1a828c7d13de59f9db34489ba5407bf2201181280aa6c6af1e4241982b0d1925

Analysis

max time kernel
130s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/doc/offline_warning.html
Size

924B
MD5

3e72c14436d399576bfb253eabb7ca90
SHA1

35eadbe2008a7b754b85dfad7e791c9d698caede
SHA256

84256a738a5e2e7d60b9275a2981c491ded1921e2fee329156393d162cd1b34b
SHA512

ca2bdaf7e9a4f473744116171042428d70a45824af213edc7aa6a8d4714dcf9ebc9d7cfc450b64d215d9d0326c331b849bc3abf0b92050db11f34949a302a42e

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\sr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\da\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\ko\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\hi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\ar\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\sw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\hy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\fi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\km\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\af\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\lt\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\be\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\it\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\cs\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\eu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\kn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\fa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\sl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_593096207\protocols.json	msedge.exe
File created	C:\Program Files\msedge_url_fetcher_5440_2100750730\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\offscreendocument_main.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\offscreendocument.html	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\hu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\ne\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\iw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_503159364\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\service_worker_bin_prod.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\hr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\gu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_503159364\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\fr_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\vi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\id\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\fr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_593096207\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\te\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\mn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_593096207\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\bn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\ro\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\ca\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_503159364\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\page_embed_script.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\lo\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\si\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\fil\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5440_1221178425\_locales\pa\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876433576209946"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-814918696-1585701690-3140955116-1000\{88751F63-D057-49DF-8BFE-C0B7880C0B5F}	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2152	msedge.exe
2152	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5440 wrote to memory of 4276	5440	msedge.exe	88
PID 5440 wrote to memory of 4276	5440	msedge.exe	88
PID 5440 wrote to memory of 5964	5440	msedge.exe	89
PID 5440 wrote to memory of 5964	5440	msedge.exe	89
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5604	5440	msedge.exe	90
PID 5440 wrote to memory of 5528	5440	msedge.exe	91
PID 5440 wrote to memory of 5528	5440	msedge.exe	91
PID 5440 wrote to memory of 5528	5440	msedge.exe	91
PID 5440 wrote to memory of 5528	5440	msedge.exe	91
PID 5440 wrote to memory of 5528	5440	msedge.exe	91
PID 5440 wrote to memory of 5528	5440	msedge.exe	91
PID 5440 wrote to memory of 5528	5440	msedge.exe	91
PID 5440 wrote to memory of 5528	5440	msedge.exe	91
PID 5440 wrote to memory of 5528	5440	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch\opt\torguard\doc\offline_warning.html
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2bc,0x7ffb0003f208,0x7ffb0003f214,0x7ffb0003f220
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1940,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=2432 /prefetch:3
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2392,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=2388 /prefetch:2
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2628,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3460,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3448,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4160,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4916,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5664,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5664,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6048,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=6044 /prefetch:8
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6064,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6056,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5952,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5800,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5804,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5052,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=6268 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5604,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=3008 /prefetch:8
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=756,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5608,i,5414801257578891510,3257130355093893954,262144 --variations-seed-version --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping5440_593096207\manifest.fingerprint

Filesize
66B

MD5
496b05677135db1c74d82f948538c21c

SHA1
e736e675ca5195b5fc16e59fb7de582437fb9f9a

SHA256
df55a9464ee22a0f860c0f3b4a75ec62471d37b4d8cb7a0e460eef98cb83ebe7

SHA512
8bd1b683e24a8c8c03b0bc041288296448f799a6f431bacbd62cb33e621672991141c7151d9424ad60ab65a7a6a30298243b8b71d281f9e99b8abb79fe16bd3c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5440_593096207\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
60d40d2b37759323c10800b75df359b8

SHA1
f5890e7d8fc1976fe036fea293832d2e9968c05c

SHA256
c3a2f26d5aef8b5ed1d23b59ed6fce952b48194bed69e108a48f78aec72126e0

SHA512
0c339563594cc9f930a64903281589886308d4412ee267e976520a58d86b2c339d7b2320e1b3fd6fbf81f092ff1735f0710c669af2986ea5b63d2c1e0a6df902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6fae787df7ceed641878ee217b397495

SHA1
7a1f3438a6e9aff608c9a6461064f38083e2bdbe

SHA256
f62e347b3f3132a4cc989787b86bb8e4a2f671690f6c015237962a10223b418a

SHA512
235188d0c6b07c6db5a6bb51324e09d1934679bca60a14f42db1b5f14328ba800ad6eb63ee131450c2e672f816480c7f06dd0767166998289e5bad898a825699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
01d4bf2ad75da3f032c16370d509617e

SHA1
d378ff1ac8d921038648b61b253cba6dcf1ea676

SHA256
f0d2c179e0c8a4d93bb5a8280f71f9d80c20e761367f92400e87caea79d354ad

SHA512
c5a9e319fabfbbce4e56b3d6773f060c9bcb915a41caf6a0746dcc80c1f6ea2abdc1d4bf377de3d6a7956df7231d5f65489837036a02a285f709cab33ef67357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
da231db747a58b92cd072781c5ba1173

