e36962c7613c7cec9e09e4e20d044d59f48fd5b7f969bdc0251703f2dd0998bd

Analysis

max time kernel
145s
max time network
168s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
26/03/2025, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

R.E.P.O/OnlineFix.url
Size

46B
MD5

59bf167dc52a52f6e45f418f8c73ffa1
SHA1

fa006950a6a971e89d4a1c23070d458a30463999
SHA256

3cb526cccccc54af4c006fff00d1f48f830d08cdd4a2f21213856065666ef38e
SHA512

00005820f0418d4a3b802de4a7055475c88d79c2ee3ebfa580b7ae66a12c6966e5b092a02dc0f40db0fd3b821ea28d4aec14d7d404ead4ea88dc54a1815ffe26

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
64	discord.com
65	discord.com

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3740_1953996303\keys.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3740_1953996303\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3740_1953996303\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3740_1262341845\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3740_1262341845\typosquatting_list.pb	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3740_335379362\data.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3740_335379362\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3740_134615492\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3740_134615492\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3740_134615492\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3740_1953996303\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3740_1953996303\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3740_335379362\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3740_1262341845\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3740_134615492\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3740_134615492\sets.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874700334767176"	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-73851796-4078923053-1419757224-1000\{1F4B1137-8DB1-4221-A7FD-C07976812CDA}	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3740	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 3740	1204	rundll32.exe	86
PID 1204 wrote to memory of 3740	1204	rundll32.exe	86
PID 3740 wrote to memory of 3156	3740	msedge.exe	88
PID 3740 wrote to memory of 3156	3740	msedge.exe	88
PID 3740 wrote to memory of 4852	3740	msedge.exe	89
PID 3740 wrote to memory of 4852	3740	msedge.exe	89
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 4864	3740	msedge.exe	90
PID 3740 wrote to memory of 2408	3740	msedge.exe	93
PID 3740 wrote to memory of 2408	3740	msedge.exe	93
PID 3740 wrote to memory of 2408	3740	msedge.exe	93
PID 3740 wrote to memory of 2408	3740	msedge.exe	93
PID 3740 wrote to memory of 2408	3740	msedge.exe	93
PID 3740 wrote to memory of 2408	3740	msedge.exe	93
PID 3740 wrote to memory of 2408	3740	msedge.exe	93

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\R.E.P.O\OnlineFix.url
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://online-fix.me/
  2⤵
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2ec,0x35c,0x7ffbf1d0f208,0x7ffbf1d0f214,0x7ffbf1d0f220
    3⤵
    PID:3156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1908,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=2360 /prefetch:3
    3⤵
    PID:4852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:2
    3⤵
    PID:4864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1712,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=2648 /prefetch:8
    3⤵
    PID:2408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3448,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
    3⤵
    PID:2308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3476,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=3592 /prefetch:1
    3⤵
    PID:5380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=5004,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=4992 /prefetch:1
    3⤵
    PID:4720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5276,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=5300 /prefetch:1
    3⤵
    PID:1888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5788,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=5756 /prefetch:1
    3⤵
    PID:4144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5576,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=4848 /prefetch:8
    3⤵
    PID:1480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5916,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=5644 /prefetch:1
    3⤵
    PID:4428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6076,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=6092 /prefetch:8
    3⤵
    PID:1544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5960,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=5076 /prefetch:8
    3⤵
    PID:1736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5968,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=5092 /prefetch:8
    3⤵
    PID:3788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6248,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=6424 /prefetch:8
    3⤵
    PID:1304
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6588,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=6436 /prefetch:8
    3⤵
    PID:5820
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6588,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=6436 /prefetch:8
    3⤵
    PID:1572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6768,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=6788 /prefetch:1
    3⤵
    PID:3480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=744,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=6644 /prefetch:8
    3⤵
    PID:3468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5180,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=6512 /prefetch:8
    3⤵
    PID:3020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6540,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=6988 /prefetch:8
    3⤵
    PID:2936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5420,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=4956 /prefetch:8
    3⤵
    PID:2340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6688,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=6620 /prefetch:8
    3⤵
    PID:4664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6496,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=6072 /prefetch:8
    3⤵
    PID:1764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2564,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=6936 /prefetch:8
    3⤵
    PID:5252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6140,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=4804 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1204,i,8384217836220340422,896594887958462452,262144 --variations-seed-version --mojo-platform-channel-handle=1728 /prefetch:8
    3⤵
    PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4920

