin/redir.php?uid=1439888198&cid=c3_26488405&cname=Oli&cimg=http://lacplesis.delfi.lv/adsAdmin/i/preview_610959355.jpeg&u=http://u45399925.ct.sendgrid.net/ls/click?upn=u001.P5twhHPZ8ddWUFr7QzBnFwu49oAc39ZGizb-2Bfon967kbcwRt2sNk6JjfNCZEE-2FTF-2FHoiWdYQrm-2BaC52TuWCJej0YI5kfex8VfzUB1a67WbLiT9ohVcNtosyNi9ytLLEcDQXfRBVAA-2FdpgZtDkHQ8xs4SIoBnJAud0U-2FjpMXqFKFlTd0oPucHMBmsfYbr1W1bFPuqjXwvWKhbYIawiZ-2FwOAwiIppc-2BCo-2F8nqqi4BfLzk-3DMqvb_NbKRw1e3eztFxz5vjavcmdoozMVb-2Fr9DO9Yopnv1-2BLKGiSlXTn5tLJ1E7D2gLcuSGQnw2-2Fq4dCGhuTgI-2FCh5wHXEnMeo0XxpcK4Mkyr-2BEvScg-2FUSbGEX9xfg7lbd7-2BEUQV4vzADZ1KbjvJb-2F3jeIzI8hMEWxcR-2FvoUctYwvxe6s8UPP7JWdl8MT6KpZBxyaUh915FMBuvi2lS6-2F8fnrckX9z1kD9sexnkBHRayLfAlh-2ForEpzapShaXRSzAtUpDX0sBB2LbmnEos21q1NyUL3QsMhMVGxXLqUuSt6pUy07V9B9Sh6jRjnbDb6-2BdhXshHy9AJkauhe2uJY5ocKUdgGbRT-2FLzAmQyl1NT1kteHPrWoZ-2FeMfwWZoaws4bMh8gV6TH9XPlpoVe9KPpNrxZoApxusvvksTCG28qqycpgMXINjNOsje7gNMLZggLxa8d-2FF&c=E,1,5bEVim247z1fGhtUhmYwbNu1H8iIZr4NrgaCfUxKZdTyuUxW48gwPUfsoILDy-FCjYA5-2MCgtJlXy5N3PAFAD47XFHidB4K4cNJC7Z-FhFR1P96vPVq&typo=1&sa=D&sntz=1&usg=AOvVaw3M2IK1451r_uQGYiEVyOIF&sa=D&source=editors&ust=1719861584574540&usg=AOvVaw3XnUDNEs0mfujfRThl97w7#Z2V0YXdheUB5b3VyaG91c2UuY29t

Score

6^/10

microsoft phishing

Malware Config

Signatures

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

99 ipapi.co
100 ipapi.co
Detected potential entity reuse from brand microsoft.
phishing microsoft

flow	ioc
99	ipapi.co
100	ipapi.co

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

3964 msedge.exe
3964 msedge.exe
1824 msedge.exe
1824 msedge.exe
1824 msedge.exe
3780 identity_helper.exe
3780 identity_helper.exe
2584 msedge.exe
2584 msedge.exe
2584 msedge.exe
2584 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid process

1824 msedge.exe
1824 msedge.exe
1824 msedge.exe
1824 msedge.exe
1824 msedge.exe
1824 msedge.exe
1824 msedge.exe
1824 msedge.exe
1824 msedge.exe
1824 msedge.exe
1824 msedge.exe
1824 msedge.exe
1824 msedge.exe

pid	process
3964	msedge.exe
3964	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
3780	identity_helper.exe
3780	identity_helper.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1824 wrote to memory of 1092	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 1092	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 4200	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3964	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3964	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe
PID 1824 wrote to memory of 3260	1824	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://lacplesis.delfi.lv/adsAdmin/redir.php?uid=1439888198&cid=c3_26488405&cname=Oli&cimg=http://lacplesis.delfi.lv/adsAdmin/i/preview_610959355.jpeg&u=http://u45399925.ct.sendgrid.net/ls/click?upn=u001.P5twhHPZ8ddWUFr7QzBnFwu49oAc39ZGizb-2Bfon967kbcwRt2sNk6JjfNCZEE-2FTF-2FHoiWdYQrm-2BaC52TuWCJej0YI5kfex8VfzUB1a67WbLiT9ohVcNtosyNi9ytLLEcDQXfRBVAA-2FdpgZtDkHQ8xs4SIoBnJAud0U-2FjpMXqFKFlTd0oPucHMBmsfYbr1W1bFPuqjXwvWKhbYIawiZ-2FwOAwiIppc-2BCo-2F8nqqi4BfLzk-3DMqvb_NbKRw1e3eztFxz5vjavcmdoozMVb-2Fr9DO9Yopnv1-2BLKGiSlXTn5tLJ1E7D2gLcuSGQnw2-2Fq4dCGhuTgI-2FCh5wHXEnMeo0XxpcK4Mkyr-2BEvScg-2FUSbGEX9xfg7lbd7-2BEUQV4vzADZ1KbjvJb-2F3jeIzI8hMEWxcR-2FvoUctYwvxe6s8UPP7JWdl8MT6KpZBxyaUh915FMBuvi2lS6-2F8fnrckX9z1kD9sexnkBHRayLfAlh-2ForEpzapShaXRSzAtUpDX0sBB2LbmnEos21q1NyUL3QsMhMVGxXLqUuSt6pUy07V9B9Sh6jRjnbDb6-2BdhXshHy9AJkauhe2uJY5ocKUdgGbRT-2FLzAmQyl1NT1kteHPrWoZ-2FeMfwWZoaws4bMh8gV6TH9XPlpoVe9KPpNrxZoApxusvvksTCG28qqycpgMXINjNOsje7gNMLZggLxa8d-2FF&c=E,1,5bEVim247z1fGhtUhmYwbNu1H8iIZr4NrgaCfUxKZdTyuUxW48gwPUfsoILDy-FCjYA5-2MCgtJlXy5N3PAFAD47XFHidB4K4cNJC7Z-FhFR1P96vPVq&typo=1&sa=D&sntz=1&usg=AOvVaw3M2IK1451r_uQGYiEVyOIF&sa=D&source=editors&ust=1719861584574540&usg=AOvVaw3XnUDNEs0mfujfRThl97w7#Z2V0YXdheUB5b3VyaG91c2UuY29t
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff825a646f8,0x7ff825a64708,0x7ff825a64718
2⤵
PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
2⤵
PID:4200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
2⤵
PID:3260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
2⤵
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
2⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
2⤵
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
2⤵
PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
2⤵
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
2⤵
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
2⤵
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
2⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
2⤵
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
2⤵
PID:2464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
2⤵
PID:4800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
2⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
2⤵
PID:3660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,85406326483004084,15046797666798358293,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3204

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
264B

MD5
9b59f443544cf59405afacdb91124540

SHA1
5d953cf028edba2e600b15c904764b6b5a6b2d08

SHA256
29556ff1ef7101ebde7e22689d6da9d5746c2bdb5eb534ab2f5505196991bca1

SHA512
43cf657194d9ee5c5e5e623932b733c4708a5724f28fefb0a670bd8c91fe0554e0cb69ce15277c434038a59b96daaebcf05efaef002b395435d005159c314eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
d2da90bfbd8db849c235dacda731b9c4

SHA1
1e71b0b4bb038ccd7e40f2a67d5f55d9857022c1

SHA256
f3fc2ee94cb6e0ea23e9690df1eb9f370d85b940c62854b09492cbbe7b6d5f9b

SHA512
c49ad7249f942cb1c8f09364cf5563c98f644e2399bb4f86d05634df57ed8015a880a043f4f5fcb68fc3ddedee2b56676df98d63e08914424070e0e80373cee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
5667116b362d9afdf36a38995c03d864

SHA1
2350ac506478fe3b9feba19f0a1fbf8d0bc17b09

SHA256
9b0b71813b9d89a9b3b7855dcf612829f4233bc927207a23f7fe3d123563617f

SHA512
a6a73748565a4d4b28e775bab965a4447fdc631950c41d68236f76290459be114e562c490743749e4e6c1e1e95c4d9e569d8f8de5554feeac6c55db41f72f697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
850ae52f54a65bf7842c6d5712a77732

