000996e02592d6f5216a77464baff2591739b5cb35a8ad930a5424c9099c7e11

Analysis

max time kernel
148s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3.exe
Size

32KB
MD5

24ac76c507c08cf66d5cd099a4f7a4d8
SHA1

55a327b3070cacb24f40ce9345da31ac7f130517
SHA256

0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3
SHA512

61b897e211b50c1e7d225abd53af1f438052bdd5dead0549193a516f53025a1026ba1bb90b2d2f965a9a69b0efe848616cb9258c01a4ba536ba4f8c49f3efc81
SSDEEP

384:DTOnlqWJCo8BKsVv6GlWdWthCwClnc9ni2WOvYGcFHr+85/RfDH4e5mpaQEh5eEj:WnCBBKs0GcUUlcVBWOvYvbL/0Ebllcw

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5824_1122766597\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5824_274181965\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5824_1628179549\typosquatting_list.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5824_1122766597\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5824_1122766597\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5824_274181965\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5824_248080588\data.txt	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5824_1122766597\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5824_274181965\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5824_248080588\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5824_248080588\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5824_1628179549\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5824_274181965\keys.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5824_274181965\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5824_1628179549\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5824_1122766597\LICENSE	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133870973783756806"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1062200478-553497403-3857448183-1000\{ECB55918-C24A-491A-BFAF-E7F0F6E5F538}	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2736	msedge.exe
2736	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5824	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 5824	4296	0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3.exe	90
PID 4296 wrote to memory of 5824	4296	0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3.exe	90
PID 5824 wrote to memory of 5508	5824	msedge.exe	91
PID 5824 wrote to memory of 5508	5824	msedge.exe	91
PID 5824 wrote to memory of 4828	5824	msedge.exe	92
PID 5824 wrote to memory of 4828	5824	msedge.exe	92
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4888	5824	msedge.exe	93
PID 5824 wrote to memory of 4596	5824	msedge.exe	94
PID 5824 wrote to memory of 4596	5824	msedge.exe	94
PID 5824 wrote to memory of 4596	5824	msedge.exe	94
PID 5824 wrote to memory of 4596	5824	msedge.exe	94
PID 5824 wrote to memory of 4596	5824	msedge.exe	94
PID 5824 wrote to memory of 4596	5824	msedge.exe	94
PID 5824 wrote to memory of 4596	5824	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3.exe
"C:\Users\Admin\AppData\Local\Temp\0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2d8,0x7ff81543f208,0x7ff81543f214,0x7ff81543f220
    3⤵
    PID:5508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1880,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=2284 /prefetch:3
    3⤵
    PID:4828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2256,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:2
    3⤵
    PID:4888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2608,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=2740 /prefetch:8
    3⤵
    PID:4596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3500,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
    3⤵
    PID:3944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3532,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:1
    3⤵
    PID:3048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4348,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=5004 /prefetch:8
    3⤵
    PID:3796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3484,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=5036 /prefetch:8
    3⤵
    PID:3724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5364,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:1
    3⤵
    PID:4044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5560,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:8
    3⤵
    PID:5904
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5932,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=5620 /prefetch:8
    3⤵
    PID:4184
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5932,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=5620 /prefetch:8
    3⤵
    PID:3228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5992,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=5976 /prefetch:1
    3⤵
    PID:2168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6244,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=6224 /prefetch:1
    3⤵
    PID:5360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5456,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:8
    3⤵
    PID:388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6424,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=6448 /prefetch:8
    3⤵
    PID:920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5496,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=5500 /prefetch:8
    3⤵
    PID:3060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3656,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=5252 /prefetch:8
    3⤵
    PID:736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5104,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=5192 /prefetch:8
    3⤵
    PID:1700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5568,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=5128 /prefetch:8
    3⤵
    PID:3208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=828,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=3412 /prefetch:8
    3⤵
    PID:1496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5144,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=6616 /prefetch:8
    3⤵
    PID:5632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5372,i,15097374384528725973,7325597808442944009,262144 --variations-seed-version --mojo-platform-channel-handle=3412 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  PID:2324

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping5824_1122766597\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5824_1122766597\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5824_1628179549\manifest.json

Filesize
118B

MD5
6e8ea78b63bbcf8e6076d56a4b13a200

SHA1
4ed655b43d639a095f5dc5aa6b4aa2bc0e97f031

SHA256
c6906891b0fc56f40719778327f64e28165fd3f86fa9c199ec2a33bcd647ccf1

SHA512
c015babbeb7f94358e4f48bb2e2157e27f7d6266463cdfc826ffe86f6271fd1198bad91dfd5ce1dde2e0412358136138982c38e2c3161616804963da34ca817d

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5824_248080588\manifest.json

