fb8bea0350766a97ad53467bad9e916c5e8f50d4c7956d455182ab29374d1962

Analysis

max time kernel
145s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
22/04/2025, 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InstallUtil_exe_PIDf24_InstallUtil.exe_400000_x86.exe
Size

264KB
MD5

aa42412f68b45b4239642b70e77f5650
SHA1

2edbf5cd0c49433807d828ab72fb2dc18ed90973
SHA256

fb8bea0350766a97ad53467bad9e916c5e8f50d4c7956d455182ab29374d1962
SHA512

c4f602bbdef1e90d2085c1330f126ac518049baa33cd3c7902f3e36721a505e5e4f1a449a097771d8aecb9cdc9729906d46aef0273a70306fa363686ef5fe778
SSDEEP

1536:V9Tyzlxf7vj1TD7b87c5Qmb8XCuCqyW/kqqJHkn4Byq5Xbgc9XmJI3wZ2/eK:vKrf7vj1TPbccVbXWxunyq5rgSmJIv

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4416	msedge.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_31888249\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_965809042\deny_etld1_domains.list	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_965809042\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_1321618933\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_1321618933\typosquatting_list.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_1321618933\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_1290302787\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_31888249\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_31888249\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_31888249\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_965809042\deny_domains.list	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_965809042\deny_full_domains.list	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_965809042\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_1290302787\well_known_domains.dll	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_31888249\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_1290302787\manifest.fingerprint	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil_exe_PIDf24_InstallUtil.exe_400000_x86.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133898384301712187"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3582532709-2637047242-3508314386-1000\{C0093215-2431-43FA-947A-6D6EC6E0F67B}	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
6032	msedge.exe
6032	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4416	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5736 wrote to memory of 4416	5736	InstallUtil_exe_PIDf24_InstallUtil.exe_400000_x86.exe	84
PID 5736 wrote to memory of 4416	5736	InstallUtil_exe_PIDf24_InstallUtil.exe_400000_x86.exe	84
PID 4416 wrote to memory of 6132	4416	msedge.exe	85
PID 4416 wrote to memory of 6132	4416	msedge.exe	85
PID 4416 wrote to memory of 704	4416	msedge.exe	86
PID 4416 wrote to memory of 704	4416	msedge.exe	86
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 2372	4416	msedge.exe	87
PID 4416 wrote to memory of 4548	4416	msedge.exe	88
PID 4416 wrote to memory of 4548	4416	msedge.exe	88
PID 4416 wrote to memory of 4548	4416	msedge.exe	88
PID 4416 wrote to memory of 4548	4416	msedge.exe	88
PID 4416 wrote to memory of 4548	4416	msedge.exe	88
PID 4416 wrote to memory of 4548	4416	msedge.exe	88
PID 4416 wrote to memory of 4548	4416	msedge.exe	88

C:\Users\Admin\AppData\Local\Temp\InstallUtil_exe_PIDf24_InstallUtil.exe_400000_x86.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil_exe_PIDf24_InstallUtil.exe_400000_x86.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=InstallUtil_exe_PIDf24_InstallUtil.exe_400000_x86.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x2f8,0x7ffed2d4f208,0x7ffed2d4f214,0x7ffed2d4f220
    3⤵
    PID:6132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1840,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=2100 /prefetch:11
    3⤵
    PID:704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2064,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=2056 /prefetch:2
    3⤵
    PID:2372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2196,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=2420 /prefetch:13
    3⤵
    PID:4548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3372,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=3420 /prefetch:1
    3⤵
    PID:5196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3364,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=3444 /prefetch:1
    3⤵
    PID:5040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4856,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=4796 /prefetch:1
    3⤵
    PID:2396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3332,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=4864 /prefetch:14
    3⤵
    PID:1540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3600,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:14
    3⤵
    PID:1256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5628,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=5676 /prefetch:14
    3⤵
    PID:1872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
      cookie_exporter.exe --cookie-json=1132
      4⤵
      PID:4204
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5384,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=5880 /prefetch:14
    3⤵
    PID:484
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5384,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=5880 /prefetch:14
    3⤵
    PID:5388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5968,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=5980 /prefetch:14
    3⤵
    PID:232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=5456,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:1
    3⤵
    PID:5688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=5740,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=5744 /prefetch:1
    3⤵
    PID:2804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4672,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=6268 /prefetch:14
    3⤵
    PID:2968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6316,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=3396 /prefetch:14
    3⤵
    PID:4984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5880,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=4784 /prefetch:14
    3⤵
    PID:2348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5044,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=3616 /prefetch:14
    3⤵
    PID:3868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5972,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:14
    3⤵
    PID:3576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5736,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=6116 /prefetch:14
    3⤵
    PID:1932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6668,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=5060 /prefetch:14
    3⤵
    PID:2120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6212,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=6024 /prefetch:10
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3448,i,15616230537464087802,7118214911343478618,262144 --variations-seed-version --mojo-platform-channel-handle=4488 /prefetch:14
    3⤵
    PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=InstallUtil_exe_PIDf24_InstallUtil.exe_400000_x86.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:5164

