Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    793s
  • max time network
    894s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/02/2025, 03:27

General

  • Target

    Predictor7.6.3/Check this Before Open!.png

  • Size

    106KB

  • MD5

    2aaf9dcbef5f0fb02725b516163d71fa

  • SHA1

    77a4f69078a4fb5e258c3196b42ec319589f60da

  • SHA256

    83471a3c48abf4f11c7a920ab907efcd183e058801f8711e467e9c2efa8b1ad8

  • SHA512

    ddc353c3fbc469dee34ee69d33be80997170194aaf8d580df0f044125698cdec6239f736e11e1dd01e2abd7c3a7e09f5d370f1a9d2f7bb43f6fdafa2ea0d5396

  • SSDEEP

    3072:K5GDgY9gZCAnoiicqJUcs6WOw91co1FpSOqycoiCq:OGtKZ7ozcAWOwPpHiB

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Downloads MZ/PE file 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 10 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Predictor7.6.3\Check this Before Open!.png"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:3696
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
      PID:624
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0IxQTc2MEMtN0M0Qi00NzQwLUE4MTctMDBGREVDMjVFMDIyfSIgdXNlcmlkPSJ7NDcwRTdENTAtQzhEMS00MEUzLUE4OUMtMDEyMjU5MkU2MzgzfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RkJFN0M0QjAtRENCMy00Q0YyLUJCRDctMjE0NzMxMTlGQzg2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY0MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODc1OTU2NTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1Mjk0NDAxMjE1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:1036
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\MicrosoftEdge_X64_132.0.2957.140.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3092
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Installs/modifies Browser Helper Object
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4128
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6322ba818,0x7ff6322ba824,0x7ff6322ba830
          3⤵
          • Executes dropped EXE
          PID:4124
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:1368
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6322ba818,0x7ff6322ba824,0x7ff6322ba830
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            PID:4568
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4916
          • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7f665a818,0x7ff7f665a824,0x7ff7f665a830
            4⤵
            • Executes dropped EXE
            PID:640
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4832
          • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7f665a818,0x7ff7f665a824,0x7ff7f665a830
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            PID:4664
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2412
          • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7f665a818,0x7ff7f665a824,0x7ff7f665a830
            4⤵
            • Executes dropped EXE
            PID:3448
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
      1⤵
        PID:4100
      • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
        "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3768
      • C:\Windows\system32\wwahost.exe
        "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4464
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0IxQTc2MEMtN0M0Qi00NzQwLUE4MTctMDBGREVDMjVFMDIyfSIgdXNlcmlkPSJ7NDcwRTdENTAtQzhEMS00MEUzLUE4OUMtMDEyMjU5MkU2MzgzfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins1QjQzNjI5OS1CQjA0LTQ0MzctQTFDMi1DQkFCRUEyMjUxMjB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS40MyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGNvaG9ydD0icnJmQDAuMjciPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7RjVBRUEzNTEtMDI3MC00MzM0LTkwMkQtRkQ2RjlBMDEwMjMyfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjEiIGlzX3Bpbm5lZF9zeXN0ZW09InRydWUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzQyMTkyMTE3ODM1MzAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU1MjQwODkwNzEiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTUyNDI0NTI4MyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAyMzgzOCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTEzMDAxODI2MDkiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTcwNTMwMiZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1jbVJJQSUyYndpYnRvWHNOMnl1Q2x6cDk5SG93WSUyZkRsSUFxWllua0IxZHNIVER4aHJuTldaWjdqMiUyZkxHNlVnc2NpbTVvcjRyNUE1OThTT3p6V0hmWUdtUSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDEyODk0IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTMwMDE4MjYwOSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMDc0MDAzNmEtNGUxOC00NTZkLTk2ZmEtZDFkOWM0Y2E0Njc2P1AxPTE3Mzk3MDUzMDImYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9Y21SSUElMmJ3aWJ0b1hzTjJ5dUNsenA5OUhvd1klMmZEbElBcVpZbmtCMWRzSFREeGhybk5XWlo3ajIlMmZMRzZVZ3NjaW01b3I0cjVBNTk4U096eldIZllHbVElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSI1OTc5NDIyMCIgdG90YWw9IjE3NzE4MDIxNiIgZG93bmxvYWRfdGltZV9tcz0iNTM1OTM4Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExMzAwMTgyNjA5IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJ3aW5odHRwIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTcwNTMwMiZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1jbVJJQSUyYndpYnRvWHNOMnl1Q2x6cDk5SG93WSUyZkRsSUFxWllua0IxZHNIVER4aHJuTldaWjdqMiUyZkxHNlVnc2NpbTVvcjRyNUE1OThTT3p6V0hmWUdtUSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IjIuMjAuMTIuNzQiIGNkbl9jaWQ9IjIiIGNkbl9jY2M9IkdCIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTc3MTgwMjE2IiB0b3RhbD0iMTc3MTgwMjE2IiBkb3dubG9hZF90aW1lX21zPSIzNTUwMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTMwMDMzOTA3MCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTMxNDA4ODkzMyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTE4NzQ1NTc2NDAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIyMjM3NSIgZG93bmxvYWRfdGltZV9tcz0iNTc3NjA5IiBkb3dubG9hZGVkPSIxNzcxODAyMTYiIHRvdGFsPSIxNzcxODAyMTYiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjU2MDMxIi8-PHBpbmcgYWN0aXZlPSIxIiBhPSIyIiByPSIyIiBhZD0iNjYxMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MEJBNkIyMkEtN0QxNi00OTUzLTg2NDAtNDVBRTc3NkYzN0U4fSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRlPSI2NjA4IiBjb2hvcnQ9InJyZkAwLjkyIj48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0ie0I5OEQ3OUE1LTZGMTAtNEIzNi04RTQ1LUUxREYzMjQ3NUZCOX0iLz48L2FwcD48L3JlcXVlc3Q-
        1⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:1868
      • C:\Windows\system32\werfault.exe
        werfault.exe /hc /shared Global\322d21b7b6ed424da17f14d2c29c377c /t 4572 /p 4464
        1⤵
          PID:4076

