Overview

overview

10

Static

static

10

UpdaterTag.dll

windows10-2004-x64

10

UpdaterTag.dll

windows11-21h2-x64

10

Analysis

  • max time kernel
    839s
  • max time network
    900s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/02/2025, 01:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    UpdaterTag.dll

  • Size

    72KB

  • MD5

    baff48ded319cdc1eb2372e16c833260

  • SHA1

    6ffbbee909e8225337a61da43f18d48bd403b32d

  • SHA256

    16bf1c6d22074a7532c158c0f8ffd7f1e1c36deab934ea5abad5c0d2cea11a62

  • SHA512

    ce560c27b4403ba9e9b14a7398e469e6fc42f79b70586266ae2d2b2210a9f81ea88e92a6f50b077e8480bc5fa9117d64acf1a6b3b3530807bd1534e5aac2cce6

  • SSDEEP

    768:Tz7vRTYS4Oi5ONdWJ7HRCRuVnxsaQu7SDqRefml4I4QDqauXj57CHf8IdAtY5h82:Tzh7eO6hHRCSsBfml4I6z5If8I6oVTt

Score
10/10
latrodectusadwarediscoveryloaderpersistenceprivilege_escalationstealer

Malware Config

Extracted

Family

latrodectus

Version

1.4

C2

https://apworsindos.com/test/

https://reminasolirol.com/test/
Attributes
  • group

    Mimikast

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)

aes.hex

Signatures

  • Detects Latrodectus 2 IoCs

    Detects Latrodectus v1.4.

  • Latrodectus family
    latrodectus
  • Latrodectus loader

    Latrodectus is a loader written in C++.

    loaderlatrodectus
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Downloads MZ/PE file 1 IoCs
  • Deletes itself 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 4 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\UpdaterTag.dll,#1
    1⤵
    • Deletes itself
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_5dd2300b.dll", #1
      2⤵
      • Loads dropped DLL
      PID:2092
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RURBN0Q2ODgtNTYxQi00MUVELUFGMzMtMTQ2QzE3REU3RjI1fSIgdXNlcmlkPSJ7NjE5QjI4ODItN0M3NS00NkIzLUExMjQtNTJDMTBDRTY3REY2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODAxODQ0M0YtN0M5NS00MTE5LTlBNDAtRDI1OTY3NTk0MDJEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzA4NTY5MjczIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:3016
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C81F692B-C649-4B8C-8A38-60E46197416B}\MicrosoftEdge_X64_132.0.2957.140.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C81F692B-C649-4B8C-8A38-60E46197416B}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C81F692B-C649-4B8C-8A38-60E46197416B}\EDGEMITMP_79358.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C81F692B-C649-4B8C-8A38-60E46197416B}\EDGEMITMP_79358.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C81F692B-C649-4B8C-8A38-60E46197416B}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4840
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C81F692B-C649-4B8C-8A38-60E46197416B}\EDGEMITMP_79358.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C81F692B-C649-4B8C-8A38-60E46197416B}\EDGEMITMP_79358.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C81F692B-C649-4B8C-8A38-60E46197416B}\EDGEMITMP_79358.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7149aa818,0x7ff7149aa824,0x7ff7149aa830
        3⤵
        • Executes dropped EXE
        PID:3836
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C81F692B-C649-4B8C-8A38-60E46197416B}\EDGEMITMP_79358.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C81F692B-C649-4B8C-8A38-60E46197416B}\EDGEMITMP_79358.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:548
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C81F692B-C649-4B8C-8A38-60E46197416B}\EDGEMITMP_79358.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C81F692B-C649-4B8C-8A38-60E46197416B}\EDGEMITMP_79358.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C81F692B-C649-4B8C-8A38-60E46197416B}\EDGEMITMP_79358.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7149aa818,0x7ff7149aa824,0x7ff7149aa830
          4⤵
          • Executes dropped EXE
          PID:3680
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1460
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6f17fa818,0x7ff6f17fa824,0x7ff6f17fa830
          4⤵
          • Executes dropped EXE
          PID:4408
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6f17fa818,0x7ff6f17fa824,0x7ff6f17fa830
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          PID:1092
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6f17fa818,0x7ff6f17fa824,0x7ff6f17fa830
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          PID:3760
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
    1⤵
      PID:2288
    • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
      "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3584
    • C:\Windows\system32\wwahost.exe
      "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1440
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RURBN0Q2ODgtNTYxQi00MUVELUFGMzMtMTQ2QzE3REU3RjI1fSIgdXNlcmlkPSJ7NjE5QjI4ODItN0M3NS00NkIzLUExMjQtNTJDMTBDRTY3REY2fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins2REY0QUY4NS1EMTJFLTQ5NjQtOTQ4NS05NDVDNjg3MDJEMkV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS40MyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGNvaG9ydD0icnJmQDAuNDAiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7RTgwOEM0QTYtRTg2RC00MTZFLUJGNDUtMTg1MjlDQTcxRDMyfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjEiIGlzX3Bpbm5lZF9zeXN0ZW09InRydWUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzQyMDgwODAzNDk3OTAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUzMzk5NzU2MDciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTMzOTk3NTYwNyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAyMzgzOCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTk2MzEwMDM1NiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iZG8iIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzA3NDAwMzZhLTRlMTgtNDU2ZC05NmZhLWQxZDljNGNhNDY3Nj9QMT0xNzM5NzEwNzMyJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWhHOXBJYm9rSkRHcEpydHA4dWJUNEhmWUd2VHFFZTROZ1BCVTQzaU84VGplVllhOENiWnp6aVU0VzJ4eGRsNGFHelRhTE5ENXFYanhGcUppY21zRElnJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMTI4ODkiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU5NjMxMDAzNTYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzA3NDAwMzZhLTRlMTgtNDU2ZC05NmZhLWQxZDljNGNhNDY3Nj9QMT0xNzM5NzEwNzMyJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWhHOXBJYm9rSkRHcEpydHA4dWJUNEhmWUd2VHFFZTROZ1BCVTQzaU84VGplVllhOENiWnp6aVU0VzJ4eGRsNGFHelRhTE5ENXFYanhGcUppY21zRElnJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9Ii0xIiBkb3dubG9hZF90aW1lX21zPSIxMjA2MyIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1OTYzMTAwMzU2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJ3aW5odHRwIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTcxMDczMiZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1oRzlwSWJva0pER3BKcnRwOHViVDRIZllHdlRxRWU0TmdQQlU0M2lPOFRqZVZZYThDYlp6emlVNFcyeHhkbDRhR3pUYUxORDVxWGp4RnFKaWNtc0RJZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IjE5OS4yMzIuMjEwLjE3MiIgY2RuX2NpZD0iMyIgY2RuX2NjYz0iREUiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IkhJVCIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzcxODAyMTYiIHRvdGFsPSIxNzcxODAyMTYiIGRvd25sb2FkX3RpbWVfbXM9IjQzNzk3Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU5NjMyNTY4MDIiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTk3ODI1NjY2MSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjUzOTY2MzA5OCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjEzNTkiIGRvd25sb2FkX3RpbWVfbXM9IjYyMjk3IiBkb3dubG9hZGVkPSIxNzcxODAyMTYiIHRvdGFsPSIxNzcxODAyMTYiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjU2MTQwIi8-PHBpbmcgYWN0aXZlPSIxIiBhPSIyIiByPSIyIiBhZD0iNjYxMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7ODJGMzZCMEUtNjdCMy00MDU5LUE5NTYtQjA2NEFFNkQwMjI5fSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRlPSI2NjA4IiBjb2hvcnQ9InJyZkAwLjE1Ij48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezUxOTY4Nzk1LTA2M0UtNENGRC04MTBELTRDMjAzNzhBMDQ5NX0iLz48L2FwcD48L3JlcXVlc3Q-
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:2776
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_5dd2300b.dll", #1
      1⤵
      • Loads dropped DLL
      PID:3628
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_5dd2300b.dll", #1
      1⤵
      • Loads dropped DLL
      PID:3620

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C81F692B-C649-4B8C-8A38-60E46197416B}\EDGEMITMP_79358.tmp\setup.exe
      Filesize