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
978d790ea9bbd3b3113b1d32773304fa

SHA1
61c9b3724e684c2a0507d7c9ae294e668e6c6e58

SHA256
36c686a276e904607d2a18c2a2fc54467fb8dc1698607f5d5a6cefb75aa513c8

SHA512
d50740255d20d2a5e6abdc78f4fe9ef6e832f2ffe9ecc200916a73db1e0dd37d67d88996b315e128bf5b77bb110e4e8c29905aa5d90b83019be2cc8127d0dfc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e695903ad7236bba7b93edfe4c4794d4

SHA1
d39082af04bade55fb8e63ec229b3f2e49e12994

SHA256
cb027cea91ef6b540fdf549e93a2439cdefc32322437fb0d7ac8eeabe4cb4db3

SHA512
4f5f47bd750b1a2466e34237dc2222e6e825c6a1c2d12a7d13635162c6751ae5717f8f12a3ff9109d2f022503b1318fbe5142e1be0c64e3b846ae74c4ac4f0e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe580328.TMP

Filesize
3KB

MD5
b976b5eb11070324d2ecfbda83cafef0

SHA1
96d03cd895fa50d00217e96a0e0c1a9596f25c38

SHA256
a89355cb94a20d44d47f04dd281683aac796e95b1f3342eabf23a32cdc681f74

SHA512
8ffbaa0683b5e4cdc61fe9dbd37ebf64bcf16d976777e3920847e97b088dd17dc0987e4dfdfd879317414ccc19bd5ab696e9fd5f9b08eea79346bfe26fd231f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
108KB

MD5
06d55006c2dec078a94558b85ae01aef

SHA1
6a9b33e794b38153f67d433b30ac2a7cf66761e6

SHA256
088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd

SHA512
ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bbea749ebb40590db95af86857614bb2

SHA1
89609b0f70d27b4af89ef178823535a9df6ea771

SHA256
820be435e84aa7bed93186aec3df441182abc3bf3ea1aefcf12855b8fe6ddb27

SHA512
d0a5e0f76d90d24cd87de826151b83a38ee637bddd3c125cb9cd2350f23d8ec11266d068a3f78ca7912320724b3e043e4d9eb80846d2469fb8e5fbcd7ef72b3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
21cfc2e80fa98f85704b1db7f92ac40d

SHA1
1629333c4a5ca3b4f810d833ca39a6ad9e71ec19

SHA256
9d87a1132f8478ba5ad3027b66277e8560b0cd4a547edec9daa4bf2fb4ae6323

SHA512
e8d8b42ab93b41848461402914f8e4ba1d47a50b1cb9773f268c67507c0adb8c1a7663868076f60f853d4030ad32608e89da134e6a93bb5ce57e05155b8f8da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
d91a1d3f65638011c84dcc9b0bf2a795

SHA1
5cf43526b7855b9068b7db2b8a03d2f5248d2e8f

SHA256
9342ec1b9a826903ad8518943db69a07bbd7c53a16cb8147d9b66ac52f65fba4

SHA512
add2dd715fee950f8629ca74184640a113ca670338eee1d421c7540f9357e7b260609e4bbb2958be11f1c8d70a96a0ff1645a5b325d930d0aa22ecbe76075c80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
92309a6ecd998e2de4515b959d07e194

