13998cf5ce3fc1b1fb20635ef2c1e476c880d72eec7afb7e8ec74808928700da

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a731427f52bd2af065c7544d7f9ea804.exe
Size

8.4MB
MD5

a731427f52bd2af065c7544d7f9ea804
SHA1

7cd9c953fda6cb5c596e2d411e1892bd46c28b20
SHA256

03fa272e3f65c52dbfc39fde14d51c9af1dadda3e520474e30858163543c21a7
SHA512

aa8557636f7b1ceda7a2fa47f9fe921d6bfb02b3127254c249955090b9734a4d8b61c9a3a6f7940dc0604b8863a911a9b05855bbc4d1052250fb4c2ae08dd6e7
SSDEEP

196608:YX25M7WcFX25M7WcAxwSNZAk/vUkLAHjT0de:YOM7WoOM7WN5NZAGt0Hj

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
144	discord.com
145	discord.com
42	discord.com
43	discord.com
78	raw.githubusercontent.com
80	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3860_572920628\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3860_572920628\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3860_572920628\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3860_2075505301\keys.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3860_2075505301\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3860_857417715\data.txt	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3860_857417715\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3860_857417715\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3860_572920628\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3860_572920628\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3860_2075505301\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3860_2075505301\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3860_2075505301\manifest.fingerprint	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133870985644909818"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1062200478-553497403-3857448183-1000\{861EB33F-20DF-42EC-A6C5-38ECC6CB2D2C}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1062200478-553497403-3857448183-1000\{A7551DEC-E93F-4561-95BD-CC5E042D54BE}	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2712	msedge.exe
2712	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	a731427f52bd2af065c7544d7f9ea804.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3860	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 3860	3100	a731427f52bd2af065c7544d7f9ea804.exe	86
PID 3100 wrote to memory of 3860	3100	a731427f52bd2af065c7544d7f9ea804.exe	86
PID 3860 wrote to memory of 4388	3860	msedge.exe	87
PID 3860 wrote to memory of 4388	3860	msedge.exe	87
PID 3860 wrote to memory of 4456	3860	msedge.exe	88
PID 3860 wrote to memory of 4456	3860	msedge.exe	88
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4592	3860	msedge.exe	89
PID 3860 wrote to memory of 4708	3860	msedge.exe	91
PID 3860 wrote to memory of 4708	3860	msedge.exe	91
PID 3860 wrote to memory of 4708	3860	msedge.exe	91
PID 3860 wrote to memory of 4708	3860	msedge.exe	91
PID 3860 wrote to memory of 4708	3860	msedge.exe	91
PID 3860 wrote to memory of 4708	3860	msedge.exe	91
PID 3860 wrote to memory of 4708	3860	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\a731427f52bd2af065c7544d7f9ea804.exe
"C:\Users\Admin\AppData\Local\Temp\a731427f52bd2af065c7544d7f9ea804.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/ronix
  2⤵
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x360,0x7ff97366f208,0x7ff97366f214,0x7ff97366f220
    3⤵
    PID:4388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1856,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:3
    3⤵
    PID:4456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2248,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=2244 /prefetch:2
    3⤵
    PID:4592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2664,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=2800 /prefetch:8
    3⤵
    PID:4708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3492,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
    3⤵
    PID:4956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3500,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
    3⤵
    PID:632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4908,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=4896 /prefetch:1
    3⤵
    PID:3172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3480,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=4832 /prefetch:8
    3⤵
    PID:5132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4864,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=3612 /prefetch:8
    3⤵
    - Modifies registry class
    PID:5160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5320,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=5708 /prefetch:8
    3⤵
    PID:4672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5324,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=5692 /prefetch:8
    3⤵
    PID:4680
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6220,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:8
    3⤵
    PID:2088
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6220,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:8
    3⤵
    PID:2768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6180,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=6244 /prefetch:8
    3⤵
    PID:1416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6240,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=6328 /prefetch:8
    3⤵
    PID:3736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=128,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=6276 /prefetch:8
    3⤵
    PID:2992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6432,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=6404 /prefetch:8
    3⤵
    PID:1556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5812,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:8
    3⤵
    PID:5756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5752,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=5644 /prefetch:8
    3⤵
    PID:2408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5764,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=2420 /prefetch:8
    3⤵
    PID:4028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5708,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=6608 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2012,i,355767160243102127,2646220837211917399,262144 --variations-seed-version --mojo-platform-channel-handle=5388 /prefetch:8
    3⤵
    PID:2140

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping3860_2075505301\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3860_572920628\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3860_572920628\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3860_857417715\manifest.json

