fad398fd1100f4afa63068f3d41a7c9be46102b9229c8e43ea6335ad59ac55fb

Analysis

max time kernel
146s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2025, 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

R.E.P.O/OnlineFix.url
Size

46B
MD5

59bf167dc52a52f6e45f418f8c73ffa1
SHA1

fa006950a6a971e89d4a1c23070d458a30463999
SHA256

3cb526cccccc54af4c006fff00d1f48f830d08cdd4a2f21213856065666ef38e
SHA512

00005820f0418d4a3b802de4a7055475c88d79c2ee3ebfa580b7ae66a12c6966e5b092a02dc0f40db0fd3b821ea28d4aec14d7d404ead4ea88dc54a1815ffe26

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
58	discord.com
59	discord.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4068_817212143\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4068_817212143\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4068_185910610\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4068_2036273669\crs.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4068_2036273669\kp_pinslist.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4068_2036273669\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4068_817212143\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4068_817212143\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4068_185910610\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4068_185910610\typosquatting_list.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4068_2036273669\ct_config.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4068_2036273669\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4068_817212143\manifest.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133865259039616439"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1062200478-553497403-3857448183-1000\{90B027DC-4530-44AD-9F97-F549A1C811DD}	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5856	msedge.exe
5856	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4068	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5320 wrote to memory of 4068	5320	rundll32.exe	85
PID 5320 wrote to memory of 4068	5320	rundll32.exe	85
PID 4068 wrote to memory of 4232	4068	msedge.exe	87
PID 4068 wrote to memory of 4232	4068	msedge.exe	87
PID 4068 wrote to memory of 4532	4068	msedge.exe	88
PID 4068 wrote to memory of 4532	4068	msedge.exe	88
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4488	4068	msedge.exe	89
PID 4068 wrote to memory of 4548	4068	msedge.exe	90
PID 4068 wrote to memory of 4548	4068	msedge.exe	90
PID 4068 wrote to memory of 4548	4068	msedge.exe	90
PID 4068 wrote to memory of 4548	4068	msedge.exe	90
PID 4068 wrote to memory of 4548	4068	msedge.exe	90
PID 4068 wrote to memory of 4548	4068	msedge.exe	90
PID 4068 wrote to memory of 4548	4068	msedge.exe	90

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\R.E.P.O\OnlineFix.url
1⤵
- Suspicious use of WriteProcessMemory
PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://online-fix.me/
  2⤵
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2a4,0x2ec,0x7ffb158ff208,0x7ffb158ff214,0x7ffb158ff220
    3⤵
    PID:4232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1976,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=2244 /prefetch:3
    3⤵
    PID:4532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2216,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:2
    3⤵
    PID:4488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1952,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=2712 /prefetch:8
    3⤵
    PID:4548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3520,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
    3⤵
    PID:4608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3524,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:1
    3⤵
    PID:4652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=1724,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=4944 /prefetch:1
    3⤵
    PID:5640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5256,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=5312 /prefetch:1
    3⤵
    PID:3276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5640,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=5904 /prefetch:1
    3⤵
    PID:4360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5516,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:8
    3⤵
    PID:1952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=6092,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=6104 /prefetch:1
    3⤵
    PID:5320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5800,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:8
    3⤵
    PID:3464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5828,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=5748 /prefetch:8
    3⤵
    PID:964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5680,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=4996 /prefetch:8
    3⤵
    PID:1520
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6564,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=6580 /prefetch:8
    3⤵
    PID:5560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6624,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=6636 /prefetch:8
    3⤵
    PID:760
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6564,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=6580 /prefetch:8
    3⤵
    PID:2240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6580,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=6924 /prefetch:1
    3⤵
    PID:4128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=708,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=7164 /prefetch:8
    3⤵
    PID:5528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7100,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=6792 /prefetch:8
    3⤵
    PID:4976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7044,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=6100 /prefetch:8
    3⤵
    PID:4788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5352,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=5856 /prefetch:8
    3⤵
    PID:760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6488,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=5660 /prefetch:8
    3⤵
    PID:2796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6520,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=7144 /prefetch:8
    3⤵
    PID:3612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2472,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=6740 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6348,i,4132212003621535788,13001839195526704809,262144 --variations-seed-version --mojo-platform-channel-handle=7152 /prefetch:8
    3⤵
    PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1492

