Overview

overview

10

Static

static

10

windows.zip

windows11-21h2-x64

8

windows/cf...ch.vbs

windows11-21h2-x64

3

windows/idc/ida.js

windows11-21h2-x64

3

windows/li...le.dll

windows11-21h2-x64

8

windows/libclang.dll

windows11-21h2-x64

8

windows/libdwarf.dll

windows11-21h2-x64

8

windows/li...le.dll

windows11-21h2-x64

8

windows/libz3.dll

windows11-21h2-x64

8

windows/lo...if.dll

windows11-21h2-x64

3

windows/lo...ga.dll

windows11-21h2-x64

3

windows/lo...of.dll

windows11-21h2-x64

3

windows/lo...ut.dll

windows11-21h2-x64

8

windows/lo...tar.py

windows11-21h2-x64

3

windows/lo...ip.dll

windows11-21h2-x64

8

windows/lo...ldr.py

windows11-21h2-x64

8

windows/lo...age.py

windows11-21h2-x64

8

windows/lo...rc.dll

windows11-21h2-x64

8

windows/lo...ff.dll

windows11-21h2-x64

8

windows/lo...x_m.py

windows11-21h2-x64

3

windows/lo...ex.dll

windows11-21h2-x64

8

windows/lo...os.dll

windows11-21h2-x64

3

windows/lo...lod.py

windows11-21h2-x64

3

windows/lo...mp.dll

windows11-21h2-x64

8

windows/lo...lf.dll

windows11-21h2-x64

8

windows/lo...oc.dll

windows11-21h2-x64

windows/lo...esp.py

windows11-21h2-x64

3

windows/lo...ad.dll

windows11-21h2-x64

8

windows/lo...os.dll

windows11-21h2-x64

8

windows/lo...ex.dll

windows11-21h2-x64

8

windows/lo...om.dll

windows11-21h2-x64

windows/lo...mf.dll

windows11-21h2-x64

3

windows/lo...dr.dll

windows11-21h2-x64

8

Analysis

  • max time kernel
    894s
  • max time network
    761s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250207-en
  • resource tags

    arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-02-2025 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    windows/loaders/dump.dll

  • Size

    14KB

  • MD5

    f4faa4b31e4f3ca357b457fa3468fc86

  • SHA1

    de3d3558e4ec597fb15b63c66bbe99cece70ba24

  • SHA256

    41dbf0dcb16d3891b5d143a6c339173b227e9933b9553e00a9a7e74b4614638c

  • SHA512

    3f134d8ac3e8b9d107fd93db94e0ae5e6d06f4fc3cdf775ca917b887290327876472bf0447b61f12e30a8973f311279808cac6303cd5df4217c061235e7082d9

  • SSDEEP

    192:gTXz2JWd8PGRxO8DlHpX/NpI5Qax/4IIo7MGqXVle+bpws+AHF/:gTjV8PoO8BHpXManK7k3b24HF/

