000996e02592d6f5216a77464baff2591739b5cb35a8ad930a5424c9099c7e11

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3.exe
Size

32KB
MD5

24ac76c507c08cf66d5cd099a4f7a4d8
SHA1

55a327b3070cacb24f40ce9345da31ac7f130517
SHA256

0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3
SHA512

61b897e211b50c1e7d225abd53af1f438052bdd5dead0549193a516f53025a1026ba1bb90b2d2f965a9a69b0efe848616cb9258c01a4ba536ba4f8c49f3efc81
SSDEEP

384:DTOnlqWJCo8BKsVv6GlWdWthCwClnc9ni2WOvYGcFHr+85/RfDH4e5mpaQEh5eEj:WnCBBKs0GcUUlcVBWOvYvbL/0Ebllcw

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3244_1463095746\keys.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3244_605310590\data.txt	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3244_605310590\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3244_1859864517\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3244_1463095746\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3244_1240766085\typosquatting_list.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3244_1240766085\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3244_1859864517\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3244_1859864517\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3244_1463095746\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3244_605310590\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3244_1240766085\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3244_1859864517\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3244_1859864517\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3244_1463095746\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3244_1463095746\manifest.fingerprint	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133870988681013089"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3446877943-4095308722-756223633-1000\{6E9C16D1-E132-425D-98D5-63A49C3E371A}	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3472	msedge.exe
3472	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3244	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3244	2172	0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3.exe	96
PID 2172 wrote to memory of 3244	2172	0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3.exe	96
PID 3244 wrote to memory of 4988	3244	msedge.exe	97
PID 3244 wrote to memory of 4988	3244	msedge.exe	97
PID 3244 wrote to memory of 1468	3244	msedge.exe	98
PID 3244 wrote to memory of 1468	3244	msedge.exe	98
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 2336	3244	msedge.exe	99
PID 3244 wrote to memory of 1004	3244	msedge.exe	100
PID 3244 wrote to memory of 1004	3244	msedge.exe	100
PID 3244 wrote to memory of 1004	3244	msedge.exe	100
PID 3244 wrote to memory of 1004	3244	msedge.exe	100
PID 3244 wrote to memory of 1004	3244	msedge.exe	100
PID 3244 wrote to memory of 1004	3244	msedge.exe	100
PID 3244 wrote to memory of 1004	3244	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3.exe
"C:\Users\Admin\AppData\Local\Temp\0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2d8,0x7ff8563ff208,0x7ff8563ff214,0x7ff8563ff220
    3⤵
    PID:4988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1856,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=2356 /prefetch:3
    3⤵
    PID:1468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2328,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=2324 /prefetch:2
    3⤵
    PID:2336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2488,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=2516 /prefetch:8
    3⤵
    PID:1004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3428,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
    3⤵
    PID:1672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3408,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=3456 /prefetch:1
    3⤵
    PID:1720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4996,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=4860 /prefetch:1
    3⤵
    PID:2368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4348,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=5164 /prefetch:8
    3⤵
    PID:3116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4296,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=4896 /prefetch:8
    3⤵
    PID:5052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5468,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:8
    3⤵
    PID:3132
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5540,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8
    3⤵
    PID:5572
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5540,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8
    3⤵
    PID:3104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=3656,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:1
    3⤵
    PID:4772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6332,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:1
    3⤵
    PID:2588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5544,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=6304 /prefetch:8
    3⤵
    PID:3952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6060,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:8
    3⤵
    PID:3968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=120,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=5096 /prefetch:8
    3⤵
    PID:4508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5096,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:8
    3⤵
    PID:2636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5492,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=5236 /prefetch:8
    3⤵
    PID:1220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5388,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:8
    3⤵
    PID:3200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6140,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:8
    3⤵
    PID:116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=868,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=6748 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5648,i,6878281131433049861,8279462597891000143,262144 --variations-seed-version --mojo-platform-channel-handle=3228 /prefetch:8
    3⤵
    PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0df97b99ca90dd92e313196ed212ed8bb7931ed5ff381a3dbce0e0479f820ae3.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping3244_1240766085\manifest.json

Filesize
118B

MD5
6e8ea78b63bbcf8e6076d56a4b13a200

SHA1
4ed655b43d639a095f5dc5aa6b4aa2bc0e97f031

SHA256
c6906891b0fc56f40719778327f64e28165fd3f86fa9c199ec2a33bcd647ccf1

SHA512
c015babbeb7f94358e4f48bb2e2157e27f7d6266463cdfc826ffe86f6271fd1198bad91dfd5ce1dde2e0412358136138982c38e2c3161616804963da34ca817d