Filesize
53B

MD5
22b68a088a69906d96dc6d47246880d2

SHA1
06491f3fd9c4903ac64980f8d655b79082545f82

SHA256
94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88

SHA512
8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5824_274181965\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
690f9d619434781cadb75580a074a84d

SHA1
9c952a5597941ab800cae7262842ab6ac0b82ab1

SHA256
fc2e4954dbe6b72d5b09e1dc6360ea699437a2551355c2950da0b3d3a4779fc1

SHA512
d6b1da8e7febf926e8b6c316164efbbac22c7c3d9e4933a19fffba3d1667e1993cdeb5064aa53816c0c53f9d2c53e204772de987eb18adbb094a0fb84ae61fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b5d144fcd5ec2bace8d63cf1b0cc9422

SHA1
45b576ec3a1c6c8143fe262f2d5f3339119c2ce0

SHA256
6f45f6952cfe8604d401f13c79cb9cbb6e9d0f78667a261cb456b59c7d064f12

SHA512
945d197a6cd2fcb09d42a5cb363fcc212b32d345cb8cea2d2ae72c7781980028a1d40310557b706fad7934af12170c80ebf90e768fccc9c4fdee7eced000cd03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe584ca4.TMP

Filesize
3KB

MD5
4c3e13b87e73d9b894bc9436b31182a3

SHA1
3cbc4d48751ff22c089edc2e610171fd10216e8f

SHA256
6efc0402e8c3edabc3b15b027490ce73daf4ad2abde41508716f378b876e0b28

SHA512
5e82f58dd4556270a3f9049223c47ee7f8e72c8b01a17e37407e69f20b9e0d57af60e89b27c966d6d2bf5ea71c7965ad4b35ed61d22191392d572aff746335d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1ca96d2a4c6af898b0b452beafad4772

SHA1
e33ed619fa190719ee4784748394a72033a00f20

SHA256
7bb718fdf1f4a99ff721bb7dc4d61a436381054d85afe64af0f30b316768d26f

SHA512
c5502ba082b7ea40d0047f902003ae05da53bc6a2425003a10c60329376602812136e40efb945781e20a3a2aacca733ce9784c22c2d22956fb5aaa86f1c4053d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a22861ce39b8c04f52d6906d9a47ec96

SHA1
a91d81e1a33c4ba22e81695e1edce49f732d4fc2

SHA256
bf921344fbe4b73481df6c34cfd7dab54ba041d1396825b8722aa2518a45ef37

SHA512
8da5cdbd995a9948f90d23afc932af03e6a58705dd8a4b423dcdf4b7d18c034dec99c67434307d6f15926cc1943cb4538a8492412b386d9145850035744eec3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
4706a9718092eb81c6dd53e6da638643

SHA1
13424b7d0c5cd727fd91b4d7394716a4b99cbe60

SHA256
420fae5e9c9d870b2498b5be5d6ad2015ec3dcdf1bf3e6cf5e6a0783938b6a18

SHA512
ff77c50ab779ceafb7044575cd54ab4bafe2cd9fae7af7b18d34e5f28c67c5017e8173e87ebf632138da11682d4dc7c817b3dc1618486ac4f5a64ed09dc4eae4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
5d10bb8c06c500975a65f4c2b561179c

SHA1
b4181e2c66e91a919402c3d7d3ee0bce6f823e5b

SHA256
6585da6f6cb5a3e2f66d82be6115ed9f9761948f1e30da0655ef932baf99144e

SHA512
10c1ce7c05b553263a4b158402f04127be067bee626b735bf5d66ff1f07653837c0888bdb06c96774db0a3f3cba2f8b29782b8200314b5d7f9b148c044211013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
170f3c6015c19512b2604a32f7018137

SHA1
5497da8a227566f63f33377cab0c174112ddf60b

SHA256
ab98bdb3f7ea2de955523a6932b71a78f8c16932e570cf26770d831003b0ddbf

SHA512
90e522ff03f28ca3a51d78ef67b36315aea16fe6ce9ec243ab0f6dc5ce4af5f99955ee80cbdda7386b6c6e71dc9b024d5da471ebeb5bf64ee01a27a5e2fb1e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
9da490d9ed8b92024c3159689bf2b8df

SHA1
fc2bf72d3bf5a8243d587744026790b97d77b77f

SHA256
9e936ccd9d4ac8948392a97fc479d9b92205a1b2a0d65533cc0386ae6f4bc66e

SHA512
9565c857ae1fcd8ae6f774abcacb511d2132521184f19749544a87d1aab09d16100c531c1820a42f6d97fdebfc462a6a0a7d4d02341e8f9d033b7adf431e4a2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
23KB

