6ab157f8e87b91bfc479878eec2a4fc345f6c9c5ada4b5711c2f96289dc14b8f

Analysis

max time kernel
150s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2025, 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

R.E.P.O/OnlineFix.url
Size

46B
MD5

59bf167dc52a52f6e45f418f8c73ffa1
SHA1

fa006950a6a971e89d4a1c23070d458a30463999
SHA256

3cb526cccccc54af4c006fff00d1f48f830d08cdd4a2f21213856065666ef38e
SHA512

00005820f0418d4a3b802de4a7055475c88d79c2ee3ebfa580b7ae66a12c6966e5b092a02dc0f40db0fd3b821ea28d4aec14d7d404ead4ea88dc54a1815ffe26

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
61	discord.com
62	discord.com
63	discord.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5456_1826402268\kp_pinslist.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5456_1826402268\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5456_1624924626\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5456_223901839\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5456_1826402268\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5456_1624924626\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5456_1339156570\data.txt	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5456_1826402268\crs.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5456_1624924626\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5456_1624924626\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5456_1624924626\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5456_1339156570\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5456_1339156570\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5456_223901839\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5456_223901839\typosquatting_list.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5456_1826402268\ct_config.pb	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133865502732603050"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1062200478-553497403-3857448183-1000\{503AD799-7286-426F-B295-718F51EDCB89}	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4296	msedge.exe
4296	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe
5456	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5456	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5612 wrote to memory of 728	5612	rundll32.exe	84
PID 5612 wrote to memory of 728	5612	rundll32.exe	84
PID 728 wrote to memory of 5456	728	msedge.exe	86
PID 728 wrote to memory of 5456	728	msedge.exe	86
PID 5456 wrote to memory of 5728	5456	msedge.exe	87
PID 5456 wrote to memory of 5728	5456	msedge.exe	87
PID 5456 wrote to memory of 4760	5456	msedge.exe	88
PID 5456 wrote to memory of 4760	5456	msedge.exe	88
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4784	5456	msedge.exe	89
PID 5456 wrote to memory of 4680	5456	msedge.exe	90
PID 5456 wrote to memory of 4680	5456	msedge.exe	90
PID 5456 wrote to memory of 4680	5456	msedge.exe	90
PID 5456 wrote to memory of 4680	5456	msedge.exe	90
PID 5456 wrote to memory of 4680	5456	msedge.exe	90

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\R.E.P.O\OnlineFix.url
1⤵
- Suspicious use of WriteProcessMemory
PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://online-fix.me/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://online-fix.me/
    3⤵
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7ffe67f3f208,0x7ffe67f3f214,0x7ffe67f3f220
      4⤵
      PID:5728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1752,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:3
      4⤵
      PID:4760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2216,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:2
      4⤵
      PID:4784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2592,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=2720 /prefetch:8
      4⤵
      PID:4680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3512,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
      4⤵
      PID:4868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3524,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
      4⤵
      PID:5000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4928,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=4948 /prefetch:1
      4⤵
      PID:3456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5304,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=5348 /prefetch:1
      4⤵
      PID:6056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5472,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:1
      4⤵
      PID:3868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4804,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=5956 /prefetch:8
      4⤵
      PID:5652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5884,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=5720 /prefetch:1
      4⤵
      PID:4712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5064,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=5056 /prefetch:8
      4⤵
      PID:212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=5760,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=5356 /prefetch:1
      4⤵
      PID:2276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4796,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=6124 /prefetch:8
      4⤵
      PID:3572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5980,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=6148 /prefetch:8
      4⤵
      PID:628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6856,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=6908 /prefetch:8
      4⤵
      PID:1908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6856,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=6908 /prefetch:8
      4⤵
      PID:980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7024,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=7036 /prefetch:8
      4⤵
      PID:4080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=560,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=7316 /prefetch:8
      4⤵
      PID:680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7292,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=7360 /prefetch:8
      4⤵
      PID:5640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7300,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=7404 /prefetch:8
      4⤵
      PID:5332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=6184,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=6308 /prefetch:1
      4⤵
      PID:4284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6396,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=6404 /prefetch:8
      4⤵
      PID:4128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5556,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=6816 /prefetch:8
      4⤵
      PID:1568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6912,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=6968 /prefetch:8
      4⤵
      PID:6020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7216,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=5476 /prefetch:8
      4⤵
      PID:1036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2084,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=6876 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=1988,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=6028 /prefetch:1
      4⤵
      PID:4044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6468,i,6078434374786054814,12897454727948655654,262144 --variations-seed-version --mojo-platform-channel-handle=6460 /prefetch:8
      4⤵
      PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5636

