Analysis

  • max time kernel
    716s
  • max time network
    827s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250207-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250207-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    09/02/2025, 02:09

General

  • Target

    UpdaterTag.dll

  • Size

    72KB

  • MD5

    4d3511cedaddff8cdd991c1bcbbbf274

  • SHA1

    9a6dcaa5d0a6bc5dc0e525d8495f81776c89f457

  • SHA256

    25df81bebae736bf7e5cc42ef18b4756d1de8cd2cd4f1e508b6bf5108bac69e7

  • SHA512

    3f201909ec716f5dd64df459d760ac44f9c2b14bec1a91ef68882c1817ed29564028bfc829be8998490f583895eb7f93a2b600c8472cd4781aaf1aa34a165918

  • SSDEEP

    768:Vz7vRTYS4Oi5ONdWJ7HRCRuVnjhaQu7SDqRefml4I4QDqauXj57CHf8Idi+a7dHU:Vzh7eO6hHRCwhBfml4I6z5If8INaJ0

Malware Config

Extracted

Family

latrodectus

Version

1.4

C2

https://apworsindos.com/test/

https://reminasolirol.com/test/

Attributes
  • group

    Mimikast

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)

aes.hex

Signatures

  • Detects Latrodectus 2 IoCs

    Detects Latrodectus v1.4.

  • Latrodectus family
  • Latrodectus loader

    Latrodectus is a loader written in C++.

  • Blocklisted process makes network request 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Downloads MZ/PE file 1 IoCs
  • Deletes itself 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\UpdaterTag.dll,#1
    1⤵
    • Deletes itself
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_31846770.dll", #1
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:808
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [base64-encoded ping payload elided]
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:3848
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BDC41D5D-FD69-4D65-9965-09B596B294CB}\MicrosoftEdge_X64_132.0.2957.140.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BDC41D5D-FD69-4D65-9965-09B596B294CB}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BDC41D5D-FD69-4D65-9965-09B596B294CB}\EDGEMITMP_6F35F.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BDC41D5D-FD69-4D65-9965-09B596B294CB}\EDGEMITMP_6F35F.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BDC41D5D-FD69-4D65-9965-09B596B294CB}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2704
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BDC41D5D-FD69-4D65-9965-09B596B294CB}\EDGEMITMP_6F35F.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BDC41D5D-FD69-4D65-9965-09B596B294CB}\EDGEMITMP_6F35F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BDC41D5D-FD69-4D65-9965-09B596B294CB}\EDGEMITMP_6F35F.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff79797a818,0x7ff79797a824,0x7ff79797a830
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4160
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BDC41D5D-FD69-4D65-9965-09B596B294CB}\EDGEMITMP_6F35F.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BDC41D5D-FD69-4D65-9965-09B596B294CB}\EDGEMITMP_6F35F.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:2340
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BDC41D5D-FD69-4D65-9965-09B596B294CB}\EDGEMITMP_6F35F.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BDC41D5D-FD69-4D65-9965-09B596B294CB}\EDGEMITMP_6F35F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BDC41D5D-FD69-4D65-9965-09B596B294CB}\EDGEMITMP_6F35F.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff79797a818,0x7ff79797a824,0x7ff79797a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:1064
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4564
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff74316a818,0x7ff74316a824,0x7ff74316a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:1932
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3048
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff74316a818,0x7ff74316a824,0x7ff74316a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:1616
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff74316a818,0x7ff74316a824,0x7ff74316a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:1800
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
    1⤵
    PID:540
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [base64-encoded ping payload elided]
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:1032

    Downloads

    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BDC41D5D-FD69-4D65-9965-09B596B294CB}\EDGEMITMP_6F35F.tmp\setup.exe

      Filesize

      6.6MB

      MD5

      b4c8ad75087b8634d4f04dc6f92da9aa

      SHA1

      7efaa2472521c79d58c4ef18a258cc573704fb5d

      SHA256

      522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

      SHA512

      5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

    • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

      Filesize

      462KB

      MD5

      4189c7c2f13845a0b9f9e4fe72d9581b

      SHA1

      bff193049db1983917dee1176ed4494d05738597

      SHA256

      afe10953406c27612fd974b45868981be5da0864ce6435aba03ea3a32527fe62

      SHA512

      d92c0d352ce0a79c0f5c8c4c26586c51d63dfdc28bcca9b54a3e712ad9105f6c92ca79dc2f7fd5539374fc2bd3442ef292bbbf76ceb7f047079edf39376a6cb4

    • C:\Users\Admin\AppData\Roaming\Custom_update\Update_31846770.dll

      Filesize

      72KB

      MD5

      4d3511cedaddff8cdd991c1bcbbbf274

      SHA1

      9a6dcaa5d0a6bc5dc0e525d8495f81776c89f457

      SHA256

      25df81bebae736bf7e5cc42ef18b4756d1de8cd2cd4f1e508b6bf5108bac69e7

      SHA512

      3f201909ec716f5dd64df459d760ac44f9c2b14bec1a91ef68882c1817ed29564028bfc829be8998490f583895eb7f93a2b600c8472cd4781aaf1aa34a165918

    • C:\Windows\SystemTemp\msedge_installer.log

      Filesize

      71KB

      MD5

      b187b6bc04fc252ec9d2768fd55271b1

      SHA1

      b8f34e77a019c446ed6196fe3746e86be40cb53c

      SHA256

      cdb41a7a5391384f5d37ca5f316c8dc2c3064dcf54307cb32383ed0dd1772f8f

      SHA512

      6d90ca24d836c973d706694bf42221c2b56e5dfe06b39c926b5b10e06b0a641bfe5e9dc7d30e176af48743d6b0a66a81cd96390bef1e223f995a8e820529b136

    • C:\Windows\SystemTemp\msedge_installer.log

      Filesize

      96KB

      MD5

      353dce647571475ddf02506d010da12e

      SHA1

      2fddca2b15818597bdadf8d0d64a8a71f3d9b657

      SHA256

      e03e4eceab39f3bb16e78028403dae0b94e2e857e9da929b206a0625b66ce243

      SHA512

      5aa0c0a209cacc9b24e700e59ea46928926c9bcd8346749c36db9a83a1ffcdf005124ee8fd648abc6b83d9efc17043bcc62964218c54e61504f9ddd5fe51b7b2

    • C:\Windows\SystemTemp\msedge_installer.log

      Filesize

      99KB

      MD5

      f04c9a2e67b532184e464cecf5504783

      SHA1

      86d5ab9d54fccb9d327f22b6eb4e19cf3eecadec

      SHA256

      7a61dd4ae642cf4d902472adbf02e380ccb16c9794a1c94192d785046ed7f9a3

      SHA512

      13ce604b95f24b3dcb90e037bdd6f7e0cc6e0bc6ed1e6003e3dae3a96bc6afc35c3898cbd8bcd56c3afdb8e0fcdde2cdeea397e7787753f0407342d543feeb8e

    • C:\Windows\SystemTemp\msedge_installer.log

      Filesize

      102KB

      MD5

      56b6f108f9c8ffafeda94d246427362e

      SHA1

      208c70cb7e8200d466684d4dffb094b93ed9ca2b

      SHA256

      4eda5224f55781982e4aafbfc91d98ebc8ba8267006cc347a4fcd5f21e7c13ba

      SHA512

      0444c7d4b50be811fef566d7e4b9c457d4b36c51dbbb359f1332e8af71aa9974281e78514331619b1cde4ed97563ef303dc0de93f602bdcd521ce5adf6c732fb

    • memory/832-2-0x00007FFC044D0000-0x00007FFC044E6000-memory.dmp

      Filesize

      88KB