SHA1
f0d68664d9cffeff5313ffc669ef39518fd3351d

SHA256
16c1ffdd897f8efcf9ad77fb9518033ebc5903b8b7fd7f5ed0ea9232af02871e

SHA512
bdcef895f09e25698fc83f2bdba7d409a5c28eab16ffe479abbbca94ce679c44fe2334ffdf3f58fbf611595843a9d2a19d841b9fd8d2caa8ab97fad3b0a5c6b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
157718d601793260c3048356ae5da204

SHA1
08cd8535c85e86a712e36b3499436a3f479eabc5

SHA256
2f81a68c7513353fc82dcb9c4c957c2b4dbf42f74ff108b6f45eb162796eeefc

SHA512
0a011e288fbe14bb2e6db83d67342491444bd85645fb3e748b884c1801f4c28f8d1ff6c3c821be2594f6e97a4dbdc798956395235e4e44ab625c872c7edd1514

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
a83bf6a40a4ae7890af14bfccb9123f6

SHA1
37a37b10a86491f865845c8becba266206561fdf

SHA256
b1c3415bde011ceb6c91182c13be2935b51baf5cad612136fa5eb6440cef1e81

SHA512
8e01db62bfb59cc86a6ece486068057b1263bd2288503c809153d37ac832c8cb5698733dddea995d803384d773f77572988145050cc405b2b65520fedc03ec18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
0ba8258ed11d29dd14934dd31cf1326a

SHA1
6f2f2d467857acc9ac28fccf33996638565360c3

SHA256
1834e5df1ef2f5802225655feb287965a2bb7e0935664aadcefcd13242085ed4

SHA512
b7e5d71bb71bc896bceb8d7bba4f5ec9ea525516761ff91fee98acddfdbfe96e018116fe9c8f71454c7cf76363d9f038bc04786232a16028f0744b35a6b390f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
b3321a588f9caa2da2fbe8bf50b53540

SHA1
ca27f262f9ac5c2e05fd5a1bf69a45945c3d1921

SHA256
2aafa395f27106e163ddfb93cb0610da81cf10f0bb4dc4568aecb4edac5b254d

SHA512
e8b4f9f2a22761329115bac353a828eebd0b91c74e26e064a1e986212dc00c587b107ad6b27eaca987246644bc6e9fc86307f30546183565e120d247885240be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
26e500efe2b31af48f61ab1165be1e5b

SHA1
62f0f2ac323103abc743275808ceb5c33251f63e

SHA256
57b1cf10269fa3a070e8f071ab412e91566ba4df9829b0a27348e1925af031bb

SHA512
e8545b8a042d6cf44ba266855a982607e28677c950beec9e54e559566babd6f6f3bf7850520cfafeef36ed46c41bc741520afa174cf73734d227f0df04d64ed6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
7949c752ffffb7863e08af1292f34d6d

SHA1
d22f8d093c292518887d34538cb8b00ecc39bd9d

SHA256
6155f205df01421ef0ae5941d563c6f92213dde1f4eebf5859a80e4d32653429

SHA512
8128ef6d8ab8ae8281354c0c92dcb6f54c346bbcdd8cb77744ecbd8a5cc20e871b9861246a345b0575d7ce781c9f975f87f1f0f424790ea85d4462a804e278db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
0772db843498f590c05362b3254ab0af

SHA1
ea1a64332f7b345920977670b8dc6bf1dfa17258

SHA256
08567c1669d96f7d74399b30e16abdcd57bbc94660ec61a52a0fdde3ae0101d2

SHA512
b19c9d7ec5b5ad791bcf10bdd4d0a2a22639ed2b5b8b65b082d93828109c2d779dffb2e76f023b7eb529048e81fd181302c05a339716d348e605b8d02ceccdd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
fc6251ddd64391046e29208fe552b009

SHA1
c153cb99709ea95777b08518989aaec779b4860a

SHA256
9a4654733792c34da66eea04ae139737f5a9040b12117ee10a9b86181e587f8d

SHA512
529d97177b13150f0cba5e2aaec81a9a9077890089034080c902f0818bdfccd09c8b61fb51f62d7aa0c73ffd4000d34d1289bb04a53e252bb0d40cc99be09705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
0086d316eca19cb5573d33e74b2eebb2

SHA1
7fefee106185b08a45edffc00f1cbba6ec0d7559

SHA256
3c081199f369710e8139fadf264b438933205a1de7531fcdb1dece22af254f33

SHA512
3f0b2bef24746967d9c1b68cdf9f87fca556ae7cef27519c6ade307509e8b36450d50b435b2c1c3fef140ddbbe7055624bed87750212fefa7160a5a92acdbf93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
d984c17b3621450c09e7109a8b9a16f2

SHA1
5b6e4b75ac1cba8d331df1bcc515b0451ab255da

SHA256
537a10d41ac846ba50faedeb387979105e24fbef5d8675018e25d7b222b60801

SHA512
6120ac8dbf9631cfbfd11f96b9609b3f900bd6a6f4c293e2c5e1957fb23a34787f771f56653435a7e3797898ca81a2e77e22c3a83b6fc0f4349bc97e57e35b2a

Download Submit