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338 0x4b4
1⤵
PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping4068_185910610\manifest.fingerprint

Filesize
66B

MD5
04ff014493f0809f18628dc62c12df79

SHA1
beaa359e23b7ed4a62d6e332ff565a1c72e5cc85

SHA256
429e9dc8b412befa7725b92e82a19a1c5c77dbb1e50289257fe50f206b88544c

SHA512
800c650bceb7b9a373e376ea056ae954f8e3d569c4751f0a27c6885ef285da64d5874930148d8e08a0d4591d5edd63500834358fe89f141d357adb187bf1537a

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4068_185910610\manifest.json

Filesize
118B

MD5
56decbaf515f574521f86e481e880496

SHA1
cf86b7e930bccc9168458b7202ff89b50a41a8e3

SHA256
4aa32c5d74a694c56869211d6ff4a3d61334b9b61659dab631eb6c285416c608

SHA512
669804a28a9e1adde2e259c2a0442f2d8c054908fb1c382db27d6f08353f1d8e3ba495ac18ad4746aac4d19eeac67594f3b2b0789a607ceae70c445d07ba3196

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4068_2036273669\manifest.json

Filesize
102B

MD5
a64e2a4236e705215a3fd5cb2697a71f

SHA1
1c73e6aad8f44ade36df31a23eaaf8cd0cae826d

SHA256
014e9fc1219beefc428ec749633125c9bff7febc3be73a14a8f18a6691cd2846

SHA512
75b30c0c8cef490aaf923afbdb5385d4770de82e698f71f8f126a6af5ef16f3a90d0c27687f405274177b1a5250436efddd228a6d2949651f43bd926e8a1cc99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
690f9d619434781cadb75580a074a84d

SHA1
9c952a5597941ab800cae7262842ab6ac0b82ab1

SHA256
fc2e4954dbe6b72d5b09e1dc6360ea699437a2551355c2950da0b3d3a4779fc1

SHA512
d6b1da8e7febf926e8b6c316164efbbac22c7c3d9e4933a19fffba3d1667e1993cdeb5064aa53816c0c53f9d2c53e204772de987eb18adbb094a0fb84ae61fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\50f75391-b25d-4d89-ac79-d998fbb8e735.tmp

Filesize
16KB

MD5
374ff304a590b8eaeab94644a1249f15

SHA1
dc8be11020cba8051ed2142cd147f7922e1fdce2

SHA256
813f628cb2f698cb0d6036fddea980460e8d6535542095f5b8f607ea0e67274b

SHA512
4c45bc78ad601f058271b83bb34d0d85e0a944e09950e357e7ad64b5a13e2bfbf6b702a7bb22d3419f0258b8e73a297e99140c8105388e69bf8e73288bca8d8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
9e08b0693706cc5274893be08fc71210

SHA1
8d0424a1d0cbc8a9a7ce41017eb3408302893c2b

SHA256
3b9279d8d9741670e924cd1375978faf726eb333e91f327484e30f36d2adba55

SHA512
ab53fc671c98e30eae9b4654d9587ea180bbcca87223bd0df52e2add383712fd77b1cac59f19f26b6dfbcd01e8b8b4721f7fe349fe79f13beef52fb264b37c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
02856b2dc6bd9f57fbca3b0d4894a051