Score
8/10
adwarediscoverypersistenceprivilege_escalationstealer

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Downloads MZ/PE file 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 10 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • System policy modification 1 TTPs 4 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\windows\loaders\dump.dll,#1
    1⤵
      PID:3192
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjNCRTk2NzYtNEMyOS00MTZGLUI3MzQtMUNENDA2RDI5OUQ2fSIgdXNlcmlkPSJ7NzE2MTEyNTQtQjJGNC00QkMyLTlBMDAtNTBCQzJCRjBGQzM3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Nzc2M0U5QzAtOEExMi00NTlGLUE4MzUtNEIyQkYwQjExNTNFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczODk1NDk2OSIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI3NjY5NTc5MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ4ODExMjM2NTYiLz48L2FwcD48L3JlcXVlc3Q-
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:1816
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{23DC19F9-53C2-497C-9653-6F79DEE7B9E3}\MicrosoftEdge_X64_132.0.2957.140.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{23DC19F9-53C2-497C-9653-6F79DEE7B9E3}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3380
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{23DC19F9-53C2-497C-9653-6F79DEE7B9E3}\EDGEMITMP_7B20A.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{23DC19F9-53C2-497C-9653-6F79DEE7B9E3}\EDGEMITMP_7B20A.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{23DC19F9-53C2-497C-9653-6F79DEE7B9E3}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Installs/modifies Browser Helper Object
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1548
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{23DC19F9-53C2-497C-9653-6F79DEE7B9E3}\EDGEMITMP_7B20A.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{23DC19F9-53C2-497C-9653-6F79DEE7B9E3}\EDGEMITMP_7B20A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{23DC19F9-53C2-497C-9653-6F79DEE7B9E3}\EDGEMITMP_7B20A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7557aa818,0x7ff7557aa824,0x7ff7557aa830
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:3160
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{23DC19F9-53C2-497C-9653-6F79DEE7B9E3}\EDGEMITMP_7B20A.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{23DC19F9-53C2-497C-9653-6F79DEE7B9E3}\EDGEMITMP_7B20A.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:3192
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{23DC19F9-53C2-497C-9653-6F79DEE7B9E3}\EDGEMITMP_7B20A.tmp\setup.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{23DC19F9-53C2-497C-9653-6F79DEE7B9E3}\EDGEMITMP_7B20A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{23DC19F9-53C2-497C-9653-6F79DEE7B9E3}\EDGEMITMP_7B20A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7557aa818,0x7ff7557aa824,0x7ff7557aa830
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3376
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4512
          • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7b82ba818,0x7ff7b82ba824,0x7ff7b82ba830
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1376
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:3588
          • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7b82ba818,0x7ff7b82ba824,0x7ff7b82ba830
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:236
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:1116
          • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7b82ba818,0x7ff7b82ba824,0x7ff7b82ba830
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:4240
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjNCRTk2NzYtNEMyOS00MTZGLUI3MzQtMUNENDA2RDI5OUQ2fSIgdXNlcmlkPSJ7NzE2MTEyNTQtQjJGNC00QkMyLTlBMDAtNTBCQzJCRjBGQzM3fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InsyRDlDQ0M2Ri1EMDVGLTQ2MzUtQjM0OS01MzI0Q0I2RjI5QTd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgY29ob3J0PSJycmZAMC42MCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins2QjE1ODNCMy00MzA1LTRDNDYtQTg5NC0yMTMzNTBDM0VGRTB9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMSIgaXNfcGlubmVkX3N5c3RlbT0idHJ1ZSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzgzNDMxMzgyMjI3MTI5MCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDkxMjIxNzI3NyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTEyMjE3Mjc3IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTY1MzkzNTgyMCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iZG8iIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzA3NDAwMzZhLTRlMTgtNDU2ZC05NmZhLWQxZDljNGNhNDY3Nj9QMT0xNzM5NzIwMTk2JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PVBIZ3k0Z005UW16S0FiUnVLN29rUjE3dkQlMmZrbkpjWlRaSDJEQk5IUERpMjRsNWlXN0lYUDM4ZUJUTWllY3dJWVR3R085UE9jRDVnaE41RkElMmIwSmp2ZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIxNSIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAxMjg5NCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTE2NTM5MzU4MjAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzA3NDAwMzZhLTRlMTgtNDU2ZC05NmZhLWQxZDljNGNhNDY3Nj9QMT0xNzM5NzIwMTk2JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PVBIZ3k0Z005UW16S0FiUnVLN29rUjE3dkQlMmZrbkpjWlRaSDJEQk5IUERpMjRsNWlXN0lYUDM4ZUJUTWllY3dJWVR3R085UE9jRDVnaE41RkElMmIwSmp2ZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjI4MjMwMSIgdG90YWw9IjE3NzE4MDIxNiIgZG93bmxvYWRfdGltZV9tcz0iNTcxODQzIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExNjUzOTM1ODIwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJ3aW5odHRwIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTcyMDE5NiZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1QSGd5NGdNOVFtektBYlJ1Szdva1IxN3ZEJTJma25KY1pUWkgyREJOSFBEaTI0bDVpVzdJWFAzOGVCVE1pZWN3SVlUd0dPOVBPY0Q1Z2hONUZBJTJiMEpqdmclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSI5MS44MS4xMjkuMTgxIiBjZG5fY2lkPSI5IiBjZG5fY2NjPSJpdCIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3NzE4MDIxNiIgdG90YWw9IjE3NzE4MDIxNiIgZG93bmxvYWRfdGltZV9tcz0iOTYwNzgiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTE2NTQwOTI0MTgiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTE2NjczNzM1MTMiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjEyMTg5NDA0NzY3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMjE4NyIgZG93bmxvYWRfdGltZV9tcz0iNjc0MTg3IiBkb3dubG9hZGVkPSIxNzcxODAyMTYiIHRvdGFsPSIxNzcxODAyMTYiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjUyMjAzIi8-PHBpbmcgYWN0aXZlPSIxIiBhPSIyIiByPSIyIiBhZD0iNjYxMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7NTRBMDYyRDUtMzk1RS00REY4LUJEQzItNUMyN0FBNTE3NDI1fSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGNvaG9ydD0icnJmQDAuNjgiIHVwZGF0ZV9jb3VudD0iMSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9InsyRTdERDMwQy01MkNDLTQ3RTktOUE4Ri0xMkYwRkRCRjc0RUR9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:1772
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3152