SHA1
b516844ecab029c96589beb8d080d51bb117f93c

SHA256
c3733ee98f5086aae44efb76ce1261ef83cc2a12ed162ecfb645f61a2f2c3eec

SHA512
ffe5bfbaa2a3da0a75519a5a7a9cebe2aa6acc1f8997b68d5980ca9df71536a65e72afac8f72964e64a17f6e2ba13bd54ec1431566f69b5f9e2e7bed17f7a3f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
a20066776e7c94a2a13e7ebbfd634475

SHA1
44055e33f511c45b8cef9b18e60fda309cbbb6e4

SHA256
63bb1ccab203a9bd221d4c5e99b6ce0ea65f906a20d9c6c99abb9491eabf64dc

SHA512
512ecd8ab4a6697a6c0993649235288e5a7fe258d8d215e68566b47febff3b0efefd094609b563e55630a7b12b9f7f4427e6f2074c42a88d93b76fd0b675376d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
e831ba26454bb3b4a23fe44afae09e61

SHA1
59f667aa0bd0dc9a0e0f88eab057049535d4e770

SHA256
ba00bb325fbcd40ebf0a251217890b293fa2b022ae44af702f3376c77e37bcf1

SHA512
abebc3ca9a6e6451cef72987b8b147e523b912d281389a1e72f1ed160ff621155954e8bc6b59c77431febeee6e3cdd197728174c6f5d46ba499c9d3d4aaa3ed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
902B

MD5
35e54a460a91e40bd4d2b5be549e3355

SHA1
ca839c30ba8330b2c9da2b6b50fd0d91a02b9e45

SHA256
b4637a9c578a63636653676ad1d8919e085f9280a27f33c83587d8789626de6e

SHA512
6de9dafc91a65199d789b2e1f818596352d6ad9559f661d26a3c3c73cd28949383174600121241b6fadbaa3c0b1f296d24110fac48002243cf6c95d388eba1fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
20KB

MD5
86376564d52fbc5bdb4baf83c464ed6a

SHA1
134fa91cb8cc8e09926242f5accf3abc9af54027

SHA256
938997bda8ca14dfca75d7175dd7d11caeefc9f795fac879f952af7bbd1834e0

SHA512
12307f679b29dd307c78db498a64d779e684800ca08cf289d6400c120923c1b091b215f4f6cefe37fce9b56f95e9fe7418d2368624b768aa7cc055e3c3894e9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
467B

MD5
4908c6034390342b4644a44c42b1e44e

SHA1
8ef3696a57d0ed27b8c154b54a1cbad49ad19cd0

SHA256
9de5fb77cde993ebb462456b1a334ea04b0397996250f262b2c731789aff0d1e

SHA512
ebbf37aad31e2dab523071ad8363794d4c75d295756cb6e8c63c9579f86cdc0352282039f900ad89dc82df5d2437c951e0c0ea9dae6df92c8899151c3a06c9f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
22KB

MD5
3f8927c365639daa9b2c270898e3cf9d

SHA1
c8da31c97c56671c910d28010f754319f1d90fa6

SHA256
fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2

SHA512
d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
80289c242dd6a3851f00e814faf4b72a

SHA1
e884fe72c28161f7359485761544628d1d101061

SHA256
3015819933dd411a630a355372c9fc80294ab5eb85eb025ee68f79a043b5e57d

SHA512
f6f0536d3502142fb30af707c71920c1313867de391acc94bcf8ac36c3082dbad786e5a0d6583828a80bbe104620d4fe2a00d1e7079b62effa06167a06e77e5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
9489b4b87f13b31589e2970e997d6696

SHA1
8e30b33d7d6693e182ee17556a8bb5e3309840cd

SHA256
7c05a43d588445dd731564f7a02b3602ea6132e8c478023c0a894d3e858fa9d8

SHA512
8ec7aed0d658c23698ed61dfa08569c46e22a4ccb13ec5cf0d1b878f2d57410f181f5a9de0fb5b4a3659e965661b17c557d7a4ebe42fc81e5e0f543ae68bc4a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
3ad18984963a90a6bbf2104ebd9e3766

SHA1
7ebf7eee5287e64fd644ce2bdc08899a60f3035e

SHA256
851fa8ffaa98ab14ce947528f33ee97bdc600bac029b4cf51d949e0be75428e9

SHA512
021fa1c7ab62feaf55732995b60ce4adb882d689109ebd40ed0f08bdf1596966ea24600c67e3e74f5fea096b5d821b517498e090ab5219e77d0c5cdec44af0c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
3334d6bc8eb8827a0552ad7f16c89fa4

SHA1
0dd13846b7986cbe26db0269269c486f789e8e22

SHA256
86b42f741dd792cfb446eac675914915a651efa324490598faa7a7563a5f1276

SHA512
e6081310fbdf5e4c22291e60dcfbe0019312b11d603e7d0e140d2dc37e722ce77b75ce57d187b68091476fb6f4a2aa1e41ff1b08fb40647280eb22f8133b9d52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
21833141baaf6ab6b03f77c393906adb

SHA1
019bc704e70df59076db81ce013544bc3a7313af

SHA256
3b700e278ee34688214c694686cfb7cf7d901c557812b375f42ce212f168e7c1

SHA512
9a2f83cc98b6c28d7637f6a3b2b7c568e715154f8695e61bb6b0e99297fe6b721fc2079ad7c460046524326efd9c21319aed349b65788ca0883ec6eca54c087c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.4.22.1\typosquatting_list.pb

Filesize
623KB

MD5
f09c8c228b47e93d18c59147ef986cf4

SHA1
c7e871c0201605c9cfbc22211d01d941e7bbfd24

SHA256
3490402f1d2bf48a4f97df2ba85f1338c42dfffdc8ba941ec0b33eaaead9de9d

SHA512
ec164c719c0c83fbbe01c053bb0038990b941aa4264e9bfa28ca5c569636235cd0898a6cd61282079f057959f6955a67c9bc97f59871404a0a0b5051756596be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Well Known Domains\1.2.0.0\well_known_domains.dll

Filesize
572KB

MD5
f5f5b37fd514776f455864502c852773

SHA1
8d5ed434173fd77feb33cb6cb0fad5e2388d97c6

SHA256
2778063e5ded354d852004e80492edb3a0f731b838bb27ba3a233bc937592f6e

SHA512
b0931f1cae171190e6ec8880f4d560cc7b3d5bffe1db11525bd133eaf51e2e0b3c920ea194d6c7577f95e7b4b4380f7845c82eb2898ad1f5c35d4550f93a14b6

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_1290302787\manifest.json

Filesize
141B

MD5
811f0436837c701dc1cea3d6292b3922

SHA1
4e51a3e9f5cbf8c9c96985dabe8ffc2de28dae87

SHA256
dbfb38a16e33a39c35ac50bd81782e4608be14954f1df69ac8272c0b9ce87a5d

SHA512
21e7bf2f8333b2900bcbcb871ede14684073249597d105095dc7d3f101e7ccc326068732f11d4a167365f245a3f2205793f520c7666d7f948e70919b40b43d35

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_1321618933\manifest.json

Filesize
118B

MD5
75b1d4b23e65bdb25a36719a533e38b3

SHA1
0add8ea1a7d19841b17bb8b1649b1528755ce0fc

SHA256
287a1fc029487cff92e59abd7a2ca7531b398502227a105603634628d4b20eef

SHA512
c49c5ff85ac40ef984c6751dae8a6c96b2aca28cdc54f7467878dec09bc0c1498598d52c1793b754bf33bce2b2e226d04eed52b196fdcfc1baa26d0f51785bee

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_31888249\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_31888249\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4416_965809042\manifest.json

Filesize
176B

MD5
6607494855f7b5c0348eecd49ef7ce46

SHA1
2c844dd9ea648efec08776757bc376b5a6f9eb71

SHA256
37c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd

SHA512
8cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a

Download Submit