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x4a0
1⤵
PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping5456_1339156570\data.txt

Filesize
112KB

MD5
fd8717bad7cd0f60163e7c2b05210aaa

SHA1
1dd620b2a4b49d16a63d3b73495bbb0388cbdbc9

SHA256
d5facea6ed705ea08962d52a30ebf38f6d42aea50a7af21b103d0388b7dae34a

SHA512
7b3d3867977b04efce86c5cce45ae0125d25344fa85347a83977faaa9ecd205774a976be63d6af48b953b4ca355405aa090d6db482073f77d71607c948acb5ad

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5456_1339156570\manifest.json

Filesize
52B

MD5
8c32b9f390fcc4f061885661dbe797bd

SHA1
c681595df03f9f74ec600e70069c879daf2ca923

SHA256
1431c36e66b4fc53ca74e9b10ea0213245631ad7543fef183a8dd2720a5b4ab4

SHA512
e8bbde18d5de7fe2a8162951d3fe75460efbee71afffb4c0c22f2088dee146fb6bfcccae18d4955608e60a7df716eeb47c0687f45344b45130b368eeaf316418

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5456_1826402268\manifest.json

Filesize
102B

MD5
a64e2a4236e705215a3fd5cb2697a71f

SHA1
1c73e6aad8f44ade36df31a23eaaf8cd0cae826d

SHA256
014e9fc1219beefc428ec749633125c9bff7febc3be73a14a8f18a6691cd2846

SHA512
75b30c0c8cef490aaf923afbdb5385d4770de82e698f71f8f126a6af5ef16f3a90d0c27687f405274177b1a5250436efddd228a6d2949651f43bd926e8a1cc99

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5456_223901839\manifest.json

Filesize
118B

MD5
56decbaf515f574521f86e481e880496

SHA1
cf86b7e930bccc9168458b7202ff89b50a41a8e3

SHA256
4aa32c5d74a694c56869211d6ff4a3d61334b9b61659dab631eb6c285416c608

SHA512
669804a28a9e1adde2e259c2a0442f2d8c054908fb1c382db27d6f08353f1d8e3ba495ac18ad4746aac4d19eeac67594f3b2b0789a607ceae70c445d07ba3196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
690f9d619434781cadb75580a074a84d

SHA1
9c952a5597941ab800cae7262842ab6ac0b82ab1

SHA256
fc2e4954dbe6b72d5b09e1dc6360ea699437a2551355c2950da0b3d3a4779fc1

SHA512
d6b1da8e7febf926e8b6c316164efbbac22c7c3d9e4933a19fffba3d1667e1993cdeb5064aa53816c0c53f9d2c53e204772de987eb18adbb094a0fb84ae61fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000eb

Filesize
255KB

MD5
e80cdded42978faae0ba033638a524ef

SHA1
4bc7ca1769ae8f7d4ae1abbe58776aefb4d0beb1

SHA256
f53ea4b855088dce71229d9760b4c6afef96a764daf95b5e3852cfdcc38e69cb

SHA512
b02648b654c1223ebecba8fbb8509b8e608760f6f8063acc3bc39511e9bf58d20a47d3f81cb627e9cd0d3a86a6ac554a51aff1648723cf20e61775e79982a999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
0d3f2e227f7905b7891c32fda54de9f1

SHA1
eebc5c4863c32d416e64241e80dee4e6ebe32e72

SHA256
aa23e567e1dadc65c6c0bc747c88b969dee32c69d914db53a66a671110fb509b

SHA512
beb4c5e093ca1f27c5dd894f9f146ea3b2f4569eb449031bba0aa9918c3e44c8bdb15f100bbbce752da9ca51aa5650eeee15394b85a8309350f433242a0fc996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
032070a31ffc438f0a282e28159a35a4