SHA1
f05665b7d20df24e043e3fa80348d3e8382266af

SHA256
882b87e5066ac9bbb37a36a995f347d16b1e283b6b292b8422378dd9382c3ee6

SHA512
42292884d9fa110d528e9cf809efde9fc754874e06668df56916bb7c9f301cda7c539c0a6c9b0eb0648fe4515b57524dd9895501a7b84f38433230315ab47480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57f51e.TMP

Filesize
3KB

MD5
c040ef2b6d13d401909b897a21aa8238

SHA1
9531e0e8422976ba99b75f40e793bbc7692197e0

SHA256
683e670f95ab1a13ceabd24bfdde3e2f29693b23628891f758781e50c4cf46d2

SHA512
e09ffb95eaf4ad9ced5eb5cb485c4263d731c6c2caf8725f0bdc9151734a1d64ab4ba1697b5d03ebe505224ef5a10a17fa29c49a84d116c008999cb1458971d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
74eb4ef520cb7b84a6d5c853f2c240e4

SHA1
9682f80727c3fb6a32a17cc51723d065d6074680

SHA256
42b383b36818dd152ea54636f9f2929bc16e3e34723cb04a0cff5f3716ae146a

SHA512
32613da7eb351cc8091d27f25cd44d5d19888255390c82751838c3fbdbb7981c0c5aaaac9688529eabe4c5ae54d43900cd33f1d33a802c1babb7dda226398d11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
742aeb1cc5f4b1dff50264c9d1228d39

SHA1
a7610ce62e3bfc7251fc9c04f8f449b2d72fda85

SHA256
ee6fea6e3a3bb97e4381a839c9d3b36fc9d5301266ea8992b5704927dc87d2ab

SHA512
d92fb04bb659b6fead4c1117a438694267765aec6496a43a8303cf8dff0da8260255b22190b49b5ec6429b6ab2c58bb02e3a38e13ddd321002f80e9f702acf7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
8e37edb27863a777d84d5edc461dd398

SHA1
8afa3b62a6a2778bd1463ba9506beb22850916a2

SHA256
a90a409d142d92d0e088b8c1dd5001f3e1098ef71b16580335233604b6139435

SHA512
fc3c0bf4d7cac19d1bf0fea3773a7bf05ca4d1fd05ef0841ed76a965b46b8d4ae7595a65bad76b86a4a420a6126903674862faf80507b40acbe87b16b4190cf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
0b57ba2ef7ec06b26632c3f16a6c2238

SHA1
1102bed2002af22edb2c5cf28f63ad7a0f96368e

SHA256
77ab20c80d3d758c4a96119610fdfaf776f050006f79c5e110a3325beb32bca6

SHA512
2132d585f390640b1d6a00cebcd9edcf65afb8292e80001bd721bbd0ed003761d489d1821cdce8ff5c1de2ec371e0707feaaa3b49b9d8ec47de932f3fd9a2f63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
93336036e42fe570a5c89e95aa4c9423

SHA1
75457bd119102200363e1dcefaaf5a589c4c2a51

SHA256
240fa3600b8ef7602af774b07dbffe86045a9255a239742554b13a131be091c3

SHA512
278f8fe00976ca337dccf849e77b6dcd4ee7e5373ebd09cfdaacd3bdc6fa8850f00d1556f5ef74d777efb2a1f4c70f9ae2dbfc1adec4cae7d6ab4ee7d3c0906b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
462B

MD5
ef30a639bb33717d7aa15b81f03bd21a

SHA1
10ece47a38d76e56dcc8a6ae69e906f65ee68445

SHA256
ba700e8e172bc92f9027712bd558bc2be56570b613d92214a38581794f6ef915

SHA512
f29fbe6988f06b7629347a3815a1c2efd048a4c32d76319d0641d1bda6aeca01027b9d187ba77d3179829ac78794a4d4ac06274388ab6d33cba9dc799a87f3dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
8c2ab398be93beaaaee53413b9d159d7