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe

          Filesize

          6.6MB

          MD5

          b4c8ad75087b8634d4f04dc6f92da9aa

          SHA1

          7efaa2472521c79d58c4ef18a258cc573704fb5d

          SHA256

          522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

          SHA512

          5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

          Filesize

          3.7MB

          MD5

          3646786aea064c0845f5bb1b8e976985

          SHA1

          a31ba2d2192898d4c0a01511395bdf87b0e53873

          SHA256

          a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f

          SHA512

          145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4

        • C:\Program Files\msedge_installer.log

          Filesize

          70KB

          MD5

          ef747b3dcefc27758b191f4c2ff1711e

          SHA1

          0836d161f7f91c7584aadd7e50bb59c286e25c26

          SHA256

          78d4ade499ecede2b955528469fff673a852203ab6fd46e7e4fe63bae47762f7

          SHA512

          6a1fbdddfb9868ba207bb32b328f0f457f28df8c5ba5ee57ef4208f7ab7d631eeb806c8df54bb0245ae0bece70bb74ec426325b884c2a1d8da2ea5ac85e8c667

        • C:\Program Files\msedge_installer.log

          Filesize

          100KB

          MD5

          e232445b2736cbf568e133020462b037

          SHA1

          964ce1345dc7c9c78741eefd9049be9c4631ef89

          SHA256

          0825c29fcaa682844c7a7223c24a9318f9c394d239d5d0413e5e1683623ed4ea

          SHA512

          59f22b6ebabab278a9046b5daac7120b60a159e480ab47c4d1a6daca69e49c9e8caa513f1da5798bbfca0690e709e1f69a2056167acbc7b694acb71a9e1f41c6

        • C:\Program Files\msedge_installer.log

          Filesize

          101KB

          MD5

          b1eb153bf9f5a00fa0141411aacfe09f

          SHA1

          35dff8af800cdc4e1098998fd95642fec5375bcf

          SHA256

          6512861da7a08ee9d002a24981349613c1222a9b2f1e4df8b73492a965f3c48b

          SHA512

          6157cafd26ba73695de37df849e09cdcf791e976bf2aca79fd30decea22eccc8e4774de6ffa6346fe4c1e22c007b39d45798addb104d02a96b56bb61cd8dc7fe

        • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

          Filesize

          945KB

          MD5

          e78e128fe5af78bb5b1194b365fa51f8

          SHA1

          e7db378bb2eaaa9b3d4a67cbb11461a75b90159d

          SHA256

          8eced23b5cc53db7d6cec304282836b3fd150900dbca2929ebcbe185f5ef4e99

          SHA512

          b980eb03edaf4c558f6a11256dcb61ae3692d24a772f3030c97b379d34cc983f1c3c1b34b2d7091f3c8339a988c25694b957fac4170d71d0736f4c751e126afc

        • memory/3768-58-0x000001A175500000-0x000001A17550E000-memory.dmp

          Filesize

          56KB

        • memory/3768-60-0x000001A1759E0000-0x000001A1759E8000-memory.dmp

          Filesize

          32KB

        • memory/3768-59-0x000001A1759B0000-0x000001A1759BA000-memory.dmp

          Filesize

          40KB

        • memory/3768-61-0x000001A179000000-0x000001A179249000-memory.dmp

          Filesize

          2.3MB