Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
21/05/2024, 04:59
General
-
Target
dec5f022a4ad783d8aa86ab942af058de15672bded1e658144be3bebe83f2576.exe
-
Size
1.5MB
-
MD5
afc2ee54ccc92ec64f9ff3af3917b004
-
SHA1
79fb0a9bff73caf7af789a03c32646790669afc1
-
SHA256
dec5f022a4ad783d8aa86ab942af058de15672bded1e658144be3bebe83f2576
-
SHA512
57ab8f2c527431bfdc74c7772562168970a8f1d48e50c0edc2cee18b6dec458d5f75499c77b211d77de1e29c0cb3fa564fa5da06ffc2a5b638c500d0862e166e
-
SSDEEP
24576:vY4zeSzdCi8pfHsEU8XtP39hzjMi+3DQvtjMq9kNZXIq587HyPnSfXxlAwMLVb4R:vbBzn2sF8Jjfl49v4q5WH4SPTAw8UBR
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 7 IoCs
-
Downloads MZ/PE file
-
Sets file execution options in registry 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 17 IoCs
-
Loads dropped DLL 64 IoCs
-
Registers COM server for autorun 1 TTPs 33 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Blocklisted process makes network request 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks system information in the registry 2 TTPs 12 IoCs
System information is often read in order to detect sandboxing environments.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 10 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 11 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dec5f022a4ad783d8aa86ab942af058de15672bded1e658144be3bebe83f2576.exe"C:\Users\Admin\AppData\Local\Temp\dec5f022a4ad783d8aa86ab942af058de15672bded1e658144be3bebe83f2576.exe"1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\4286bfca-e79a-461e-81a7-21e361ede39c.msi" /quiet /norestart AUTOSTART_WITH_WINDOWS=false2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c timeout /NOBREAK /T 3 > nul & del /f /q "C:\Users\Admin\AppData\Local\Temp\dec5f022a4ad783d8aa86ab942af058de15672bded1e658144be3bebe83f2576.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /NOBREAK /T 33⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Programs\Cisco Spark\CiscoCollabHost.exe"C:\Users\Admin\AppData\Local\Programs\Cisco Spark\CiscoCollabHost.exe" /protocolUri="webex://meet/?bt=12&bv=124&cr=b78dee4c-4867-44e7-a42d-9d5e3d83f910&dns=oncor.webex.com&en=3&flag=49&joinTXId=XpW4FhTgV9&jt=eyJkdDAiOjE3MTYyNjc1NTYsImR0MSI6NTIzLCJkdDIiOjIzNCwiZHQzIjozMTMyLCJkdDQiOjI5MjI0LCJkdDUiOjkwNTAsImR0NiI6MTcxNjI2NzU5OSwiZnQiOjEsInQiOjMyLCJ1cCI6MX0&od=1df51ee8-41e5-49a0-9494-38d1c4b68458&rc=4&[email protected]&siteurl=oncor&tr=E7E7257C184B4BC6BEA6D8F5AE42B555_1715351073738&uuid=b35d2a8b14e943e2941774b2858619cf&vp=0"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\CiscoCollabHost.exe"C:\Users\Admin\AppData\Local\CiscoSparkLauncher\CiscoCollabHost.exe" "C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.5.0.29672_ad7d5d18-176d-4792-8444-870158a84d35" spark-windows-app.dll /Hosted=true "C:\Users\Admin\AppData\Local\Programs\Cisco