SHA1
b3a98d172eed5c85456d8d3dda2b1ad15b4980e7

SHA256
ab170a50f45056e5c01057a46f7fdab4f40368f93d1208477cecbc9446b38c14

SHA512
360bcecb0b1ab31755b00d58230366205be95cffb7d5683eab9a3b61172a9501cf9f84334f0218d2237931ca8e84a7f3cfea8530f23a1d04bd1fbc05d9a29fe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe589a95.TMP

Filesize
3KB

MD5
bcca4a15634981106d7706ecf77b327c

SHA1
f088d04d5fa141ee5d31d032e192d598cfed2855

SHA256
80eda26f09c12cecf0c2eaa32c3843320e650eda1a449e8ff6acf6444eca79d5

SHA512
a01ad2546c3761f42e95fdc320c6bb8d42a1109c43e3ffc09748125378716097281dc670ea13497b3712cd35dca5775949d63825f6717a8377115426ecd8e2bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
21df78af55cf07ad57917d025ff1bae2

SHA1
44a1d4010c03ca369dc14cb8bdf8ba04c46ccf60

SHA256
454e5fd38749eb8c47c5bc3a079b8fe97f33d55388bd88aaeb7368ae02e64ce2

SHA512
08df3646286ff910bbb0fc335b8a16a63fc0f030bc7ce302672cd61daeac0b3b3e19534cd79cb3ebce1e25c318ed90804878808ab7445d754d238c70ef165411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
07ad9e29ebd56565be94972769780d18

SHA1
52939c4b3693a3ce2b061025aceae41ca18d6971

SHA256
8ea417c824b4d9ef659d21cb84ee9449ac67e7eba2633ed7224044e9994fe9aa

SHA512
3b7e94092b36755ea78f5e8e1c2d8452883ff07568fd1d5ef7fa95879d2bec7fbfbb9d286ead8388bf7434fbcad6253c0481aa43053684f8e6001d65cc916005

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
efc5d8c0e4fc16480560465729aaa8e1

SHA1
e2e66df5e6b52625c6324625ed35b34e4a80de85

SHA256
e915ff6f0df3e04be84037dde6ca223c9a12d5f4c7b6b03b69cb5690a0bb627a

SHA512
7ea4842ee0299b365883e0f8b58f2bd7908f4d2b0579d41547e80391188b628162993ea3f3fc40e49e23d0d8482de83ad9074c294eaf437ec1898a437a5225bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
b4d107ca4f93588b3cedb393368f5cb2

SHA1
097dac7ce30fa4c8d83e7fd8ee91cf3eeaa446b8

SHA256
3d47575a380973bde301a666be5c41fe8591ea1c9dea53ca7b37eb1adfcc71af

SHA512
7001c56a405483b1b4f79f6b6aad5e5f2027cf5bbd906f296adbc862388dfc7a7eea73cabd42c5fcad73b4bfab237ad9f17656bab9c5f35952d49330c508edb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
d8094e8e905b8bfef9df3ac421b69a3b

SHA1
a58de44b9acca096f5209acc46583b1eea10cfba

SHA256
cff32a3e913cf6659b7cd37ebe98797ce020e4f02b2331f384b6d2b08f485fcc

SHA512
1860ac97e2ab0c1b1bbb97e9698bda9de80ea0ada08e26198b93950e9384c1b143128763abd109e34cf9d0028f5bceab4ca9bc4c2ced0f42be092bea41754795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
588a8598c5dae6e3210290189d511b5b

SHA1
250d225baa4ab1fb2c2468bad2dd5793fb2a4a1b

SHA256
b0b99ead86f72a499ee26d2a3ae51e0635deedd366d4f92e3e00a6a0309f7aee

SHA512
59923c26465e5c82c0fefd31a8bf97ed2aaab6a5398c9a1bbae285e8af28eb7feaf86a7c81a99552178f72695523798176a2983e7de865acb2f1997149b7cab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
462B

MD5
8936b7c74d89d73f85786829bf6d8be9

SHA1
c8deb955d0feb4ff17a025bc35255322f8ab6ce7

SHA256
06363e5dbc3b3dfc0cd92d01efcb9de39fc0403a319f84843c63ee14c51955d3

SHA512
bf2c089c13d0785b625d8c54021ff0a46a7f76696472344cf7789bf99dae59932fa64d6cb828a97279d937af1555b967fb7b299a1ff9210508b36b5ddf805f82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
4a8e5499c267f980010e4ab988e87ed5