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3244_1463095746\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3244_1463095746\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3244_605310590\manifest.json

Filesize
53B

MD5
22b68a088a69906d96dc6d47246880d2

SHA1
06491f3fd9c4903ac64980f8d655b79082545f82

SHA256
94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88

SHA512
8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
7b0736a36bad51260e5db322736df2e9

SHA1
30af14ed09d3f769230d67f51e0adb955833673e

SHA256
0d2adfd06d505b9020c292d30597083d808bfd90ddc0fe173def5db96832a087

SHA512
caabdc6a8601b93f3c082e6506b3c9efe2242b90e92e86306dc0bd4857d33343ba395325fabb21f5db562d3e3932f52f77de547f379072d0154efd5f1b1cdeb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
83164021141f831028f4fb19b5c73e0d

SHA1
96c44749fece2d5d0f1093bcc5c7cec4e776beda

SHA256
3c158e750596ab1fedfbcf479c7b081d465c5ded7ecccec1b2f1fb450809d1f7

SHA512
522163f57b3d8d166f9d86c4801765c7dddf1ceb105021b190d6b2c2e0667c75d44f80c40599d1a4f53ada23a4da488f7b039a64e78375368011178389465519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe580913.TMP

Filesize
3KB

MD5
a1d8a112c67a9d124fea260149c4c8f3

SHA1
5cf9855b0f28658d98e14e55c7a97f18f576f8b2

SHA256
94ef17fd9a1f6a61af642eb20b1fc0cd28042c43dfbaf29b6c93355b20e31281

SHA512
55755c568cee5ac303ff5ccc78397d3a549122ccf04a80adf4a36041b490c54e270edc3c313a986324b7191496a2a502828d7ebd910e43963867ede6b6753e63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a064bbc043b519dd356bec7dda74189f

SHA1
63eef318b49270c6a615f3544706b01d23096eb9

SHA256
b65284d6d6055d651992fe2b320fd47a0f326df2eebe56e4ca25f1e44171e293

SHA512
9a562f6c6cf71fda9d4a4ff89a07aeb3288bfa425d5524016cbd96dd4309fa39f3990a5b63d200b6a4c55d5316d79cb40ebf183adb44323178ebdc55687a4534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
22b96a4b5d12eca2fc714a4b4fa38d17

SHA1
5fc6303408ff62373a5ce55e19bd0900aefa17f7

SHA256
b38420471addd53522cef53d214c51d0470ec92845ba8f06b0af00bcc459b65f

SHA512
f77be5a88a08b7b100f324dbb01c4b9899382917d2ad4463e0a40c8e6e3eb589fc74d9e7de226c924ca039bf7358f32bbb58613b9fb91d65d14a2ed26a16cd1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
238d80be41a681f253a65c715fc46a54

SHA1
205e74dbe0445ecc92946572b493fb0cad21fefe

SHA256
6f1b4a553f0f07e6295aa174cfd21bf5ab50094f840dab9326ff13132be08ecd

SHA512
99822d9ab0ae02a9b5dead1cff32d85fb05b1366fb4453016b7323ef144414d833ec48987f0d0b9cbade8e80e15588bac53b97ef3180a639197d50fdb0ce7728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
59b9ebc5de88a5873ae4ac921a7a1784

SHA1
252ebb52dd188e7631f4092adf8a4b43f116f39c

SHA256
a8312fa21b1013ddb21db60a6b7d2c8811f276685700cedf3428a025376a6d02

SHA512
f3eebf0ef8ad7a5218586be3bc36f4746a6fd8cd4d5388749f29db57ce1a2814a4f0a7d0fc75c3db60a583e22b3e6a253f05cb2839160378b14ee88f21e48769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
0d927a43b5cf1839b96951c85c0aaab0

SHA1
cdf238e49c377906f48204de59dd768f9ed11e60

SHA256
0bab84878dbad39f1eedc16d0c28d5b60e076171457ac0cd6aeda2228189c501

SHA512
69d9bae37d079231d5378d18b7b1de12b4a9fcfc6f61a19b496eaad69484065a67868d3f18a407e06d192a749f1c58afd6af5f0f8258cff7fc63eb65ba9dcad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
454f973db7ed0e45699170ef10cbbfcc