Spark\CiscoCollabHost.exe" /protocolUri="webex://meet/?bt=12&bv=124&cr=b78dee4c-4867-44e7-a42d-9d5e3d83f910&dns=oncor.webex.com&en=3&flag=49&joinTXId=XpW4FhTgV9&jt=eyJkdDAiOjE3MTYyNjc1NTYsImR0MSI6NTIzLCJkdDIiOjIzNCwiZHQzIjozMTMyLCJkdDQiOjI5MjI0LCJkdDUiOjkwNTAsImR0NiI6MTcxNjI2NzU5OSwiZnQiOjEsInQiOjMyLCJ1cCI6MX0&od=1df51ee8-41e5-49a0-9494-38d1c4b68458&rc=4&[email protected]&siteurl=oncor&tr=E7E7257C184B4BC6BEA6D8F5AE42B555_1715351073738&uuid=b35d2a8b14e943e2941774b2858619cf&vp=0"3⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c start /B /WAIT "WebView2Installer" "C:\Users\Admin\AppData\Local\Temp\\WebView2Runtime\MicrosoftEdgeWebView2RuntimeInstaller_118.0.2088.69.exe" /silent /install4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WebView2Runtime\MicrosoftEdgeWebView2RuntimeInstaller_118.0.2088.69.exe"C:\Users\Admin\AppData\Local\Temp\\WebView2Runtime\MicrosoftEdgeWebView2RuntimeInstaller_118.0.2088.69.exe" /silent /install5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Temp\EUDE45.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EUDE45.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers"6⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc7⤵
- Executes dropped EXE
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe"8⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe"8⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe"8⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzcuMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzcuMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDUxNUNFMUYtREM1Ni00RkFFLUIwMjAtN0QxQzhDNDc3MDI4fSIgdXNlcmlkPSJ7N0U0RDVFRjItQ0UzMS00MTc0LTkzMEItQkE2MjZGOEY1QjQ0fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntEQkMyRTBBQy05RUM1LTQxNDktOEQwOC0xNjE4QTY5QkMwNUF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgb3NfcmVnaW9uX25hbWU9IlVTIiBvc19yZWdpb25fbmF0aW9uPSIyNDQiIG9zX3JlZ2lvbl9kbWE9IjAiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0R4T2JqSEdhK25SYTJhdEMzd28rSUVwQzc4K1pZZUFVYmtYcERDMmNqN1U9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xODcuMzciIG5leHR2ZXJzaW9uPSIxLjMuMTc3LjExIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NzAxMzk2NDAyIiBpbnN0YWxsX3RpbWVfbXM9IjU5MyIvPjwvYXBwPjwvcmVxdWVzdD47⤵
- Executes dropped EXE
- Checks system information in the registry
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers" /installsource offline /sessionid "{D515CE1F-DC56-4FAE-B020-7D1C8C477028}" /silent /offlinedir "{523B33CC-EDBD-445D-81C1-42AB6F6047D0}"7⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 49868B1DEF2218A2A652AF6CF5ED53BE2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\system32\\taskkill.exe" /F /IM CiscoCollabHost.exe /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding D6360462DC184112F4D62B730CE8920C2⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3764,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=1280 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Checks system information in the registry
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzcuMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzcuMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDUxNUNFMUYtREM1Ni00RkFFLUIwMjAtN0QxQzhDNDc3MDI4fSIgdXNlcmlkPSJ7N0U0RDVFRjItQ0UzMS00MTc0LTkzMEItQkE2MjZGOEY1QjQ0fSIgaW5zdGFsbHNvdXJjZT0ib2ZmbGluZSIgcmVxdWVzdGlkPSJ7NEVDQzUxQTktNTU0RS00QzlELTg1NDAtNDBDOUUwREUwRkFBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIG9zX3JlZ2lvbl9uYW1lPSJVUyIgb3NfcmVnaW9uX25hdGlvbj0iMjQ0IiBvc19yZWdpb25fZG1hPSIwIiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtFK3hiQXo2WTZzVTEyODliUzZxbDRWUkxia2pmQlVHVE1Kc2pySHI0NGlJPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMTAuMC41NDgxLjEwNCIgbmV4dHZlcnNpb249IjExMC4wLjU0ODEuMTA0IiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iNSIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTcwNTQ1ODk5OSIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Executes dropped EXE
- Checks system information in the registry
-
-
C:\Windows\SysWOW64\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "4828" "1104" "1036" "1108" "0" "0" "0" "0" "0" "0" "0" "0"2⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzcuMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzcuMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDUxNUNFMUYtREM1Ni00RkFFLUIwMjAtN0QxQzhDNDc3MDI4fSIgdXNlcmlkPSJ7N0U0RDVFRjItQ0UzMS00MTc0LTkzMEItQkE2MjZGOEY1QjQ0fSIgaW5zdGFsbHNvdXJjZT0ib2ZmbGluZSIgcmVxdWVzdGlkPSJ7OUREQUJCOUYtMTg2MS00QkIzLUJENjctMkIwMTIyOEJCMjJEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIG9zX3JlZ2lvbl9uYW1lPSJVUyIgb3NfcmVnaW9uX25hdGlvbj0iMjQ0IiBvc19yZWdpb25fZG1hPSIwIiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSIxMjQuMC4yNDc4LjgwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMTIiIGluc3RhbGxkYXRldGltZT0iMTcxNTE5NTMwMyI-PGV2ZW50IGV2ZW50dHlwZT0iMzIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjQiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU3MTQ4MzM5ODEiLz48L2FwcD48L3JlcXVlc3Q-2⤵
- Executes dropped EXE
- Checks system information in the registry
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{59BBD5AD-76FE-4A60-B211-ACE719360507}\MicrosoftEdgeWebview_X64_118.0.2088.69.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{59BBD5AD-76FE-4A60-B211-ACE719360507}\MicrosoftEdgeWebview_X64_118.0.2088.69.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{59BBD5AD-76FE-4A60-B211-ACE719360507}\EDGEMITMP_4E8B6.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{59BBD5AD-76FE-4A60-B211-ACE719360507}\EDGEMITMP_4E8B6.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{59BBD5AD-76FE-4A60-B211-ACE719360507}\MicrosoftEdgeWebview_X64_118.0.2088.69.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzcuMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzcuMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDUxNUNFMUYtREM1Ni00RkFFLUIwMjAtN0QxQzhDNDc3MDI4fSIgdXNlcmlkPSJ7N0U0RDVFRjItQ0UzMS00MTc0LTkzMEItQkE2MjZGOEY1QjQ0fSIgaW5zdGFsbHNvdXJjZT0ib2ZmbGluZSIgcmVxdWVzdGlkPSJ7REFENDBFMjMtM0Q1Ny00MDdELTg5RjYtNEQ0Q0UxQjE2MTFEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIG9zX3JlZ2lvbl9uYW1lPSJVUyIgb3NfcmVnaW9uX25hdGlvbj0iMjQ0IiBvc19yZWdpb25fZG1hPSIwIiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMTguMC4yMDg4LjY5IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NzE3MzMzOTQ1IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTcxNzMzMzk0NSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU3MjY4NjU1MDMiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NzM5NTIxOTcwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1OTkxMDg0NTMzIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVkPSIxNjMwMjg5MzYiIHRvdGFsPSIxNjMwMjg5MzYiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIxIiBpbnN0YWxsX3RpbWVfbXM9IjI1MTU2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Executes dropped EXE
- Checks system information in the registry
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD52cf90e9082f448052daa924b473e26eb
SHA1253a96a3e7851960d54e55cda7e7f14d694b3e9f
SHA25613fe34cd44c118f4dab5cbf26a7ec1660c8c9d36db52de813835030b65f3888e
SHA5128dec3938ce4cab6f38578b58ce57f8bcb96f7a63ca41ad40b8af30613fbf2a95edad5c0794f9709a2be8c11723398666dc462797b92fe4e20155b3d8d28f0591
-
Filesize
4.8MB
MD5e8c30e0e3e4ebb34ba39a8f4cee94ab2
SHA12d3a4b8d1b3f444be7e1cf59220241eeef015caa
SHA256d58056771cd2160579c4838307273e4a24119dab8d40729fe71431f60322f7e9
SHA512422a7e51212eec4889baaf1aad0e592537ccfa2f3a1eacdeb8d58c75fc31d97850fa26577d3f1de1f36e461523d6ae4aefb343b859c40f67bada3fc7ca5815cb
-
Filesize
201KB
MD5d182a0d12ca3a95fe1f2f5134861ae1b
SHA10c5f3e8a767a2b5ab7510d6139f47336e333e906
SHA25614ba66344ddd4816d823d5ecc97bf94da5d441299401e8955f44b1df7969be06
SHA512ab33ae1e3684c40b1a1d801d8b0ad8e0d624c9b3db60945a0c30a3efa02a2d69d284620859421407c9891db0fab4c4c57ece10b22b7b801dcb34ccd6f4ea2f12
-
Filesize
163KB
MD57aa7c241de80410e18d8ee56a4e7d89f
SHA1792b1e7633c3966449cc7bd4a509ce87d147d631
SHA2563bd14a5738f8e1922b03182ae28bc67c0f17edf2f0a9e3d66ac480d7740c3cf6
SHA512319172b0c07334258cbbab5fadfe237262232615a7ed4f34c01eb0649d8d62de3ea69d9efdb15fd0700fe97980ffbdcc7b8af013031859bef52d5dd8a245bc98
-
Filesize
53KB
MD53aa01fcdd115c60b160f9ae424bceeb3
SHA118b06f45b500bd58bd18c729d669410cd8bc28bb
SHA256484b84235da9da9e797249ad454341d3117695180b69ed5d4228e2763f14ebca
SHA512a61a6415ee2105d5b0d0e904f8a2bee8ee70838bacffa83bc627d07300ade58f6d39ec94dacc6bf27ec7c5d2c3936089ff6d8269dd369455bb2aedf0b808de52
-
Filesize
1.7MB
MD5d7a69eb5c82b084fd3902e7e27507aa3
SHA12a8fbc1b0fac702efbeb70a92d9cafa05a96bfe6
SHA256fe8b0789fdbe46c9cc4e62d38f270f2ea8f83698a7689159e19e060ce6539080
SHA51239e4a64236732ad60bf9afc1fd005f3d5ed0ad4715e253de7bbd1c05a2c860f5ab84a6dde74497bc7b360bb81bcef91633ce2864d5c3cb5fa0cd56801fe4b225
-
Filesize
27KB
MD51f500080fe37e176275e620ae4e650a8
SHA1020aede627f67f166da17e3708e366efdda801f5
SHA256f2743a2ea3f31ff8623fb57c7561fc0ed2876338189303d6a36b33a1ce376402
SHA512217c91dfe7dabf2f5b3ea36997a5135563f388435e05e3a912096e66f9649f23cef7b661ea959fe7e65c9063319d20eedddb5e694e2c00eb4839063e55443bad
-
Filesize
18KB
MD5f4169b11a69559ccb3e0ef0d1119287f
SHA128a46fdd43fde59116a4e2bebb380fa9af9e96d6
SHA256326e84d44b451564aafa562d2092c065cc093ee380d93711cdff1ef07dda7e68
SHA512607afa1b88c44ce246e4526779df9e658fea3efca83395f3ae0f0dc3d19ebeca74a490df576be8a09a24b7bceb2a7f239b6a2c876e0c930be74c2e4a9d2c5750
-
Filesize
6.2MB
MD54c77d9ec3f185779fc6cee2a2828e025
SHA1896b3ff0eaf1cf2448340c78123c3fc932e5159b
SHA25668bcdd97bd146aaac9b849da005798d7e8f2d68d12579b5ea0976ab6f15ffdff
SHA512b63cb404e69b9730e09eca9af34a9fa8ff00f5abf827edaf5f5ca98bb315bf5f038e66a08b6fc45fb6b3dda9cdb398c1e3b5953a814a87602c81fabf8d8fb9d9
-
Filesize
6.9MB
MD546bb2500a8d936910129b15876369635
SHA111343ecf1c61e40a6a85463433181ca747844288
SHA256b7563d5ffc92168f5e3bd396133f0cf7a5050094d33cd7b1774e754ddb4a40d5
SHA512acd06dfa697129395a99676ebb494391dcf45eae8df569d8e198a1bc066b36f497c199e4bcbd84978e7af7e090bbf4c57e94e42652b851bc46e709321e48b23c
-
Filesize
1.1MB
MD517b3cf34fdfbff97c081fcd418cf49bc
SHA17b9fe495c79a7c64a190a495cbd34d44a0579ce5
SHA256148201b21d2ba55481341ebc81169db54d8c0c336ffe7fd2d2371e40812347ff
SHA5128cf8dac76809662fa9ada9f0452fb164aeb37e35073467d124bdc8e31b60ee8fd6ada6c475e411bfe1ed7cb163a0001134151048984d4b8e16eb401a13fffc32
-
Filesize
3.5MB
MD530022c8c8770b084ae7edd4ddfdf4f6e
SHA1bf29c3d05a09613bf2dc6f97f7fdc98a4252fb7f
SHA256a89af5fc59638ea992ce39ea3406829ca90dbd94d18f40193a82263ab44c8469
SHA512107e29eb9810afa46a707cd7a5f8b9b6777187ad6642864d18bbf9a7bf127ddb5268db408caaa9d77b00e08432be0a6c2fbce080614aee36f7369407f1b71833
-
Filesize
4.1MB
MD5d1a2e280a5cd128e5d9b967cea024456
SHA1f5067c307fe7d37ae3c1b4a232ac57390f0851cb
SHA2565dbea7e62aebe74ec55a6bc16bfe8330ad6520e57e02dd3bed495d45b277854c
SHA5123d204892bbf10672af33a1f691543e93936aa8b8e9fbe43c908156d2a31cd702518728688b76276c05d98ea22d8880c29bb592e74ffe02ef3f54042937aa2123
-
Filesize
91KB
MD5f8d7f42bdb2122e11efc9d086ec92f64
SHA12dd572aa2b77b11e4b304612627efe1e7d179a8c
SHA25635ef3d4442f6b73566b86695d92d70bdd27acd7ebf821aa5c2a55bba40eabc97
SHA512d1bbc123157bf47ddabda9b9daaeeca158884c35e99117b57604f3fa43acaa5911f3c02810cce573c36cc1d59629fbc8661928321901cfe469e5ae3e38498c70
-
Filesize
332KB
MD506d76b26b0c217ca5f009a30a361a7b6
SHA1d9785b6aa3526de214f510adfed41cc7e5c2e89c
SHA25670b34f2ae1911e447f11958cfb5dc075cb5439089ea08132e10f14f2c2f88bfe
SHA512c122aaf5d52dad87982ae28df67f5317dc049940b056e7abc06dedf7e25e5e82ad1891d62eb731532eafd5603d6230ed83b34d6b8429faac0e51883cdac3ad13
-
Filesize
5.5MB
MD58e8dfb04e1f4f254911fd1daec1bfe0c
SHA1ef67c26eeeac54294a7e6a607595a8ab6ca60de8