Filesize
53B

MD5
22b68a088a69906d96dc6d47246880d2

SHA1
06491f3fd9c4903ac64980f8d655b79082545f82

SHA256
94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88

SHA512
8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
690f9d619434781cadb75580a074a84d

SHA1
9c952a5597941ab800cae7262842ab6ac0b82ab1

SHA256
fc2e4954dbe6b72d5b09e1dc6360ea699437a2551355c2950da0b3d3a4779fc1

SHA512
d6b1da8e7febf926e8b6c316164efbbac22c7c3d9e4933a19fffba3d1667e1993cdeb5064aa53816c0c53f9d2c53e204772de987eb18adbb094a0fb84ae61fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
017f9176af9951b63d887c44ce1ba591

SHA1
75bacdfe67cf96210ec8e332dad51ae364fef423

SHA256
400f30fa118a16a10594c74f2ba3923dac8b5c0b0ed82d4335968e3847c46964

SHA512
b51e3523ced29d7300c9f1eb8e342eaac7df1454b546f3ff6727ba563b0f7af17223aeac331e238052e6eea3f4efdf5bb1a41f62a102e05a2f47f07059d0d947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57d060.TMP

Filesize
3KB

MD5
9da5e54eedbb26c458decd3b6e407c2d

SHA1
c55118bc92e64c605b78b719cc6818bb6e9ea9d3

SHA256
db677fb690dc3ac0f3730693cdfbea4d72f285c05088744597e24f56dd7a6359

SHA512
83efa81ea47360bb0f7b2c40faa03e139c00f99511f63d61a7d56da4044127af626ff2e9f987ca0ba7d3e03cfe893e7dde856cc8009d7aeb407ce98217abb067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1c8b70883f621e8d83047ca6c4056b9f

SHA1
573a4cdfe8de702a97800c067caaed301de96f90

SHA256
7d9ff31a5a33ee7b0c3e3ce2f9fccb42f1f6ded0e1792c2f984dfce1e1789726

SHA512
254908d30be2db0a308f50354fc18223acf56e76db3f5be8040aea74add86371e13723eb5b852354022a4f52317d7e4cb3f171a0934acb76f030fb51023458ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\c290fcae-7799-4c83-8617-7a79e0e945d8.tmp

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
861eb6cb2856bff9d401c371df3b5400

SHA1
97725308ff1b09e187ec05a39f535288f119e62f

SHA256
04fda1cae8baf6ec155bfe6062ca914de32f0f2d7893ce779a8b4a8f98e391e8

SHA512
1ba912f5844901fc75148d065fbccd221ae8201162edbe5753c8b7ba0bf43d166d51b19a6e9986d80771b72f577f2e7ab4a53e63fc6b80d816087ddad67817bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
9a44fd44a9e5f1bccccbbe81ed150429

SHA1
88044ae4b1d75cd128be6d362d25910b65e8ccc9

SHA256
67a5cf5d00d38a969fa67229c1dcc6c0027a3e2df8841e46f1b34af06475974c

SHA512
3c07ec7b79bb264049513b988f49317d0fc4a5ae84764a8b067b08e345b8b342ee6ed45201411ec12c31cffd108ecfbf448041542c6abbf653d1d0e623588e94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
35d13051dcf244761081963ed08ae35b

SHA1
d6ed323d6efcda9d27aecc0756b7c8edc6acee84

SHA256
6de64971aad9d84194c84e162a99af4239271e9e82be34c75447d8be2fd8b4ad

SHA512
f299294bc30083c10f8776989defdda47ec2c3b7762f904bc84748e8700081600f19ac05c25b94bbf1631fec418ec8e3f933b3e120dceb65a923a87cad4f8249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
23KB

MD5
3ce65b897ee4fd050f94fc911135ffb6

SHA1
517f3ba7aed7fbd3581cdf87827d246d4d2f6948

SHA256
fe5cc4a8de229402a7c31f66783fbb9e33418b1e4822d3b73ca279bb59c07dc8

SHA512
a515fd2a485b9d66d1c645a099ceaa5af56624e9620796b4b34120d4976963175bb1398f9db4c342cdd7879ec235c7ce29af4274b930ab14cd389be6722c29d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c8bda296-a56a-4633-a683-7e22ef5d5c06.tmp

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.10\data.txt

Filesize
113KB

MD5
60beb7140ed66301648ef420cbaad02d

SHA1
7fac669b6758bb7b8e96e92a53569cf4360ab1aa

SHA256
95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985

SHA512
6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\00cbfa4a-e716-4596-b4c5-4f6c3ad7d821.tmp