SHA1
6f7b9216cdab0462cca3326b95b1233be8b165e0

SHA256
353649628cb1b136b9137ba2329c5d9a6bc5e5ea397f7d9af4a868232368fe9f

SHA512
4cffc83c3899f39703056917a1ece1da4e34139211f27f0a6fb454d62f0543c6f94688b64fd30af3afd9b9efe88a95bbab053bba2b7796ee683b423430cb9c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
94f3ffead2ec6c69c9752001a01f65c2

SHA1
e09c6c70633d7194f8156824639356614166cf19

SHA256
65da4ff5e537e7dc9faddbe3f6bac98746db071f957b97adf1e0fb73aa568a3a

SHA512
5267185ed37b85bab57d7822b9818ffb3bac39f29e82116585030c41745318b006c82bee6c3bf34de5923f3d96716b044e81f574ac08893e6be366f82f136902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
5f4f487c1f3f9e4358ef789ae8be1e06

SHA1
e8e4a9d07a65067bd94f97e9b5e0b4056257768c

SHA256
04e4e31a670c30e0eb2380f8542b54ffdce02b5dd9ed9e06ad394197cf052073

SHA512
bf4dfd06cba63dbb41511f8b158895d96fd46986ea1ce75196c728c627a13c7d2413b3ea9e498ef1ad5765fdda269103357a58a5187713ae8cbf6159da6f3efa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7ff89dbbbe5476dc8fef8f5cf8393538

SHA1
53c5cb512420e07cff3d3533a1bf668abc28841b

SHA256
74e5f34d3522c33bd885e7fd8374a7bd6829a017828aba1c2507cc801a33c249

SHA512
bedccf80032bf48d5a5f2b7f75d0fdeadd6b6dc4a3cb3b6ba9136b83954f32e06832a52b61eb5cb2d4a2fa72653657d8a2f69fe43b4a99f29b76272be61b97b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
f0b58021f4c837fdc778000e29868e8a

SHA1
45ab4aa4b5c9a2274761b8dc2b92b3970f983679

SHA256
d7825ce730bf7bede4ab6e155caf63f65bf8959dd40aabf10a388cd754752680

SHA512
26fe77699a5b1f83d2593614cfd09815439273b7dd8500ecaff4b3b52279acd389b83c5d596e4a1952deded603609778f5a266a30a9e6d8f337e292b67b7ea72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
04f9556bb32839189b124b678d986b18

SHA1
917c9586a4decfec01534ce46f18b1432f35cc80

SHA256
b2a1c1841916cd879f2fc7d8c0777fd99a8899353a7ae33efb86fa5d9d366cbb

SHA512
cf2c771a2508fc834da5e839db935a1a0f79ba6d2a6943b77cadd1d8ce6aa81ca85cfe620a4d0102144c852cc04edc7bc170d8c11bfd25108725198a4007588a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a836.TMP
Filesize
1KB

MD5
fa52f739d0fa91d422c339a06e5acbf6

SHA1
99d82900782f4af7b4abf67e5ee827b9e79bfefa

SHA256
514710d54c2470a597005d38480d0bfb46b34d9cba3cb8410dafad0f726c8659

SHA512
2116b0bcdf465ba215cfce54c5cdd86ba432d3cfbf5e4a984f2e2ff6bedf1feecdf9587e46c0c3a2da0526f93e2276f6af6b86beef4e94af263f306ac1591991

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
ed4e50b530bc2ef198f606a0cf801b43

SHA1
6a6e2896aba08f3f3c652698c6a36a122d6ad529

SHA256
7dfe6c2b810b92b9df83b911e8100484782b44af49fb98fc481563b29a634dc6

SHA512
f1fbecbc0ec46f4d1b675083bc67ec5f0c71e91c36dbffc5e8270626b28ac74c782e388cc7ba0d44879a8882b6111a9155e57854057c2ced05a85db086863966

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\pipe\LOCAL\crashpad_1824_FXOWAUWPCYJEULLB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit