b7cbbb0e37b40bb4724d1448b40f27d97ae1b37a89a7d8e01d3cfebcd7aeac14

Analysis

max time kernel
144s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StartPage/Local/iframe_wk.html
Size

2KB
MD5

388c90fc50e3e7399da677c10fd108c8
SHA1

6c1e457174aeba2bb60c1da4e88deba7baf74364
SHA256

209dba04648f85caf01b72d112d3312f32731555cb984771f24dbeda542d994c
SHA512

5a70d2fde39626e145f74b3a94aa397b79b6f534d3da37f6db7fd5465ebfc881062003b97f6b74a9ca67799e6dcc5c31b8419bca4b2c18c3737978e1429da44b

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\ka\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\pa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\sl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\hy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\is\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_1437305629\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_153931405\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\pl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\kk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\es\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_1275585534\protocols.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_153931405\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_1911491945\deny_full_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\fr_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\el\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\si\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\ms\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\ca\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\hi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\gl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\ar\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\az\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_1275585534\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\service_worker_bin_prod.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\te\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\be\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\id\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_1911491945\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\no\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\ur\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\bn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\hu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_1437305629\manifest.json	msedge.exe
File created	C:\Program Files\msedge_url_fetcher_2928_1318876208\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\ro\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\ko\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\kn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\en_GB\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\offscreendocument_main.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\offscreendocument.html	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\sr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\gu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\dasherSettingSchema.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\ml\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\et\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\ru\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\sk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\128.png	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\hr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2928_54437490\_locales\km\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876101178950755"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-446031748-3036493239-2009529691-1000\{7F71D3CF-E21E-45B0-8F01-FDCBE14BC821}	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
6020	msedge.exe
6020	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 4960	2928	msedge.exe	85
PID 2928 wrote to memory of 4960	2928	msedge.exe	85
PID 2928 wrote to memory of 2688	2928	msedge.exe	86
PID 2928 wrote to memory of 2688	2928	msedge.exe	86
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5908	2928	msedge.exe	87
PID 2928 wrote to memory of 5784	2928	msedge.exe	88
PID 2928 wrote to memory of 5784	2928	msedge.exe	88
PID 2928 wrote to memory of 5784	2928	msedge.exe	88
PID 2928 wrote to memory of 5784	2928	msedge.exe	88
PID 2928 wrote to memory of 5784	2928	msedge.exe	88
PID 2928 wrote to memory of 5784	2928	msedge.exe	88
PID 2928 wrote to memory of 5784	2928	msedge.exe	88
PID 2928 wrote to memory of 5784	2928	msedge.exe	88
PID 2928 wrote to memory of 5784	2928	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\StartPage\Local\iframe_wk.html
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2ac,0x7ff8c1e4f208,0x7ff8c1e4f214,0x7ff8c1e4f220
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1904,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:5908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2444,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=2588 /prefetch:8
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3456,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3468,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4808,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4936,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5476,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5720,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5720,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5968,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5964,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=6044 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=564,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5736,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=6252 /prefetch:8
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6284,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4636,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6236,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6264,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=6300 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6248,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=6412 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5872,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5444,i,11910822221854997808,8682734815397874092,262144 --variations-seed-version --mojo-platform-channel-handle=1044 /prefetch:8
  2⤵
  PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping2928_1275585534\manifest.fingerprint

Filesize
66B

MD5
496b05677135db1c74d82f948538c21c

SHA1
e736e675ca5195b5fc16e59fb7de582437fb9f9a

SHA256
df55a9464ee22a0f860c0f3b4a75ec62471d37b4d8cb7a0e460eef98cb83ebe7

SHA512
8bd1b683e24a8c8c03b0bc041288296448f799a6f431bacbd62cb33e621672991141c7151d9424ad60ab65a7a6a30298243b8b71d281f9e99b8abb79fe16bd3c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2928_1275585534\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2928_153931405\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2928_153931405\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2928_1911491945\manifest.json

Filesize
176B

MD5
6607494855f7b5c0348eecd49ef7ce46

SHA1
2c844dd9ea648efec08776757bc376b5a6f9eb71

SHA256
37c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd

SHA512
8cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8625e8ce164e1039c0d19156210674ce

SHA1
9eb5ae97638791b0310807d725ac8815202737d2

SHA256
2f65f9c3c54fe018e0b1f46e3c593d100a87758346d3b00a72cb93042daf60a2

SHA512
3c52b8876982fe41d816f9dfb05cd888c551cf7efd266a448050c87c3fc52cc2172f53c83869b87d7643ce0188004c978570f35b0fcc1cb50c9fffea3dec76a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7ecdc90ea961a930b16af3c70363ac39

SHA1
d82b69d3988b7243dd90e3c5d9da8dfe385a52b4

SHA256
01e7b4a656cc1193d180d06a2b5d255b9d0b3051e33d0c907ce4f9e5bf84ae43

SHA512
2af00d51f654bce4df407e3328bfb31ba69a7e11ad3b7e4eaa02eea1be27e224eacd1597e643487b708061debf33851473353a9297f793f56e98969a0b9ad38e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
5c794d0e9e32388870d62bd5e8939334