SHA25608f606e0cd68616bf17aa4fb46cbb88b9e6c0668f76bf5e76588bd38b9ac8a34
SHA512675450eb1e8501efe279ac993a8a63954478a715426e4fdcc30221ee22ba65fb1b72fbe9cbdbf58870cc3c5358cfcbcfe369ba717f5092a22d6046c9c420e6b7
-
Filesize
264KB
MD5f6d3a1b090059d879c95538ad0e4eeb1
SHA1351b700cf046030423cfd3e7573af49ac78aebb9
SHA256adb6e0871aa42875b8eda2c9ade49f1565eb45451f6af81a786bbcb845f6b21e
SHA5123c1338b88cb7ed20e54a096a0153d4b7ad8a411110b13a705d565682da3da9bafd60d527e2cd8c1a86c3a41c1d70b792c3d19c8183267580c477df2418fa2ae5
-
Filesize
696KB
MD5c635ac979617226badff918e46163386
SHA16c64ba27c64a29f70fd72ffe000da77f58fb6b46
SHA256fd7570305f3e0d379ccc6721991b3baffa7a9f6382a45c70258c675a0af65284
SHA512bb40e3f7ee788946afde08b3d399b6763aa54eb8bdf25e5d0d1f3ecba35a899f14b3c61af07677f310de092c7abfe8137201611bf2d22a280c25a681b4872c1b
-
Filesize
1.3MB
MD5ef1a65f7750810de554c1f209805357d
SHA1c70f5c2868c1153105cce5ba8ed26f1361762789
SHA256db2835332ce2b3c99986a014aab2576dc04de11b0990c7bf790d1be9e94c47ab
SHA512c315341ad4713060278b40d84003368c7196fda22a49e08010d2b035e0145928f7db665908fc4b2bd65d0ae44633d9b08b68c5bb19b36359c698769136cccde6
-
Filesize
716KB
MD5a623aa94a43b61119a774637850370fe
SHA1a495da02037d8831a317207e7b8314ca7ec3e5bc
SHA256b7b2938df1b17e668d3ec8be5a74509f456a6219a9dcc148cbca53b5b53d62b5
SHA51237c9b023d9550c671e0143975e12fabad2c62fe5ed352fd5dcbbfe67ab8c65b644c3b159079e351886428b6541b9981552547c219a041aba5dc9237d1b1f69eb
-
Filesize
4.7MB
MD52191e768cc2e19009dad20dc999135a3
SHA1f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA2567353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA5125adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970
-
Filesize
416KB
MD50cf989ae9779e463112d2bcd5eef8c66
SHA13dfa638ffbd864e042a14dab62bfba9012e2a928
SHA256bd277aa3ee9eda4400c2af572adb831c5114782c32c078f5fe625a6f69a39593
SHA512ff77dfa58443bc274a3b75f1cb1eefb6890076d6e6212e8753b3e5bf907b50b7c66ac6b9575796c3fc8230e360fe0f31ef816ea878aa6c3adfca68afb16d2752
-
Filesize
3.2MB
MD59b20085515967b09ad1b165ae3a654a6
SHA1edddad4c8bf03fbe52b68f7573be5abc94d074f2
SHA256c7c64ee6beee4b557f1cc6d5160f334323a30ac8a94ea5c8e89fab7fea8aec78
SHA512255a09377a1be33afb9ee03d7e6c47ba92d7a1a52cbdb1aa7c70134c6895cac1fa43d14e0a72a1b22d9bf90fb20e97241ecf818703e750221f370b7c10622ba9
-
Filesize
780KB
MD541c70f9b61d383180be1d14a49e188dd
SHA1d18805cce3c0437346495eecb4f1266cdd195137
SHA2569e6e4f2c27a596b84bf895247c664660f2c562af4623d8b33a743a6cfed472a3
SHA512d0deffecd23232189b816aa9db5697afc8a30ccd1fe8e73ec0238133a65e7774ffba21e87d0002534c4fe293c1a18abbd86fb57e60ce1598ef730ed7d00e2eeb
-
Filesize
670KB
MD595cc516c62dd8a98d7c1a70b3c086734
SHA123e2297d80f2515cc7c1b5aa2106c3db85625318
SHA256686d8193eea627bde2396311292d168ba9aedc42f3d9cbfb748cf1618f0327a1
SHA5121c12b2404d510d57676f35433f0093f6f1a88f238ab92732436322685362daeee01e9b681a3c210a520c7494ff609c0cdf84068220d1c25d186226bd41c5863a
-
Filesize
20KB
