hxxps://web[.]archive[.]org/web/20160602102617/hxxps://www[.]microsoft[.]com/en-us/download/confirmation[.]aspx?id=18481

Analysis

max time kernel
70s
max time network
71s
platform
windows11-21h2_x64
resource
win11-20250411-en
resource tags

arch:x64arch:x86image:win11-20250411-enlocale:en-usos:windows11-21h2-x64system
submitted
12/04/2025, 13:21

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://web.archive.org/web/20160602102617/https://www.microsoft.com/en-us/download/confirmation.aspx?id=18481

Score

8^/10

microsoft defense_evasion discovery phishing

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
31	4908	msedge.exe

Executes dropped EXE 2 IoCs

pid	Process
5448	setup.exe
3212	setup.exe

Use of msiexec (install) with remote resource 2 IoCs

pid	Process
5756	MSIEXEC.EXE
5320	MSIEXEC.EXE

Blocklisted process makes network request 4 IoCs

flow	pid	Process
60	5756	MSIEXEC.EXE
61	5756	MSIEXEC.EXE
69	5320	MSIEXEC.EXE
70	5320	MSIEXEC.EXE

Detected potential entity reuse from brand MICROSOFT. 1 IoCs

phishing microsoft

flow	pid	Process
31	4908	msedge.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\setup.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133889376863015495"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "139"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2316063146-1984817004-4437738-1000\{D5FD71DF-63EA-4EBF-A129-6F910CE1C131}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\setup.exe:Zone.Identifier	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5756	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	5756	MSIEXEC.EXE
Token: SeShutdownPrivilege	5320	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	5320	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
5756	MSIEXEC.EXE
5756	MSIEXEC.EXE
5320	MSIEXEC.EXE
5320	MSIEXEC.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3036	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 5676	1464	msedge.exe	78
PID 1464 wrote to memory of 5676	1464	msedge.exe	78
PID 1464 wrote to memory of 4908	1464	msedge.exe	81
PID 1464 wrote to memory of 4908	1464	msedge.exe	81
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 4832	1464	msedge.exe	83
PID 1464 wrote to memory of 4832	1464	msedge.exe	83
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 3412	1464	msedge.exe	82
PID 1464 wrote to memory of 4928	1464	msedge.exe	84
PID 1464 wrote to memory of 4928	1464	msedge.exe	84
PID 1464 wrote to memory of 4832	1464	msedge.exe	83
PID 1464 wrote to memory of 4832	1464	msedge.exe	83
PID 1464 wrote to memory of 4832	1464	msedge.exe	83
PID 1464 wrote to memory of 4832	1464	msedge.exe	83
PID 1464 wrote to memory of 4832	1464	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://web.archive.org/web/20160602102617/https://www.microsoft.com/en-us/download/confirmation.aspx?id=18481
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x36c,0x7ff978bef208,0x7ff978bef214,0x7ff978bef220
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1824,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=3892 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  - Detected potential entity reuse from brand MICROSOFT.
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=3868,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=3744 /prefetch:2
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2320,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=3952 /prefetch:13
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3036,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3044,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4744,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=4836 /prefetch:14
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4748,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=4828 /prefetch:14
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5596,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:14
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5784,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=5628 /prefetch:14
  2⤵
  PID:752
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1096
    3⤵
    PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5588,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=5640 /prefetch:14
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5588,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=5640 /prefetch:14
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6096,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=6252 /prefetch:14
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=5636,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6244,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=6772 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=732,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=6760 /prefetch:14
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6720,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=6772 /prefetch:14
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6556,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=6800 /prefetch:14
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6328,i,11466496304293377443,9571132490937659805,262144 --variations-seed-version --mojo-platform-channel-handle=4980 /prefetch:14
  2⤵
  PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:3180

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4780

C:\Users\Admin\Downloads\setup.exe
"C:\Users\Admin\Downloads\setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5448
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "http://download.microsoft.com/download/7/4/4/744a8606-9c52-4d59-8abb-8ca71ab5f2ab/Microsoft Windows CE 5.0 Emulator.msi" SETUPEXEDIR="C:\Users\Admin\Downloads"
  2⤵
  - Use of msiexec (install) with remote resource
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5756

C:\Users\Admin\Downloads\setup.exe
"C:\Users\Admin\Downloads\setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3212
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "http://download.microsoft.com/download/7/4/4/744a8606-9c52-4d59-8abb-8ca71ab5f2ab/Microsoft Windows CE 5.0 Emulator.msi" SETUPEXEDIR="C:\Users\Admin\Downloads"
  2⤵
  - Use of msiexec (install) with remote resource
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5320

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c0055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3036

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
f0a264821ad56f587ef8a5f5000b3cbd

SHA1
fa8ccbacc8036038543f20fea54b289f0b4fc0f8

SHA256
4a198d269b94f672544ed22c86c64f30b4e6fb3db8c4ffbde13759c6e16a2e48

SHA512
91f708803cc29b551649f039a8579c122f850698b580335813f90b9993a0b6b132ba119185f845666ddaaca5aa255ed14f3a0b34c8cccdd95ac24e0c53574117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
caa5d82341c47c78525a73bf7d5560e6

SHA1
ce6ac99d6d9235797c046777d54d01ce49573291

SHA256
bf9b8d4b7d5a17361fd1a32523b174d63ce017eb12f11b50ce62832d5a66cb35

SHA512
28e0af01ebe7f6926f05a5aa8eefac2617d2a9179430a5b0bbd92833d3ad5c161c1c68e52947cc0e8513109cced93397586c29b4384829a8db9306a7201e8e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe58753b.TMP

Filesize
3KB

MD5
88733b5760c25794e7ebf87654135c8e

SHA1
d5fbd1e5edbec42058419aa7effe00797183a56c

SHA256
58bd1682a791ea0202cf9491d1cf5abd811efe72abb21829129d17146486dc60

SHA512
9ad39ffe6af62f9322cc1a9c2e1369681f2be748410dc310545bd2f556e71bea350dae2b4faf8b191de88eea01f03d41c33a9a9dc1916dfc4cb4916cd1be66e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
53b24ce0e499f87f21d7c94270655849

SHA1
15319f6ea4de769766b97804936adc9ed5aa798f

SHA256
8d8572ce634b72f47285dee3327a68c35339a50d8e49861fa36b3655fb066339

SHA512
f4af4de423bb421149e78f546b5db874c02cf3f142fcfbd640b805e63735bb13970ab20b9f9fd87b0afe75db438e3a5136459e328d8914119a9c05f945ce1656

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
e2bbccada52b0d9e4435c5496aa1a6c1

SHA1
f9733bc3c206b61c2476963886c9a976991a452e

SHA256
186af6eb90237a1a59b35bf4269ca970410623fa8b3928a14f87897969d32dff

SHA512
4501bd16f471a11ea9d806161a04894bca403662922171a17347115a8d251f0f067217f5bde7c34e17bfe8f0380d3afcb559b603544bf47ed40c05f947eebe26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
df7fcd59df4c90c88b5bfb6739e7df46

SHA1
64e3e2af6e74be181023897f09419f8c9c6a3293

SHA256
c63ac7c614b7feb760a12f3e65679e7a84ada725f77d19aff2f452c6dcb7848b

SHA512
21b56715cc85a94d326bf624a408e50a46308fc1eb68031108ddef3d71e8df670886cf37a8d332aaf61e9ad6bb85666722973278a6e3681675206123221fa3cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
2bf0769ab70151dc9a153d3a9715b2ab

SHA1
85a187ba4535d95599e430e07e728afaedb71b4c

SHA256
166356725358542b11254274c40a480794348002abf77b808e716f724f450cbc

SHA512
dc07b0e551b3ff837ab5024a16b248680a88bb9729bcb58ca56d57758a8a7a700ceddd6ae63dab00a86f8bb97db36e322d74ec55bf5196d20f5069f1841a1d2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
73693719d6071be32455c1ca441864ce

SHA1
9dac9d4dc88d32164157b6f6e11fa5907de7718f

SHA256
1f33c7346c019ca3e164af32ce808e6847a25225335cecd2e01058d2557b048b

SHA512
1ad95e52c9683e32b2b2c95f4b416042014f1231065617fcebf7d639917ebd6f93003fc24010654b26513a103051e3932d18b84b3aeca48a6b6e7fcd1b62c144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
464B

MD5
558d2648c82c11a0af4878f87402edc8

SHA1
3d343e9965198524296e50fe97d7248a4ebe4a96

SHA256
f7ffc382e43ca71edece3f960bfc45fff57915c418bf69700346fc8670b937ba

SHA512
7ef26fd998e9dfa46d89f08229d2e5c1a8bfce33bdd71b0209fdc43f426812441b7d0265a07cdc2f649137433903ebd9d373caa5a161434137af0c8197aa6158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
cce67b9d8374ad223124a99bdabc3126

SHA1
25d7d6aad0c8eb64d68935d0e9ab500df410c0da

SHA256
8686f986c53ef134e63ee71a8a12c3d4957b83286c4ec0f09beb996171c71046

SHA512
9890fc79b7af2eec0dcba9a47af581c6c2aa0786dd5ab9a61b2ddc4c0edc01388a2f1cbf3a9131d45ef756e333ff2f7bbc457693ee5005f4a985f1f408d17283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
7e68200b1d6f2a175448239261d29083

SHA1
8ba73ba58ae35552af345bd49152ddffcb3bba2a

SHA256
27d0aebb1706af72fecf6d2095589d02688e775478eeab3c1d4bb901b0edc933

SHA512
86960bc5672a8757da8119baf1100ad62f2c1ea503a611b06ae6b3e2754abc5e2dfea8e483020f22b36c29468bbdf979e6c6673fb8842c4bef05c3f71cca4849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
e80d0028864be5364a392c2b4441e40c

SHA1
dc4d4baf83fef23fbae65c0d12a40706082e3a6e

SHA256
be0a091f816041942f59d631fca990edbd0ef863461f682c1fcccae1b79640c9

SHA512
87f70819960be885472cd34b5f296fb04a9837bc6c14ff6025fe5c39bdc7eacde2bfc1c5152d9a69e387406d336397b8fb5635e224fbbd8b39a82b664309454f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
6a6b4c9c95a278f7bcdd964840035756

SHA1
5548b8e5994f71b82e4ce8aeb8b8b1f84206bf8f

SHA256
a77f688dbecd4213ac4f8a4e72332ebe30bb586711977cfdcc84aa355788d293

SHA512
17942b57b15872a331f6a1917c99a40ed9e2af9fcee8f60009f72c563a58b81d2350bb84e025c35036db6cc0b9935a78b843fbe6faa1fa61baef6aabb297a6e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
46KB

MD5
d5d5bb333f278b006670cedcc36fe124

SHA1
5960dc21dd2144c646e9bc48c619136b2ab5735d

SHA256
37c8c4aec9df598b33f7a42d784af81a5cae02ce58674d4d5ff6d04fd86ec0c0

SHA512
78af0bbb22bb594a8a0a9cff79c1fc4c2ef3934aeaf5b6afb1279f3601953136ea129216acd7253790bd86840129f9d8fbf65b6d3940a4083cf75fbaa138f6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is393C\0x0409.ini

Filesize
4KB

MD5
7a858ca524beb223533a2ac6138c4b73

SHA1
aa7a7e8e7c6c2324d2906a78c243b187a072aa59

SHA256
97eca8e6d33a2761f94831f3f82e030a8e79b5cbc12dcbed4eb1de9c4edf4d1a

SHA512
d3861daf5e0754388f1719450cbfebe629090e41249ef2a206a86dc3fc5f68b3a98c29ddc159d44348080e48bc84a8e0815aa39d535187eb4737cdf4d486bf88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is393C\Setup.INI

Filesize
1KB

MD5
92e51d2e97df982af17d4acacb72736a

SHA1
38dba33e34eac1ef58670e7ad9ca7272649f26ac

SHA256
7d2fba556af4541484b9197e8d5d9a7a20c361931da225972491a013d836caea

SHA512
c7473946a7610938641cc55715238b8a8a69ab9b2b536392b60a6c68ea952848a657addd01775c1401bd1525c4ea82a9ac1150a2bf5799e6febce8a9d7bae42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is393C\_ISMSIDEL.INI

Filesize
9B

MD5
ed5602cb0540d203f85998db92821f1d

SHA1
6090ee19d2e0d2fc3c65cb0bdf8242abc849ba9d

SHA256
39dc0aa1c73f37aca1528e6b1dbece97e523cd1324e9b577f5dc5e2217197868

SHA512
14fd93c45a129a88defac989f01df8f4a25580b83ad6b5eb5a9d1d28f6a6c68f840b2f6c71ec77558f8d4f35f8fc3f8ddcece19f3b687e40f396b153b4f79746

Download Submit
C:\Users\Admin\Downloads\setup.exe.crdownload

Filesize
3.6MB

MD5
424030556dd67a9b77726cca76379a9c

SHA1
27d58b35ea4bac0ab338544b9c8e69bf0d71af85

SHA256
f0cac4c20e4a678dd84e66a34bef25238331683be47be3577f1430cd0b93be37

SHA512
7d74207f3b685d4f8adc6b32e491d3fcdb76addc09d0c9aa886b49abc1f10476a0fa429cc76059d4fcf2932d2a91d2f38900c06dec554a40fca6cba5dd6a2140

Download Submit
C:\Users\Admin\Downloads\setup.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit