adf56f3ecfe4c24602fa46f3d844160218b6851cbdfadbf9bd0c26cdcac972ff

Analysis

max time kernel
148s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20250210-en
resource tags

arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system
submitted
10/02/2025, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

email-html-1.html
Size

29KB
MD5

9faaa98c874aad1ffb728ad4742ac742
SHA1

2d19e9db61931b603f7a73576bdb215d7c453aaa
SHA256

98978f7f19737b9781bd94970ae83a388a3aec6d9133899c20769ee90e253977
SHA512

5598a2c288e9c69c6a1c45298c6a06bcf7fd247b5e428bb5061a53e5502eaaa9cb45fbca5eecb4b0f3a109d8b96f9b9af418a5c9cfcaa8cfbcbf2103b223be9c
SSDEEP

768:IyoLQVLsz0qdOYm5T/sCEn75+NtWtXdCH+jDfRYEFEYQ:Ix8xwALT057ENUKHaGcQ

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
20	4708	Process not Found

Executes dropped EXE 2 IoCs

pid	Process
4676	setup.exe
4072	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AF44DDD0-C0CD-45FC-98F5-2E5D0FA01DB4}\EDGEMITMP_252F4.tmp\SETUP.EX_	MicrosoftEdge_X64_133.0.3065.59.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AF44DDD0-C0CD-45FC-98F5-2E5D0FA01DB4}\EDGEMITMP_252F4.tmp\setup.exe	MicrosoftEdge_X64_133.0.3065.59.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Temp\source4676_832786185\MSEDGE.7z	setup.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\870e14ac-508a-4722-9485-18fcf74d697c.tmp	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4624	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2780	msedge.exe
2780	msedge.exe
3404	msedge.exe
3404	msedge.exe
564	msedge.exe
564	msedge.exe
3948	identity_helper.exe
3948	identity_helper.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4676	setup.exe
Token: SeIncBasePriorityPrivilege	4676	setup.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 1964	3404	msedge.exe	82
PID 3404 wrote to memory of 1964	3404	msedge.exe	82
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2984	3404	msedge.exe	83
PID 3404 wrote to memory of 2780	3404	msedge.exe	84
PID 3404 wrote to memory of 2780	3404	msedge.exe	84
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85
PID 3404 wrote to memory of 3664	3404	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-1.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9d34a3cb8,0x7ff9d34a3cc8,0x7ff9d34a3cd8
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,5524343708183632521,9957027375331310199,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,5524343708183632521,9957027375331310199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,5524343708183632521,9957027375331310199,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5524343708183632521,9957027375331310199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5524343708183632521,9957027375331310199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,5524343708183632521,9957027375331310199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5524343708183632521,9957027375331310199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5524343708183632521,9957027375331310199,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5524343708183632521,9957027375331310199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5524343708183632521,9957027375331310199,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,5524343708183632521,9957027375331310199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,5524343708183632521,9957027375331310199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,5524343708183632521,9957027375331310199,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2616 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3236

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QUExNjIyQUItQzE0My00OTZELTlENEYtQTNDQzI5N0VFMTY5fSIgdXNlcmlkPSJ7NTc0Q0Q0NTktMjNBNy00OEU4LTlDREYtMzM4NjYyOTlCOUMxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MzVBQTRFMEMtRUExNC00QTAxLTk4ODktRTE3RURENkMxNzJFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczOTE4NDcxMiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjY2MDQzMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ3NzM4MDgzNzMiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4624

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AF44DDD0-C0CD-45FC-98F5-2E5D0FA01DB4}\MicrosoftEdge_X64_133.0.3065.59.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AF44DDD0-C0CD-45FC-98F5-2E5D0FA01DB4}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
- Drops file in Program Files directory
PID:2748
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AF44DDD0-C0CD-45FC-98F5-2E5D0FA01DB4}\EDGEMITMP_252F4.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AF44DDD0-C0CD-45FC-98F5-2E5D0FA01DB4}\EDGEMITMP_252F4.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AF44DDD0-C0CD-45FC-98F5-2E5D0FA01DB4}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4676
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AF44DDD0-C0CD-45FC-98F5-2E5D0FA01DB4}\EDGEMITMP_252F4.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AF44DDD0-C0CD-45FC-98F5-2E5D0FA01DB4}\EDGEMITMP_252F4.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AF44DDD0-C0CD-45FC-98F5-2E5D0FA01DB4}\EDGEMITMP_252F4.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6e4506a68,0x7ff6e4506a74,0x7ff6e4506a80
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AF44DDD0-C0CD-45FC-98F5-2E5D0FA01DB4}\EDGEMITMP_252F4.tmp\setup.exe

Filesize
6.8MB

MD5
1b3e9c59f9c7a134ec630ada1eb76a39

SHA1
a7e831d392e99f3d37847dcc561dd2e017065439

SHA256
ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

SHA512
c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
870d929fe21bd15af5fe11695b57375e

SHA1
ca12f7b13f321389cb93608af1090f4a04c87c4d

SHA256
084ac26acceb534c3a03b27a4b6cbeed0061daf120a1ee6034dcd8adf17a25c7

SHA512
216ba421f0b39302ac367bf129f4ac739c1c16573790e952a520ac44ba18fbbc8368f9b9e50f4bb7242af8311d6ef315df2f4bc76d03a40875b76c114d0eb25e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a9af0a550199765b9d07fc346a534cb6

SHA1
d7e9398086687142157ac1b3e90b394ae05650fd

SHA256
12a18b7c47836fafdc6f6eaf17b294adda3278c0ffad645fa9255e31f755e095

SHA512
2dc7686d871496dc4cd386780c918b51c4339018b701dbb17fca298fca8d7d68993e0e43988c2413484a4ac9956acfabf4279895f473889a4f7d681d57df0540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f2d3cfe453fef92cb3f6f155cd687a15

SHA1
09f024b06432e70fb3ec255ed505ef0369056fd1

SHA256
36d06d3ec323b21bf26cc2f7d030467f25db1c3c64249a8afa151ee91a7a05e1

SHA512
a5356d881c5beea4616fec8f2ef5a1233c4e08e6e81dc493b9f7bf5b542d82539dc73a4deb695f8d0c126ddfa7f5da1b1814b8f7359f809ee965483c600cdd39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6c2381939878de82f852f0e5846272a9

SHA1
e4842b6db0b2e581a54fdd3365a2ec351a30e852

SHA256
90a539a1d5af8772b320516fedb633b2cd257b485d3008f10c73647e1b31191d

SHA512
1da198cfd60ee05fed3c2559a5756ff32360c3af089da434f665a88b7b0b202ca9d09ecda681ef54776fbed55233c22ef1dc289b0dcffbbbb11586ee0c439687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
554b6a5a8ab1c4a60af76be2bdf96a90

SHA1
f3426d361e09cf22cbdcdfbed6853bf255b11548

SHA256
8c1328a984f64ddd2cf43d7acf08375b5680c73b027294a483ea2754cf06338b

SHA512
67aea7bb9210f9d510ae8b2d64ca7b4ba1b6d033fd4f51cc8debaec85d9ac92ed183e7ba4d861f9a7edbea507a760aa246695bac0ba3538677225d957016dca6

Download Submit