MD5
7273d74f1a015964d39c91c78d49c0d7

SHA1
2c16c01d87dbd36f0eef2ab45f578e535740e242

SHA256
dcf587fbe58f7bd8722eb057c13f8bfaa4f7a3ce73ad8641bd5bdd5c508edbe3

SHA512
ad8fd4f4314b9c2f8f057110736aae0127f1cbbc06f6bef392bfc3d538df30eb59b3da3a21f32b7c649070f7fe88811cadec7bea6423fc358f6bd92f4268e658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.10\data.txt

Filesize
113KB

MD5
60beb7140ed66301648ef420cbaad02d

SHA1
7fac669b6758bb7b8e96e92a53569cf4360ab1aa

SHA256
95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985

SHA512
6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
900B

MD5
32d47eaa847170130f3f05e14de1ec7d

SHA1
b9e1b852acd3b7a4c32859b059667306d3cd3cfd

SHA256
55f03933d56c514c152fafd98707f641449f390d042f98847984a7e16015ebee

SHA512
64db114235f2c367d85404e46bb79640f0bb576f71f8404cee9eb22ba405c69086604c992ce97d1cf79615529e36c0d1c628df6c17be62706f2cc9c1eb0fd133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
467B

MD5
520d8a4b6b7c6909c2d39858deae3f39

SHA1
e30a376e54cfe6018bd49347ace7b267f29fde0b

SHA256
d2d8924f821182ec7fb2dd7154e1f4ba4830a4f58b7bc8fce4f6ba4d7654a171

SHA512
19e49d87ad4d38cfbd44d12409e71a616ca793f49dda3dc43b120b28d0a9ae0ca49428421da66cfea282ed7aae38b6dafd96ce0a31047c2e0c942a45a28d6310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
22KB

MD5
fca08e74fd037e11110ec3917e13e960

SHA1
79246568aafaea1b8409d96333fe675e0df1f82f

SHA256
79d087febe83dbe1f12b1bfd3791171534a03e3b4980fc63b6aa4cf54e9b81ba

SHA512
4ce0261c1e0e0aa1a817251d36304aaec857223b1feb440212fce34a9154ec55a32f5b5368a257c7ee1a78a14b4bb2f813f3efaa64d641e170a05cc6b8f5462b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
e7f7a7ac466b17ef663cb854f394c40b

SHA1
c585e43d963e1d16dd58910c494686b46c446113

SHA256
543d53d772a9a8850cef3e7932e6392c1bebbd8ee937a3b4287afaf791c91a6f

SHA512
d94ec3befc69056fb5093934bd38017aed460689b74198fb9bbfe09b55c5251471e820805cd47fcd856b15813acefb7f8b22853202b13cb819d665ee9af86c08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
37a157e157483bcefbf3037bdefda830

SHA1
04dab2beab8c7977794884fc53aa781c0267b61c

SHA256
2b5f9786520c31ea2d31624f6df0bda40988e30ceea538f45b19f5d18473722a

SHA512
8e309aa630579bef7105ef093a6fe9c3a29ff9b5a8013d52531c27d67bae8be234d5810f55e88fa0f98ef0238fd0cfeb21dae4d85853a71d6bc299102f1b3fe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
9077a962f76ac88d2743b3d4d6c82f86

SHA1
74017fb983c7cab3e78e5a5fd55297aebdd791be

SHA256
ac15012b01b104a1bb977a75432ca73ebc1e9f8eba70668b7b8d5b150ea95a87

SHA512
aef0d583f892bcde6507acf8e01237345c23994721a86e06c49e3a69f7bc5251ab6e6248605155e2c3773dae71037b02022f393d00d15cd4e5c27f0117005536

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.21.1\typosquatting_list.pb

Filesize
638KB

MD5
a1fbb0296814e30fa4e6710376dc2cd0

SHA1
1720d466dccd6b64bb839580c6c36c08f74b9c2e

SHA256
7c4c71093987705407cdc53acf99584947eeffc828e933a47bfc6b335d646f12

SHA512
d514eadd3711fa5c1e51d3128b5c89de7a0f966d767b689bcf6cb1e4b9ce278d5f3d49cb9f0867d4c022c604bd04fe113be67449123974565d35ff47d1f7dc11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
3e24fe4b4e647e998b381dd9c8000e15

SHA1
c327a6e0f2ce0fc751a4bbf2bfdfaf912594f1a9

SHA256
2281bb0ee609fad0b446bff6bb2f989a05c50d2d5d722c8618f23976a62631ac

SHA512
0fe21008d22cb6a8e6549867b1a7e45e57efb72f991d9e22633d0a536379142d093629c99a8a568a8bb7a14ad0eb7cac8ae5fa8468fe37418cadb737dcd34d97

Download Submit