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{23DC19F9-53C2-497C-9653-6F79DEE7B9E3}\EDGEMITMP_7B20A.tmp\setup.exe
      Filesize

      6.6MB

      MD5

      b4c8ad75087b8634d4f04dc6f92da9aa

      SHA1

      7efaa2472521c79d58c4ef18a258cc573704fb5d

      SHA256

      522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

      SHA512

      5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

      Download Submit

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Filesize

      3.7MB

      MD5

      3646786aea064c0845f5bb1b8e976985

      SHA1

      a31ba2d2192898d4c0a01511395bdf87b0e53873

      SHA256

      a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f

      SHA512

      145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4

      Download Submit

    • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
      Filesize

      753KB

      MD5

      e1c8ecc48bda3b75643c51063b505d9e

      SHA1

      ebc13c483e158c25303b4ec958582a0decfc6a03

      SHA256

      1caa2af47cfdfd2b98ebec9a8a77b23af5d83ba5aea3a73dbbe7ce1bbd26e46e

      SHA512

      2aa35dff3be33227c864cb0cc8af5f445d8493cb7bf0c6d84cafd606f14c85eeee85be5cd6502cf2ba2eb3116225599f658c83b0cdcfdbddd538e4e35e7b4698

      Download Submit

    • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
      Filesize

      764KB

      MD5

      240a3fd5f7230fd169dac4a628c24920

      SHA1

      b3155f95d413fba45f825e57f69ba063385b0a94

      SHA256

      611fbb6a12270bc72463fa61dced088f1fc713aa16b6578aad8993610641c49c

      SHA512

      e62c711f8ab0652f24de81daa5e170a4b9058466fb8a86777bb0a51b39d0729e20cd31641a60f06fa25cf8e716c803de17038b089f18f43b24e710a96f1b36c3

      Download Submit

    • C:\Windows\SystemTemp\msedge_installer.log
      Filesize

      72KB

      MD5

      00e5ce8a615aef5e5c24c191279e2612

      SHA1

      dc9dcca7713c2a0f4ece4daa60dc9ebca767babc

      SHA256

      4c0d7c5f96914a7b1511fa7b89ad36dfdc5e3d538979ecbd8d331e837a0767e2

      SHA512

      db965d61a1b60ec5b6660853315f2598a0bd0326086031082c24b03a9e5352ebfd7833ab0772099acf8491a19b7e5ccb60d4f8cffe28ec75007dfabf6f7ae060

      Download Submit

    • C:\Windows\SystemTemp\msedge_installer.log
      Filesize

      98KB

      MD5

      49a842998423e7572adb14cbb9c3eb9a

      SHA1

      19662959c394dd36dc015b95b4447d3f8cf9cff3

      SHA256

      5bbb9b1c7777dc6305d7a277b6e057e34117a1512add72790b2adcfaca95e8fe

      SHA512

      e26361d0a318ba673a4bc9eca7dcf7eca1f59d50b146aecc699a1cad9e8e917890583b5cb43f7d7395cff62115ea0e1f2bedbeacce24dc682686a134beb22041

      Download Submit

    • C:\Windows\SystemTemp\msedge_installer.log
      Filesize

      103KB

      MD5

      2e42d66657fafb98bb73ace51452d259

      SHA1

      70a3b8819dd48a365c1430069f0cb00eea69cd0a

      SHA256

      59673b1eb77da4b049e020ce7874d042856b09db494ac0ec10a06c39513d3c7f

      SHA512

      745ebe89f76a2ee0c83c9a4471e09a022bcb15d815ac003a6ba3224fd669d72f1f33b6147e6798efb5ee9d90b16e94b8f946f4b12dba434ced1eb34979910bd8

      Download Submit

    • C:\Windows\SystemTemp\msedge_installer.log
      Filesize

      104KB

      MD5

      8f6f42ec5f8ff81e0c6822eae03414be

      SHA1

      6e90db8f054c556659312d3597ad2612bc972a00

      SHA256

      6234b9fbe1518a2c656a4eeb0c7b013220b184bda9d16ba31880ce4c4e540424

      SHA512

      7751712a48efe8b160407a2776665f4a0d8b071dc3781a2f6b9378afb68c8b5fb85ff2ddf59b4393a880fb3f738fba33e6f9428c511645e051553b7442b32f9d

      Download Submit