SHA1
f65e9d0982005c1d31c4ecb3053dd49524166956

SHA256
c92e8a8c6bbb871d5bc391d6ba9b6cd9e9012fc5f4ee42a23626b850bb4b17c2

SHA512
c0c2fb961fd0f034d93da3e23e4bab08456054d6957506b683525741ccac693b7d2b7078b8f57ac89f32a9da967cb897e4b24acabe79153d84d535aabebc8be8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
b68039139befb85a9b198ccd3c00dbdd

SHA1
8c255e4b89e6875d5bb3a0ee22f766c55172806c

SHA256
1ce3d7af9bab17c26d9018d92f85a2634b984a7a62d259d05c3c8c139ebf3d27

SHA512
74029fc839ad335da59ce3916ded321ed8f5f24b46dff5fc93d99f3765660dd273068f07ae031b7643542115b8beb9af5dabdfbc5292d8a7c521d4ea544f3462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
d81583799a18540616dcd585c29ab187

SHA1
52eb17e9398b581aba6c33f3326ba9b11b6982b6

SHA256
c31382e53061829e59e349be188395205b6c98b8594d75fa9da900d255e8d446

SHA512
935ad0ed53aac3633ae595bf38922f810ed929ba88762ea190368836aee7a8b4dacdf2c4c54ad5ddd9bff0c85fa755bdcbddecd95c59148f12317ede1c2edde8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\crs.pb

Filesize
289KB

MD5
2b59269e7efdd95ba14eeb780dfb98c2

SHA1
b3f84cbc37a79eeecb8f1f39b615577d78600096

SHA256
ff2ced650772249abb57f6f19c5d0322d6df22c85c7cf2be193b6134e1b95172

SHA512
e4b454db2248021e0d198805ea54f1c0cfd84b9716a9348b1d0e0acb7c6fb5dd0839e532a5eb6d4410ab759d6688dd6cce8375ad55a150d738d280993142e9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\ct_config.pb

Filesize
8KB

MD5
811b65320a82ebd6686fabf4bb1cb81a

SHA1
c660d448114043babec5d1c9c2584df6fab7f69b

SHA256
52687dd0c06f86a2298a4442ab8afa9b608271ec01a67217d7b58dab7e507bdf

SHA512
33350cce447508269b7714d9e551560553e020d6acf37a6a6021dc497d4008ce9e532dd615ad68872d75da22ac2039ef0b4fa70c23ec4b58043c468d5d75fd81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\kp_pinslist.pb

Filesize
11KB

MD5
0779206f78d8b0d540445a10cb51670c

SHA1
67f0f916be73bf5cffd3f4c4aa8d122c7d73ad54

SHA256
bf0945921058b9e67db61e6a559531af2f9b78d5fbedb0b411384225bdd366ec

SHA512
4140b2debe9c0b04e1e59be1387dca0e8e2f3cbc1f67830cbc723864acc2276cde9529295dcb4138fa0e2e116416658753fe46901dfa572bdfe6c7fb67bd8478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.15.1\typosquatting_list.pb

Filesize
631KB

MD5
ad013f0723d332e26a9101a81483661e

SHA1
a3db6536228681288dbf39d4a94d2d8f11e77d3f

SHA256
96fb259d4c8d3ed7d7c657b6aecc8ccd2b0730b11244a83499c0d8dab91087d5

SHA512
b2c700ac36657d288cbe0bdbbe7856299d6af24e00fce8f9d78434ac2f10fc82f9399b03cd5995817721a0d252976f99424062e5b79d0281d8163aa5af330f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
462885c0376e1cbf28ae0ed2697e738c

SHA1
ab152fcdfea7abea2e80b50c9be9f0d2551d139a

SHA256
7ff11fd9aaa942dfdce5edaac4403d3c517274f9f629ec0031e90d01878bcb61

SHA512
35dad8a026afcb3d04029be7b386523f35864ba8fb4aa7db97f340a2994923743dd80eebab43299c0703e459e2f6fcc868547343125e6cd3999b782500792ecd

Download Submit