SHA1
ca061486611974e2487755b889f438d3366bba5c

SHA256
1fb0f8b85070c1030bc123cbb3951b9fd13aea77edfaf0a7adaee27a42479cd5

SHA512
adea1594748afb2d135ef2ec7afe6bef78fea07cc379bfb004c040a206c355ff8f3911df28d9bc3d2203072d22026c923e375996015ae38df71dcee72cad3098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
61ad9dd1f9f221a506be0a15f961f250

SHA1
60b7af25fc08420f1e20fd2387302e309514ca69

SHA256
a2fe1df59d8d3db404b2a1b44e3489e3f1df41fdef1e308db9341d777424aadd

SHA512
be3bbb5fc3dadcd0c536dc37ea9ef18e1bc77fbef5dd2906f1154404e625982cfb7b65b58b33f056938893c69c8e5a7532f42941c8ceb2e45022f948afdebe5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
82355edecbe9c68c1b2de3a24e28a317

SHA1
71993273edc0999275d30e001b98a5787d8b8b15

SHA256
7ab8b117ac180b0df213b0f3abd60026442023646f960089613e783ba80c0a41

SHA512
28cbc9f4224853c4c212c6d199e14a2ca9b2a6b0b0437ae3178c74e4883bd6363d7ec1a612c69c043f78e4ea67bfb0b2d8c5b7b5e07a8cac34357c3ade13f204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
01601bcd24b6767b58bc31f3a3e91ce4

SHA1
c39c0dad6329c6542b13637b6ddfe121bbd04872

SHA256
668f458c28e54aa112ed1eac3e90c83fe65b3ce08566fb242f251ebf44169e30

SHA512
fcd166b8c1a56395846f8528888ed83724732bb97fea6d4c03f5ae7b39f08d33453fe0dc724f5aef5093de1617a77cc0453364cd136385f4190a18e4b54729e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
92f45ee7b9623ec1ebc3aafa995ac098

SHA1
d31c5127d9fd4968ca7c2389fdb3e2a177a3fac1

SHA256
6ad514bef132319dd64eec783813f6501a7eca793d7698529c4883aea58da830

SHA512
35e36d36691ff145cb6162b2af782be2d872201703445eb6370a9ea045e330aabd52245229865e72fcc6ce9d97e4d2578dc1e53bb7439b339f7b075fbdccc66c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
898B

MD5
6ef3632e9cdba3bda420a5bde77d723d

SHA1
416618e70c6b790c931c7a0666748566f129e8ae

SHA256
986287ef025f589e8d65a3b6af061599ba86ebdac4b7aea56b0326ef0822cb3d

SHA512
86074a9b2798800efd565b9d46370d7d1ed1ab7d24dc99a2c76f8d468460efee1bd61c3295812eef9723a20d69d651c7010d7eb1ff3d0610693e7a06e58171c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
467B

MD5
505211e766206e80e5a257833a02f480

SHA1
ea2dd9751318dad0ca6e0063fcd47b51ca5ae6d9

SHA256
5dc6e55754600d68042316afe5bc0a57a14e96302758c8976f093f59557f1108

SHA512
1307c5f3217942e7b169ee0375a7836271a5fff76bad189c763d46d95c29e9959d3e4fb59ec8b64d9ff64443e0719875cd881198cd81f55ce009beb3e3719456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
74e07041413f3766c861abd590d392b8

SHA1
d2c9ff6fd5eb419acdaa34158a2e5c0d03939d9c

SHA256
87fb88d548050075958aec2a8e692b7f2d76e54c9ca5b7d5f4d60147b09e27eb

SHA512
305b9cf2aa361875d220c53e0a28bcceae413373f4023fe51782a1047a0f0932c8e296f77d2618830cfd2ac7fd1424eef24f71e0915879aa8488833e0f71ed2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
f759d57156d3140947b33dca5f1e97e7

SHA1
44b17b88718a5a9c8dfcc1b56171c696439a80d5

SHA256
eeb178810e643f24fe24c61a96e7448794466e5e7f5f5c5c4a9387820ea0de75

SHA512
b2384ee9b0c9421dd753882779a6e340b48f734026df4b4ef6b8e4c7f254dace16744c34936a0919b298943d04b7b0a2d1416904d4bb615fbec4869e892328a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
0816a5cfa35f53a4e32f9eb24c0052ac

SHA1
236565d823c6b8113b78790b36e8bd7b4602a262

SHA256
1aa47eebf574b493a726b6736a3f48a265aec93dc70b49ad9c7e896199b4b505

SHA512
6c76d6cf0238ea2ae1960a8a15ce9788baca43f857522e02dea46b4f519f91c051b1eaa403847120a642624a16ea05aa39000dd643a617fe04a1f6a9d4fcff8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
d3396f200f22ac078131224451e84fca

SHA1
308f86bda283afaae33f3e07222b6fe99ffa8ff9

SHA256
8fcd3d139144ba3983e23e9a55156c7dc51b90bf24d534b88b2b33a4c468ba3d

SHA512
db00d9536c28f02fce2f9087a088e3d997203aa9f8ea1a393a438ed96c0ca0e6736c08fc795c856d3f6ae4f1c77ef177c91dc4e91423304fd508c5f5004e9fc3

Download Submit