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x448 0x450
1⤵
PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
aad9ef568b38aa2ab42b57a3cbd8d8eb

SHA1
efe601b188069ca6b54ba6bd63866687c5574780

SHA256
ef0ca3af55b0eb83ea83d3376038feecaef97236df7c556f821c93bd08e86a9a

SHA512
5a3e66a1f995ed2779c7260787a2688118406190312d31e7a77bbfef233d81bbc17dd1bbf77a08ba73e390e22dd973c173b5eb39851b359a9196f48bb6fea963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1a3eb8b8-3934-462b-85e9-b70d100b0c6d.tmp

Filesize
18KB

MD5
08fd386908272bb49a397dc1a46f729c

SHA1
a2c7737fe93b3967c7226a7da65a593e9efa1e20

SHA256
5da455e8e5e0a65478179e03f937b503f2b5f73e27b2e3e75bfc3eb9a5484ded

SHA512
349ea00a7e83e936bea9826cc242539d5457d72482e5ebab837a6b615815fb8a08fedff28e942e8b81110353ffea8d44aa03a48249bda97734712ea0b62e91c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
38968e92102bbd20c9272eb869f62ff1

SHA1
f1ea58b4eea8f6a00e4e84fc8d002227a56de23c

SHA256
9bde7aa9c69e48ce3fb223ef015dbd362ef73c8090668a71d56c29aa6c47e0d4

SHA512
4535a0a4dfa82905a9eca5fefc31504f6364d034680f0fef59515cf285d7d1ea3744a55938cba2b1881d915802a5c9337551d138737e212b5492d012fd90b256

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
34fda2b6212ea32c22373f28746e272b

SHA1
ee032f1f0469d21f4197951956a1d8ae66c1dafe

SHA256
fd6ae5e52b7742eb680fce2015e0a9f99fbef097207d9a67535a40ac5c48cb2a

SHA512
191250e81e892bdae118bd6546c688d08b00fa70fc23858e6478a0e4c1665be2369105d71860b24711382616c8befc14e33a58d91e89b8b3f3087efba5b59e82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe580b26.TMP

Filesize
3KB

MD5
383a98cf0d4acfbc7746c0dc1c758906

SHA1
56ddc089187526d6209ee18f712ee7628da01186

SHA256
1043b35be9a75901f0e3fc126febeba73c13045a69422faf2aaf14b0e69992ac

SHA512
7fcfef668313056620749db781f25040b831bbaa3158d153300e929fc21adff3ea045fa13d5ce5c4d26527d5baa4ecdacdea1858359b47fdc7a17c87f8bd0b7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
62f4016c1160dc4c45d8a822e24d50d8

SHA1
8d0d2cb5498020aaafc10bcaf216ab2de5f17558

SHA256
3f6f90379434c27768505e340651d9bfa1c8f7d21b34f7d2a44a519337a12bff

SHA512
38fa0c25cfbc6457c2d70145cd571dda40d469dda1d1152cbbd7d8f71baf231b0488e94bae1303bb7d98781f6d4c2fedc46ee5db0f0db8924c7d1e84cc978b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
6cc4041c1b803e198343571a6cd326ad

SHA1
593c10b78d34f27565d73a515be4859f8279ca6a

SHA256
3ab823ebd651b6258602b14803064f2bbe081271c25cf4689bd193f2d5c637c7

SHA512
1e628fda90dc974095e40a1d85f8c40db99098ad7658a459e00adcc605ddb8a3a3b7940bb6c19ad43d412c492414666d6500789671862a4fa51b0be636087f14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
d88444f55b2edd50db80d9d3b5d43785

SHA1
99ed97f7d100a719ccec4250d62fb63c5f29e2ff

SHA256
ba69ad9c658ef335ce071dcb32067072a169e7f0b583e9d3e28b51f73866b70b

SHA512
5d4f3be54f9602621692bdcd750fd1c73318f2c7412c4d3de0205767838063563565662c3b31d82283baf037cc3a8fcabac39c5638caa384826ce34a6c8fb899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
b9e56b7c61621784da88068c2b8c9ea4

SHA1
16eb89c1ce209bcd177fd79618bc386554a322e0

SHA256
04d707ff4a44ff96213c96c2a5ad108e5b2d7de3e27f03bbe6507cdf5004702e

SHA512
251a58de1a6a48d2ab6ac55ac07c9058fafe8048cd04b60b5e49f23ff188568c741a1b756e1c09cdee6897fbd337a231422d3c7642d7361277980fd904e940d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
ff4b4154cf18ded10f4495037cc034df

SHA1
6b6cada53f03e880c96e439a4dcbaba8dc0de395

SHA256
2a5da9bd17bfe68e48c71eab597cfde96c67d67527f9ee1407dfc90c900f244e

SHA512
288891a9428803b002d1a936b272d7354e886bff168654b4dceb7f312f9320c7cdd2237b9b83081dcc5dfc3d994edb9217933fc91eba9fea6e81a95d6458e43e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
e7192e33293e2242844dee5a0ff4f6c8

SHA1
01f013ea32e1226638e6290b8f91dc0800d10d6e

SHA256
a6c898af2dd5941d36ff5c9637ab71d384c249a5d6dc82eb956aea528f509189

SHA512
7fd4eb8513eb5cdbb68b21d8919466152c558e8a40d7502bcb7596611ee14c8c0b6364b6d0aa884e9fc609aa6da4c6846da51fdcb5bf138347eb844b342350be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
9b28204c40492797ad90485f876ff6b8

SHA1
3637c6d3e53184c8678f9ee537f1fbfd9c2963d8

SHA256
33e8bd460426a0e0238fe3c05fb296a8a6dd2f904d19adba08a2b61a9317cd3e

SHA512
bb782d157734ba36b958ebe60994ff726345cbfda728c04c32280324688b402b9a5147e4f80404dded8fa5f614e17e968f7e3f61b6a15340f48e77f9d90d2d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
c735cdd8e8b54df8cffb062d3aa52106

SHA1
46d740c465257da5c7b8029ba02dc27ac6630aef

SHA256
e606a913c1f4641b4195a1eb94b33b47af24ae2415e7e3eaa8a815f8c5f83e30

SHA512
4b9d2e312879f36ebee217377836850663152e275c910fa1accbd14608be23751934337ee917686a0dc83f04a0e4859e4861eea244061b6ba7ba986d01f1bc0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
e33ffb86d15bdfe9f4568f7b80e469f9

SHA1
5db12e8f272eaf132d7b20b8f7fff42439563e3a

SHA256
08021452746eb86c93decfdab2ac5c81325a1499ec63dac6bfb89481fe92818f

SHA512
29741b8fda0f8dcf6924370fc05025f3921463e24ae890dd066cd8a11e485a1a461b18ae5ffcfffd20765d956363f4c85f59ea14ed94f1f2e2d09f963a77e0d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
96a40aa7da24673a205cec30ff59b55f

SHA1
114cc4020dde5d142dbdedbcd72406c3813133d8

SHA256
13cd23ab13ab070a5d71ed538d6d8ffd9cb459e0a89bcb36ad0f27a20d770a7d

SHA512
4ae1cb2f5779cb5c6080964863497fa5415d8e9e39d1ec758291905adf1777e2302a66a3d55332aab626b6bd1340926d2e652a7192760f855fc0d986657ec3a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
ff619545a92b191260697a7c33c895f4

SHA1
2cf183d9cda60d6d1cb1b777f23ac1f173c049ae

SHA256
fb9c97d0df29e1df7edcd9c458bb130cf6c395a92b0cee8af1105b3088f61182

SHA512
ca2aac181e93677b5038c4ed475e6f79d09afc8d33625a8a3e12522d61c5d36744087e127b49076520928298c47fe6531b954f89c683b231154910a2d95c8e45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
c9337bd3e4f4f96bd3020a34ba08a0bb

SHA1
07ad18584f6b3b075e69c9079bd69b0751686d00

SHA256
973793e796de6d484849d856885756395805652aad0f3fd99fe2a031492b6538

SHA512
18700df1907bc102cd06760eec0ae2080bcf28ec6c8e2aaef85eb0734a02ab2be96083a802c02a960a4949c2bdaaad614d0b40360f05b939ea0d4f35d2f18a8d

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3740_1953996303\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit