61ab4d9e17954ad9885736ccd19a9a7e809105074b59d12ab78f4eefbe5d9581

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2023 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MicrosoftEdgeWebview2Setup.exe
Size

1.5MB
MD5

8b3b487e9dfd2852b5c8634b418e7c7e
SHA1

45ff4beb4125aed9fef91e88c03e93b8853ddeb8
SHA256

61ab4d9e17954ad9885736ccd19a9a7e809105074b59d12ab78f4eefbe5d9581
SHA512

2c041aeb5decf51134afbbf5583ed4a23d92ff5a7bcc35450a07f123b9950a57646522a5dcb34089e118ee353ecd1041e0eb020e55f9b9f8e67bb35cf519295d
SSDEEP

24576:3wy53G70SeiN9YqxCCg83udcWXDYajPF2410wuRpGfFki94qSe/wsNfzU:Ay53w24gQu3TPZ2psFkiSqwoz

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

Processes:

setup.exeMicrosoftEdgeWebview2Setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Trust Protection Lists\Mu\Other	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\edge_feedback\camera_mf_trace.wprp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.46\Locales\lb.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\msedgeupdateres_pt-PT.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\msedgeupdateres_lo.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\show_third_party_software_licenses.bat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Trust Protection Lists\Sigma\Other	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\VisualElements\SmallLogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.46\Notifications\SoftLandingAssetLight.gif	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Locales\az.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Locales\lt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\identity_proxy\internal.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\msedgeupdateres_ml.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Locales\en-GB.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Locales\hu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\vk_swiftshader_icd.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\identity_proxy\win11\identity_helper.Sparse.Stable.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.46\Trust Protection Lists\Sigma\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.46\Locales\ug.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\msedgeupdateres_hi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\identity_proxy\resources.pri	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Locales\et.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\identity_proxy\win10\identity_helper.Sparse.Dev.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.46\Locales\fil.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.46\Trust Protection Lists\Mu\Other	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.46\Locales\ka.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\msedgeupdateres_ca-Es-VALENCIA.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\libEGL.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Locales\th.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Locales\tt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.46\msedge_200_percent.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\msedgeupdateres_fil.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\msedgeupdateres_bn-IN.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Trust Protection Lists\Sigma\Staging	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\psmachine.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Locales\th.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Trust Protection Lists\Mu\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Locales\mk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.46\Locales\el.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Locales\sk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\VisualElements\LogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Locales\sk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.46\Locales\nl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\msedge.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\VisualElements\Logo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.46\Trust Protection Lists\Mu\Cryptomining	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\msedgeupdateres_sl.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\msedgeupdateres_tt.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Locales\pt-BR.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Trust Protection Lists\Mu\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\identity_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.46\Locales\sk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\msedgeupdateres_ga.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Locales\es.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\identity_proxy\stable.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.46\resources.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.46\Locales\cs.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Locales\gl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Locales\ne.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.46\Trust Protection Lists\Sigma\Content	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\msedge.dll	setup.exe

Executes dropped EXE 3 IoCs

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdge_X64_118.0.2088.46.exesetup.exe

pid process

4624 MicrosoftEdgeUpdate.exe
724 MicrosoftEdge_X64_118.0.2088.46.exe
4824 setup.exe
Loads dropped DLL 1 IoCs

Processes:

MicrosoftEdgeUpdate.exe

pid process

4624 MicrosoftEdgeUpdate.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

MicrosoftEdgeUpdate.exe

pid process

4624 MicrosoftEdgeUpdate.exe
4624 MicrosoftEdgeUpdate.exe
4624 MicrosoftEdgeUpdate.exe
4624 MicrosoftEdgeUpdate.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MicrosoftEdgeUpdate.exe

description pid process

Token: SeDebugPrivilege 4624 MicrosoftEdgeUpdate.exe

pid	process
4624	MicrosoftEdgeUpdate.exe
724	MicrosoftEdge_X64_118.0.2088.46.exe
4824	setup.exe

pid	process
4624	MicrosoftEdgeUpdate.exe

pid	process
4624	MicrosoftEdgeUpdate.exe
4624	MicrosoftEdgeUpdate.exe
4624	MicrosoftEdgeUpdate.exe
4624	MicrosoftEdgeUpdate.exe

description	pid	process
Token: SeDebugPrivilege	4624	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

MicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdge_X64_118.0.2088.46.exe

description	pid	process	target process
PID 1528 wrote to memory of 4624	1528	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 1528 wrote to memory of 4624	1528	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 1528 wrote to memory of 4624	1528	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 4624 wrote to memory of 1116	4624	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4624 wrote to memory of 1116	4624	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4624 wrote to memory of 1116	4624	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4624 wrote to memory of 4644	4624	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4624 wrote to memory of 4644	4624	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4624 wrote to memory of 4644	4624	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4624 wrote to memory of 1504	4624	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4624 wrote to memory of 1504	4624	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4624 wrote to memory of 1504	4624	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1504 wrote to memory of 2800	1504	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1504 wrote to memory of 2800	1504	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1504 wrote to memory of 2800	1504	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1504 wrote to memory of 724	1504	MicrosoftEdgeUpdate.exe	MicrosoftEdge_X64_118.0.2088.46.exe
PID 1504 wrote to memory of 724	1504	MicrosoftEdgeUpdate.exe	MicrosoftEdge_X64_118.0.2088.46.exe
PID 724 wrote to memory of 4824	724	MicrosoftEdge_X64_118.0.2088.46.exe	setup.exe
PID 724 wrote to memory of 4824	724	MicrosoftEdge_X64_118.0.2088.46.exe	setup.exe
PID 1504 wrote to memory of 3388	1504	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1504 wrote to memory of 3388	1504	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1504 wrote to memory of 3388	1504	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1528

C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
2⤵
- Checks computer location settings
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /healthcheck
3⤵
PID:1116

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzcuMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNDcuMzciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjVBRjQyQzEtNTc5Qi00NUIxLUIwMDItQkJDNDg0MDFFMkNDfSIgdXNlcmlkPSJ7QzZCMzVEQjEtQkU4Ny00QTFGLUEwNTEtNDBBREM2Mzk5REM3fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0I5NENDMDQ4LThCMTAtNEZENy04MEQyLTgyOURCMDlDMTBENH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBvc19yZWdpb25fbmFtZT0iVVMiIG9zX3JlZ2lvbl9uYXRpb249IjI0NCIgb3NfcmVnaW9uX2RtYT0iMCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzcuMTEiIG5leHR2ZXJzaW9uPSIxLjMuMTc3LjExIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDQxOTgyODg4IiBpbnN0YWxsX3RpbWVfbXM9IjMxMiIvPjwvYXBwPjwvcmVxdWVzdD4
3⤵
PID:4644

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource taggedmi /sessionid "{F5AF42C1-579B-45B1-B002-BBC48401E2CC}"
3⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzcuMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNDcuMzciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjVBRjQyQzEtNTc5Qi00NUIxLUIwMDItQkJDNDg0MDFFMkNDfSIgdXNlcmlkPSJ7QzZCMzVEQjEtQkU4Ny00QTFGLUEwNTEtNDBBREM2Mzk5REM3fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezQyQTFGQ0RELUE2MzEtNDM0Ny05RUVGLUJDMERFNzI5MEI5Mn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBvc19yZWdpb25fbmFtZT0iVVMiIG9zX3JlZ2lvbl9uYXRpb249IjI0NCIgb3NfcmVnaW9uX2RtYT0iMCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSI1IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDU2MzU3MzkyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
4⤵
PID:2800

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{76A51F2E-0250-4B5A-B09C-3497570C7147}\MicrosoftEdge_X64_118.0.2088.46.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{76A51F2E-0250-4B5A-B09C-3497570C7147}\MicrosoftEdge_X64_118.0.2088.46.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{76A51F2E-0250-4B5A-B09C-3497570C7147}\EDGEMITMP_08848.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{76A51F2E-0250-4B5A-B09C-3497570C7147}\EDGEMITMP_08848.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{76A51F2E-0250-4B5A-B09C-3497570C7147}\MicrosoftEdge_X64_118.0.2088.46.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
5⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:4824

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzcuMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNDcuMzciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjVBRjQyQzEtNTc5Qi00NUIxLUIwMDItQkJDNDg0MDFFMkNDfSIgdXNlcmlkPSJ7QzZCMzVEQjEtQkU4Ny00QTFGLUEwNTEtNDBBREM2Mzk5REM3fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezE0NTY2Q0FCLTlEQjgtNDg3OC05RDk5LTMwNkFFMzNGNEU3Qn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBvc19yZWdpb25fbmFtZT0iVVMiIG9zX3JlZ2lvbl9uYXRpb249IjI0NCIgb3NfcmVnaW9uX2RtYT0iMCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjExOC4wLjIwODguNDYiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSIzMCIgaW5zdGFsbGRhdGU9IjYwOTciPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTA2ODA3NzQ1NSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwNjgyMzM3MjgiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAxMjg2NiIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTMzMDI2NDYyOSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvM2UwMzVjMmYtZWJjMC00MWFhLWExYzQtNTM2NWU0NGI2MWMyP1AxPTE2OTgwMjI4NzMmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9YkJETXM0SUJzOFgzM3VvMEVHZG1lWnRjYlE3bU9uOHdyVE9GNjB3aHRZJTJmblRoS3ZVaGRXOHFEUjBKdHFjeGhpQW9mNWZUVllTUE4wWldsd0FKWThSdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjUyNDI4OCIgdG90YWw9IjE1NjUzMzcyMCIgZG93bmxvYWRfdGltZV9tcz0iMzc1Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTMzMDQxOTk4MyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0id2luaHR0cCIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvM2UwMzVjMmYtZWJjMC00MWFhLWExYzQtNTM2NWU0NGI2MWMyP1AxPTE2OTgwMjI4NzMmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9YkJETXM0SUJzOFgzM3VvMEVHZG1lWnRjYlE3bU9uOHdyVE9GNjB3aHRZJTJmblRoS3ZVaGRXOHFEUjBKdHFjeGhpQW9mNWZUVllTUE4wWldsd0FKWThSdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IjIwOS4xOTcuMy44IiBjZG5fY2lkPSI5IiBjZG5fY2NjPSJOTCIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE1NjUzMzcyMCIgdG90YWw9IjE1NjUzMzcyMCIgZG93bmxvYWRfdGltZV9tcz0iMTA3NTAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzM2NjcwNDE0IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTM2MDQyMDEyMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjI1OTE2OTcyOSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjczNCIgZG93bmxvYWRfdGltZV9tcz0iMjY4MTIiIGRvd25sb2FkZWQ9IjE1NjUzMzcyMCIgdG90YWw9IjE1NjUzMzcyMCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iODk4NTkiLz48L2FwcD48L3JlcXVlc3Q-
4⤵
PID:3388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.46\Installer\setup.exe
Filesize
4.7MB

MD5
df264761aa2a78f7b5d20422ff8974ce

SHA1
022d02e1362ae6397bd420e9fde345e9e14cb5b9

SHA256
f05073a90daf176d08eb101709e2136b11fa94d1b3948be1586ad5cbf0f68d6d

SHA512
7d3746649ff4f535ef5a048b43b868e7c50f8e25eede57981a53f2f85b7f2bd58ff5249bd6f2226512fa82c1842ee6cee2ff613d629381ac9cd6a55e72372e5b

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{76A51F2E-0250-4B5A-B09C-3497570C7147}\EDGEMITMP_08848.tmp\setup.exe
Filesize
4.7MB

MD5
df264761aa2a78f7b5d20422ff8974ce

SHA1
022d02e1362ae6397bd420e9fde345e9e14cb5b9

SHA256
f05073a90daf176d08eb101709e2136b11fa94d1b3948be1586ad5cbf0f68d6d

SHA512
7d3746649ff4f535ef5a048b43b868e7c50f8e25eede57981a53f2f85b7f2bd58ff5249bd6f2226512fa82c1842ee6cee2ff613d629381ac9cd6a55e72372e5b

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{76A51F2E-0250-4B5A-B09C-3497570C7147}\EDGEMITMP_08848.tmp\setup.exe
Filesize
4.7MB

MD5
df264761aa2a78f7b5d20422ff8974ce

SHA1
022d02e1362ae6397bd420e9fde345e9e14cb5b9

SHA256
f05073a90daf176d08eb101709e2136b11fa94d1b3948be1586ad5cbf0f68d6d

SHA512
7d3746649ff4f535ef5a048b43b868e7c50f8e25eede57981a53f2f85b7f2bd58ff5249bd6f2226512fa82c1842ee6cee2ff613d629381ac9cd6a55e72372e5b

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{76A51F2E-0250-4B5A-B09C-3497570C7147}\MicrosoftEdge_X64_118.0.2088.46.exe
Filesize
149.3MB

MD5
9d212440acefce35d553c6a1f639ba17

SHA1
dc320a51cf293b6a38b96f942a19ed17c7fbd563

SHA256
1fd052b884571ec38862187d38a73e506f41a019bae9102457938627c2c09055

SHA512
ac2392239544b1f13b2ccb256790262124da90558203f51e23c8f1771ef9ea178dbf0bca0014ed091ea8b334c8c1e80216b6ee891504954590fa90cff0b8ea20

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{76A51F2E-0250-4B5A-B09C-3497570C7147}\MicrosoftEdge_X64_118.0.2088.46.exe
Filesize
149.3MB

MD5
9d212440acefce35d553c6a1f639ba17

SHA1
dc320a51cf293b6a38b96f942a19ed17c7fbd563

SHA256
1fd052b884571ec38862187d38a73e506f41a019bae9102457938627c2c09055

SHA512
ac2392239544b1f13b2ccb256790262124da90558203f51e23c8f1771ef9ea178dbf0bca0014ed091ea8b334c8c1e80216b6ee891504954590fa90cff0b8ea20

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\MicrosoftEdgeUpdate.exe
Filesize
201KB

MD5
d182a0d12ca3a95fe1f2f5134861ae1b

SHA1
0c5f3e8a767a2b5ab7510d6139f47336e333e906

SHA256
14ba66344ddd4816d823d5ecc97bf94da5d441299401e8955f44b1df7969be06

SHA512
ab33ae1e3684c40b1a1d801d8b0ad8e0d624c9b3db60945a0c30a3efa02a2d69d284620859421407c9891db0fab4c4c57ece10b22b7b801dcb34ccd6f4ea2f12

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\msedgeupdate.dll
Filesize
2.1MB

MD5
c22f37ef0b285b63962ddf7e062ae29f

SHA1
ef9598d7b2ce54bd3ea4706ee863962d2cf272f6

SHA256
475f414a874da59ce0822f583d503edec46ac8583b6e6a0f64710f5ca2528594

SHA512
4c95c6e5439215c2c8cdb4db45de0631af4c2ab9ec25a4e0a495298cc6363d47000a454d1e6b79f503e4e76402a63ea3d90ce16c179c923f9d8a9b09e77f1564

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\msedgeupdate.dll
Filesize
2.1MB

MD5
c22f37ef0b285b63962ddf7e062ae29f

SHA1
ef9598d7b2ce54bd3ea4706ee863962d2cf272f6

SHA256
475f414a874da59ce0822f583d503edec46ac8583b6e6a0f64710f5ca2528594

SHA512
4c95c6e5439215c2c8cdb4db45de0631af4c2ab9ec25a4e0a495298cc6363d47000a454d1e6b79f503e4e76402a63ea3d90ce16c179c923f9d8a9b09e77f1564

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD90A.tmp\msedgeupdateres_en.dll
Filesize
27KB

MD5
3ba56c8fa89e5f66323ef47861af55ad

SHA1
2b4931cac944d06133ad5ecbf5f28296e0330631

SHA256
9bf804c655057b03f356c9b513621186ab80a3595fd44784b79babf3ed9d919b

SHA512
4aaeebf7031891f18dc28547c67df47d773952abbe38c04a723f840c75c78439f1d8f430f56a343d0592147b5d113d91348ae17c7effa331c8dbedee902916c1

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
Filesize
147KB

MD5
11b9fcdd70e51aa6b8c555078c5b02b5

SHA1
8b5bde0aa3d7b31f97dbe83a5377f2ee4f269229

SHA256
89112be4f0b3b1746759942af9b3c98976ac215d850bb3e350951b4b50f70dbf

SHA512
191418209422f22b7be14392c5f8b9bd115b4e8ba6f337713da1067db395f1434c2f4c1f862943a8ec801fb0a9c30fbe88e93bc662bab6565286154d1217bbe7

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
Filesize
151KB

MD5
1ba1ba97ade5a38cae72e1ff994cfe9f

SHA1
3abce6cca3f72ea8be11ad6b882af1c7d42c488a

SHA256
f3db26596f67b376333a331381658190eaf09e28dc58289617fe1992ae5a0ac5

SHA512
24ab5d6b4ee0461cd46a5a8839416868b0d49457ea9bd33dcbec7576594ad3f9ec74b9dc169db8520ffdf32ada1e70481d4e934308308fa404172c8ac66dd2f5

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
Filesize
160KB

MD5
7f0bd498ef1ac9d83a3f7aa674499710

SHA1
8cd094ec4036396112aefa7a653e706b28c4ea3c

SHA256
5e0edfa7329e2b5be4f85a5b23b7e5ec2b41cecf70ffdad1c5e5f3ebc73101ac

SHA512
a4a6532c82ccd0d45420ede53fad706558d27432d3bb5227244784106bb6bc245e28bd568011180f95857bfa439e9ad1679c4b693a5bbf105c5b7eb3bd994dc1

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
Filesize
166KB

MD5
6a9ceed8ae01ec5ddad835aee7a2e95a

SHA1
cc654c9d7b459336b267476d1ae368389bdedf26

SHA256
ef2387d5047457f8235f3161654e0971b75527b36d4f0ef1ba45c89ca77d97dd

SHA512
7abc17a175c56fa79942eddfb4245f0eb37c7fa837a1291c5d9df7ed7e01dc23eda35a6482959d5df65eaa176927692628ad18cf7eb899d8b4c1563fe776c115

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
Filesize
213KB

MD5
7d5cd45d290872c532436b1a94e9155f

SHA1
43d474f967f2a91cbc2c752d0a1c5a2b500dac67

SHA256
dd773c8d4e7e2a4e5fb513fb9ea3a5ac57f0d4b289b1664142743a1635152434

SHA512
d316d29ec7c37aaa1fdd507b13ecf5d79f170c8fe55d3720e8ac55e28a0a3d631e992d26d941fe1ba5d2caee7d6537ca3108d87e3dd8e2d29310c8f81d0a4202

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
Filesize
219KB

MD5
233b7a63f861202d77a1c9f624454033

SHA1
5a184dac4796280818f9cf60fd27f8989099e38b

SHA256
7ec6acba87fadb584b04c3a0e4985a7055e719da47eaa6d806743b462f9be930

SHA512
e35aa417c7fe24fb15f6eb05a214f2cfd2ad495221dd6c27322d6b928d4d12e63666a0e3f81ef425334448cf48e13ffb2ee3c3e85f6031aa952ad0bd9a924598

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AD0BAFFA-2367-4A95-9DBD-9B2A8E7248FA}-MicrosoftEdge_X64_118.0.2088.46.exe
Filesize
149.3MB

MD5
9d212440acefce35d553c6a1f639ba17

SHA1
dc320a51cf293b6a38b96f942a19ed17c7fbd563

SHA256
1fd052b884571ec38862187d38a73e506f41a019bae9102457938627c2c09055

SHA512
ac2392239544b1f13b2ccb256790262124da90558203f51e23c8f1771ef9ea178dbf0bca0014ed091ea8b334c8c1e80216b6ee891504954590fa90cff0b8ea20

Download Submit