Filesize
465B

MD5
0c83a24247dd861c6f22d5f039d3bffa

SHA1
059195e732ab477061d8e56148b7204f37520591

SHA256
7ff498081124229918c7c7dad7a76fed9e58dcb5e34a8cb9f5f36fca962207d3

SHA512
deb74877ed5a4b63700d88d752c1579a6bda9bf793d9e9d296a0e69bec8dfb509139b557d1fe042c428e525ea0d31adba8bcc17b8f86889857b83b1f6f3dcfbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
896B

MD5
c8f8e6eea7066b693d7e65b8a2031c2b

SHA1
5a607ecd5bf4a97443ec739b37dbc311cb2f8858

SHA256
ef8ae3c4ff7f49fd1c1e0860861f0cca6b3aea7e7cc006c1fa5332da578d5ccf

SHA512
83bced3f315f27b5f07ea019764d8bea133f9dad8d302115aecd13d3a38092389938d9577b372ed5ecdded34fdd4c0132c6700647e8c8e9323125118ebb38214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
22KB

MD5
e5efbe673f7c65d00655681658a4c78a

SHA1
4577214e1788d27e54bfb1b0cfd25ff97aa81e11

SHA256
3bc68fd15339f29441671c73605a8e4672b2b679c940225285fd3b24c428fa95

SHA512
c2f2d9116a46ff7024ff9b636997de7553e11977c593a25c9810595dafab224760221713bd4ae22268860f1207b878a57fc51d5224fda9fca4baffe0850ce11b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
00afb3977ac9bba747952aeadbf67b6c

SHA1
308b17198325ec4e217f26ecc966e32a7c33dc6a

SHA256
420da6b364e1a80463ae379ae8ec835a71b2cfcaaa25da1dd47440dae1fe67c8

SHA512
67271403758d4d9d86538cd6e26d1923f9524c625571c9f661cc3e63f3b94cda9c46549944762482fe96b05dd61c51095c3112c8c12db0717ce544546d580d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
571a3b0e3e63e1a2dc8df1971a46c0d3

SHA1
bbee166f5c1ceece9a5262ce7727bb552a9c78b4

SHA256
f7ceb56e025ba002c02b6fa7943b7dadab624d8bb818bc724ebdeccfcc7aacbe

SHA512
493bd3f4ffad008204dfdfbbbe0b22d7319d9bc051f12e0cb411e9b5826cc92025001a56fe00052769192837122918f1746f3a47cc740b48ce876e6aa049de41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
5c3af1d0e2d9ebc17122ed98f3eaa4f0

SHA1
6a496cf6ff0464239fb04323bc4e2f3563fe5f8c

SHA256
dfd897c9bbe1e49b48918d46090f31e3d6302b3dde127add331c4cab7bd87c34

SHA512
a61b9832afe1f48b2dfd08bbab592679f437a747cdcc40270c46de0ccbcede8a1808a907b6590dc809a9f0e24a766569c14eb509d956751d91440d7a7f16e776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
1ee328f0de75893b4aa971ced70f4671

SHA1
f632fc98b6c174b37c735790e8d1ee64bfa47ff5

SHA256
2301cb5674e5b000731421d2be46c1f7de2afe5c83a960336284c9f03cb8814b

SHA512
70cb01e1ea75e63418c0f0cbedf77c50e44c224334097fcb0bc9dc9bd894ec17f61d9ed2760a11f4a61b207d2ff4f0a897227a870bf19ee354a143a6173ebbb2

Download Submit
memory/3100-9-0x00007FF97A330000-0x00007FF97ADF1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-8-0x000001FFAC860000-0x000001FFAC86E000-memory.dmp

Filesize
56KB

Download
memory/3100-444-0x00007FF97A330000-0x00007FF97ADF1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-7-0x000001FFAC890000-0x000001FFAC8C8000-memory.dmp

Filesize
224KB

Download
memory/3100-0-0x00007FF97A333000-0x00007FF97A335000-memory.dmp

Filesize
8KB

Download
memory/3100-6-0x00007FF97A330000-0x00007FF97ADF1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-4-0x00007FF97A330000-0x00007FF97ADF1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-3-0x000001FFAC440000-0x000001FFAC448000-memory.dmp

Filesize
32KB

Download
memory/3100-2-0x00007FF97A330000-0x00007FF97ADF1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-353-0x00007FF97A330000-0x00007FF97ADF1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-1-0x000001FF8C040000-0x000001FF8C8A4000-memory.dmp

Filesize
8.4MB

Download
memory/3100-352-0x00007FF97A330000-0x00007FF97ADF1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-274-0x00007FF97A333000-0x00007FF97A335000-memory.dmp

Filesize
8KB

Download