      6.6MB

      MD5

      b4c8ad75087b8634d4f04dc6f92da9aa

      SHA1

      7efaa2472521c79d58c4ef18a258cc573704fb5d

      SHA256

      522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

      SHA512

      5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

      Download Submit

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Filesize

      3.7MB

      MD5

      3646786aea064c0845f5bb1b8e976985

      SHA1

      a31ba2d2192898d4c0a01511395bdf87b0e53873

      SHA256

      a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f

      SHA512

      145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4

      Download Submit

    • C:\Program Files\msedge_installer.log
      Filesize

      70KB

      MD5

      92f4c951606a73e5a53b357e75d7a88b

      SHA1

      e6229d2d0eefff5a694fcf276313da1e101cea5c

      SHA256

      09971fb3011c6058413159695e234d771cfd56472cda44f7e3e1925946c30a5c

      SHA512

      edff7c7ba3b7ac9fd4c8ddb284f89e387c3b78f42d5bc37a527d908732e581dc9cedde0df983ca0f10b75712efdc008798f43a9512794fba226009e737658ff6

      Download Submit

    • C:\Program Files\msedge_installer.log
      Filesize

      101KB

      MD5

      361fc971138d0b8eca71bd61c8d8e922

      SHA1

      e665916a397a5ce7d9ff2fc2a55f1173e97469d8

      SHA256

      24c5409e7381eb05251b7a5e44f01468ce8f9d3dfa2bdc18ffdc86187aea4167

      SHA512

      e82fc04943e4eddaf46a34c3f7a5b5cbd31a6d5669dab72c6d7af057af671a722e98cd4df035c6e49d9b3243a15dc9f1be37c5e7e16f2b927c74b63181fc3d5e

      Download Submit

    • C:\Program Files\msedge_installer.log
      Filesize

      100KB

      MD5

      c84439387be068005bf7b4af392a361d

      SHA1

      804b8043da200415a86013d870c441cb56f36635

      SHA256

      393b1b5017d7fbb234e7ade12eee2812025188a57458d59592dd36957ebfbbe5

      SHA512

      9a91b63186a607f7da24e196c4ad0532e58e596f40e3e57b61e1ee3d7148feccc0066370c59885d3a0810bf60c95046fc5d4a99327604eac2bc8d2b871397f15

      Download Submit

    • C:\Program Files\msedge_installer.log
      Filesize

      101KB

      MD5

      3de7e50ecdab1e9dfadf5afe332d8106

      SHA1

      abfd73a84fc2d58df0aae4ead7192ab7f828b00a

      SHA256

      a2292fe37bca6f0dfa31f451bc49b3c713cbb9e247467092990815a5c0b7b62b

      SHA512

      273313a79fea78ed18ef707726ba6eef76e21114a155ba7d584790ded144a212b62c5c06405eea61dd0a2740b3bdbbe9ce93f360b5e185a2126ef1589bbfd34e

      Download Submit

    • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
      Filesize

      455KB

      MD5

      d2a62591e234c55a904163a03e7ab894

      SHA1

      b9a5798538a67cb4a9f4168de2bbc3fda1b0266e

      SHA256

      b87845c515f24cbe2544388ec959da8d44e98ef295d6a8567990937d392c9593

      SHA512

      02ff0f02db7fdb6333f3978e62de6d817de205c210861c6a830b155d0fa216652500e4a5ed5ee45f89a88c7fe822826079cbec54157f16e39d898886403a223f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Custom_update\Update_5dd2300b.dll
      Filesize

      72KB

      MD5

      baff48ded319cdc1eb2372e16c833260

      SHA1

      6ffbbee909e8225337a61da43f18d48bd403b32d

      SHA256

      16bf1c6d22074a7532c158c0f8ffd7f1e1c36deab934ea5abad5c0d2cea11a62

      SHA512

      ce560c27b4403ba9e9b14a7398e469e6fc42f79b70586266ae2d2b2210a9f81ea88e92a6f50b077e8480bc5fa9117d64acf1a6b3b3530807bd1534e5aac2cce6

      Download Submit

    • memory/3396-1-0x00007FF923E80000-0x00007FF923E96000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3584-62-0x0000020B72F80000-0x0000020B72F8E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3584-64-0x0000020B754C0000-0x0000020B754C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3584-63-0x0000020B75490000-0x0000020B7549A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3584-65-0x0000020B75800000-0x0000020B75A49000-memory.dmp

      Filesize

      2.3MB

      Download