SHA1
7172005d8696c7494a63376e5cba6491ca2c0566

SHA256
ba37d842a72d5a55babda6450e39be61d6d3f4f7c0acbca4add469a7e4b9000b

SHA512
5f0d0f0e130ff7edf4a458e2e1dbd7dfd9286b9d73d76ea9521ade60bdc1d55891827cac5547c3ad176b4c92b036fa9f0ea8869f66bf89ea2fab8d458d69dacc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
7c1ad820094057fdbc026b495fe0dc34

SHA1
ef566283372e589bd1f66ba3c74968fda0078cc8

SHA256
7472a479e919337e2cd70353e874c0f499da20635064a2b09c4412514db77ceb

SHA512
8a993d8491364c48948fa8e6e85afb31b2b1f72affa4f430bb53182806b5380cad90416d4f0f6a7706ff55950437804af83e98eeaf85313060ee28c4a8f16cd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
3df5d1b44c74b6fb1251f59569ffc6ee

SHA1
196a8a064555539ff3d621360ef9fdfdc8879dab

SHA256
f9ce61429fd4c3075c1a3524e61aac36fd164c4d27ed4cb332bc06bc1a4f183d

SHA512
637ad84cdea065132e3e35fa86dd4ad51bd95657bc5f6128f1dc568f2c84ce7fe618228db22ad9270fd26616a4371d3f56fa6ab63c133ea826bb76bc0849aca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\crs.pb

Filesize
289KB

MD5
2b59269e7efdd95ba14eeb780dfb98c2

SHA1
b3f84cbc37a79eeecb8f1f39b615577d78600096

SHA256
ff2ced650772249abb57f6f19c5d0322d6df22c85c7cf2be193b6134e1b95172

SHA512
e4b454db2248021e0d198805ea54f1c0cfd84b9716a9348b1d0e0acb7c6fb5dd0839e532a5eb6d4410ab759d6688dd6cce8375ad55a150d738d280993142e9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\ct_config.pb

Filesize
8KB

MD5
811b65320a82ebd6686fabf4bb1cb81a

SHA1
c660d448114043babec5d1c9c2584df6fab7f69b

SHA256
52687dd0c06f86a2298a4442ab8afa9b608271ec01a67217d7b58dab7e507bdf

SHA512
33350cce447508269b7714d9e551560553e020d6acf37a6a6021dc497d4008ce9e532dd615ad68872d75da22ac2039ef0b4fa70c23ec4b58043c468d5d75fd81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\kp_pinslist.pb

Filesize
11KB

MD5
0779206f78d8b0d540445a10cb51670c

SHA1
67f0f916be73bf5cffd3f4c4aa8d122c7d73ad54

SHA256
bf0945921058b9e67db61e6a559531af2f9b78d5fbedb0b411384225bdd366ec

SHA512
4140b2debe9c0b04e1e59be1387dca0e8e2f3cbc1f67830cbc723864acc2276cde9529295dcb4138fa0e2e116416658753fe46901dfa572bdfe6c7fb67bd8478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.15.1\typosquatting_list.pb

Filesize
631KB

MD5
ad013f0723d332e26a9101a81483661e

SHA1
a3db6536228681288dbf39d4a94d2d8f11e77d3f

SHA256
96fb259d4c8d3ed7d7c657b6aecc8ccd2b0730b11244a83499c0d8dab91087d5

SHA512
b2c700ac36657d288cbe0bdbbe7856299d6af24e00fce8f9d78434ac2f10fc82f9399b03cd5995817721a0d252976f99424062e5b79d0281d8163aa5af330f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
618a481573a7bbbe4312b4f4461ff99e

SHA1
d99816f823fc56f1d1cc159fdaf7945a5ab08882

SHA256
5dcaad07cc120c41edd10bb9d6d152934970a47239c748ab710d8973d0e40542

SHA512
4dc9d94af8395f71500e0396c36953aa17ba82dcc917cd9d1bdb3ddd4b0120cb1281dbaed3bcaecba4f0848fdf63670d0eaaa394eadf2d6b993ddcfd224698f6

Download Submit