MD50dc11d4126996b709f26169fdf3a4e52
SHA152038d833d4dc28291595d0883d6f66136c342ab
SHA256d1f0597057365e50d838861927e49552ee19440cd1a665b7fa0d2231e47594f0
SHA5125d53571ad690677beef3cf840e7bb485fec62d6dbca28656a7dc5151f52f1d8836fe3516df2b9bd17e0125e1fa05d92501caab71e6880fd4639c062ee370fd13
-
Filesize
21.0MB
MD53437b563f89f0690321b41bccbd57912
SHA1d91b2e2cb84dd378204822adb1d3360b34c2c83a
SHA256d69b05e0875365b633d2208fd411e03c3fe0b394391c30f93ee517416dd40d64
SHA512ce59d554a5070fc8018a0b7a82d1671d9e9ddd4bb26b7f4a7dbfb0fc80c7d7cde4e65c51ed6c12939d5631a956a18ba4a1d77eb5c219ccd35919d346f77c93d5
-
Filesize
96KB
MD59fbacc6830481b1105cb7228ed7fad69
SHA16c198c255d23771c164659185a4b072608385286
SHA2561c6e3876bc85cb229bbcbf508971db218c77d3b582c7ad1ae69dc2cec13c4f6d
SHA512e20f189554cf185603d25aef2eb4ac94e72c82e52336ae83fc4c208eaeb9decf5d1e1a49c1d8d7a3c9d1a64a6880775cc9c33eacf2793e668e20ba92d4092652
-
Filesize
482KB
MD52cb604e82547d58f1ab4711d5c09f6e1
SHA11950fceca17ad0283574c4b20c6053ee01837d42
SHA25606629187062e4a2e36c76bdd8a04f3f9845d3d4c2078697c9e9666216f7ed711
SHA51227e7b4d7497a779b2e2b92376cd283333d4bef9807c005466e258cfc0a5c4dfcba0605625748a4c6a5079b6d85b2c1d4406c2e98f664a3adfdae8ce521095ec8
-
Filesize
23KB
MD5e7669af2a91557ed9636ca18a2e4da32
SHA1865a011cec5f1edb2cd298b535f20fbf76a58383
SHA2569623be38e402b8c63fbac2ddc3d0deabb0a7af385a19f79aefd50ed23b47c558
SHA5127fde262a59bb8ae0180f6715df418f1cb0ecc64d8682c97143cd219c28207a0fbd26f3ca9ff70cc704b1208d41c88fb1bc82cdb75d6f5a524828369f221eff58
-
Filesize
2.6MB
MD5d46b787a90104fa0b7bf8694f76d5c76
SHA134d275503e5000732ea71da5bd5b3207053e3f5e
SHA2565a44d14a6435f04486621294eb59a5cb6853416a375d9567df21f255e7c68a6a
SHA512bdbdf622ace60b59468f00be7db5ec67a2f612d3cdc67c702e636ff28a6f007fc1f3f6fd45a9bb864a39e60d951ab8f5dcf32399211a6e723c97a9fee290766d
-
Filesize
119KB
MD5309513ce428b34a3fe286dbd4e56539b
SHA1a64e46131ba8c912f1c1c4ec1283c7d7e9a1d055
SHA256c5ed8472aa7a22cc0d86aad6e2deb2e953f069b7b8b50fc756d016fa0d6f2e08
SHA512b755acfbd7c1a2e1e3d79728debf0c21047af4e88b5cdc2d9d99a4ac0a048f6e0151d518f5d19c018a2724c27c97f5ed73b88125d75266d736c4ab44b9f14d9a
-
Filesize
1.0MB
MD5734d89f77ebc27c4746992fb0bc8d77a
SHA1893aad691ad3ecb9cce30f340e8752c57123a7ca
SHA25673eff87365e6852f71186d6e9b6b616fd730c016c7e76667090779acb194ceb0
SHA5127579df9062dc7d7f6e1355bca666ffb17898cb6a14bec38cb0620266834e61eb0b3b43955f9ebec6254daec2645c22108ac943c7b0f2b43da74ba18cb140aa77
-
Filesize
22.6MB
MD5bbe6dc49ac96deeb82766fb641bc28ab
SHA1c0b5072158e212cda9cdca541d5b1df1586f3466
SHA256cd26dca2a2e7199481b6269064e129900f6992d49e6b487cb0a7ecf148514c5d
SHA51220cd4df8ec373de549f0083d19fe100b853005d9fd71df9b36e62b28f627cb2e1a5ff3d18786d3d3ca8612421428588af41b8a345614d8f46cec42d75ec6b908
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
2.1MB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
16.0MB
-
Filesize
5.5MB
-
Filesize
4.1MB