SHA1
23ec52f7c23deee83853c4df112d779a86f43e86

SHA256
6d213268c8922c6be8cdd967076bdafc47c8557683c0d5645ec7783a0393b2c6

SHA512
e22dbe54ea53e51edf32c8dfdf944ea4b2a7ed320536167130c5aa2e01b19ea5e55af1266ec4cc2dc56e8b83730cd0a8451631ada46e66c2a827111446d320f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.10\data.txt

Filesize
113KB

MD5
60beb7140ed66301648ef420cbaad02d

SHA1
7fac669b6758bb7b8e96e92a53569cf4360ab1aa

SHA256
95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985

SHA512
6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
467B

MD5
cd3c5c6ee3e1881450acf667dbf0cd7d

SHA1
70c137f2927d8da01fdefecdaa794e1665ef3884

SHA256
efb683356e85e47cd2dbcd618c7ab17bc4a3f1276da511e943b4c5b1fb70cb7a

SHA512
1e078e20bd0c1f8b2db3010002b8a6311e7f504e4ea7ea70308407a5e788b5e70be4d9eb70fc701198df248db0b68197a2ce27a2ab8afccc9fb1a8bf7731d2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
22KB

MD5
ef6e4fc168db65c29c2d2f57067ef0f5

SHA1
f76faeb9b1a5c90f5e2f7e34876c502db88209e2

SHA256
578e601e2f66fcb3ffde13d3f3fbde3f9a30e75f9b8b221445717f9d7e6abfe2

SHA512
993b4deb0076173968966bb126ab893f01a883af0f7ad4f9dc0a9d2192b9b069796e7a83dd575074408e93d919ec14c11a16f1efbd7d589574217c7cbb361cfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
900B

MD5
95d29046baef29692d5b0341849ce7e4

SHA1
ecb46c782e5de0df414e478d1b86897553a40f74

SHA256
a4da3112948bf05a20b248e827a9ccac3a40e5dbdeefcc2113facce1a73f00bb

SHA512
de4bff5b7fa59aeab436d586213e41479904bbf92c21c1ed39eddbf9be074aec9e99fafe3888dcd575a0b7ab00c8b63b3eb9d825a6a770ff30427bc0179e3086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
2fbd848931243b9cf12cb01d256c32ba

SHA1
91ff4bf12baba750fc1b543861ed0cd5080556bd

SHA256
cdf3452de7a85607662360ec0e58b75fe9b1d4a123609085196a34cb757d6f73

SHA512
789639ca64f3885fbba275ba5ffa0494cba6bfb792464bcfa83411b5f7a18dc2e7c4d234030b8d89e9bb4104816aa2c8b4300a4e52bc46d4635841112509b3d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
6a4fe494ed353ee46afcdecd53503484

SHA1
f39a5a95bbe0db2f42bdc5203b5a6ecf1b8b8d43

SHA256
262d560ab6b32d723dcccfa77d8796f7768f53803721438723913e890b2ccb1f

SHA512
1b0a7548501059f8cd2d3dabdf51a7c303be9d1c3ee43486b2880d5ae00ee8808cc7c8c07592cb78c12c24d976f77da779a5f91dd2995f90f2a62778eb712967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
d18c10bc485bcacf39534f2acb4f4fb3

SHA1
7730f2329bd325953ad5eb0529eac8ef7b585a76

SHA256
f673591e6902f070363a87f5d72ebbf994634a347e091d0f55f664555add6f92

SHA512
ef9879369d618d66c0a5c262e6179d9ffbde3c50ea25a306574f1787256c14dc69c97977460c5336be0cb9e835e4d7b00187dadd1ac77f6516619c9bd9851e7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.21.1\typosquatting_list.pb

Filesize
638KB

MD5
a1fbb0296814e30fa4e6710376dc2cd0

SHA1
1720d466dccd6b64bb839580c6c36c08f74b9c2e

SHA256
7c4c71093987705407cdc53acf99584947eeffc828e933a47bfc6b335d646f12

SHA512
d514eadd3711fa5c1e51d3128b5c89de7a0f966d767b689bcf6cb1e4b9ce278d5f3d49cb9f0867d4c022c604bd04fe113be67449123974565d35ff47d1f7dc11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
75bb4baa55cfe613d50be61fb66a39b3

SHA1
99c6453e2e4f1890e8ce9ba5f6656c0dc71e8d28

SHA256
3ab08bf69555c7c53191a6015c718fb3211dfbfa13f7e0eff254bb220bd75378

SHA512
438d317ad5e7cd635644c5229d9f0ecb5107ad1eb629090f1b31c8cd613faf9008e69e01a6a2d690b1392050d14fdac2d5cea98ae42bd93438301f7659d80ce2

Download Submit