Analysis

  • max time kernel
    570s
  • max time network
    491s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250207-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250207-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    10-02-2025 19:52

General

  • Target

    data-Setup/Setup.exe

  • Size

    44KB

  • MD5

    f86507ff0856923a8686d869bbd0aa55

  • SHA1

    d561b9cdbba69fdafb08af428033c4aa506802f8

  • SHA256

    94f4fd6f2cb781ae7839ad2ee0322df732c8c7297e62834457662f8cde29dcbb

  • SHA512

    6c1c073fc09498407b2c6b46d7a7e04c2db3c6f8d68c0dc0775211864c4508c48c2bd92e3849dc3805caacc856f9e31e1eea118661a55f526bfa61638f88c3da

  • SSDEEP

    384:RozxIpl4504JaAystntGecMJ6gjpS1BO2NjrLVXjW9VBhKigecicWwnWzYDTFu:Rg04PGeZQG2NDVXjWLu1imL

Malware Config

Extracted

  • Language
    ps1
  • Source
    URLs
  • ps1.dropper
    https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice
  • exe.dropper
    https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice

Extracted

  • Family
    vidar
  • C2
    https://t.me/sok33tn
    https://steamcommunity.com/profiles/76561199824159981

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

  • Detect Vidar Stealer 6 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Blocklisted process makes network request 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs commands via powershell.exe.

  • Downloads MZ/PE file 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 15 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules that act as plugins for Internet Explorer.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 42 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3624
    • C:\Users\Admin\AppData\Local\Temp\data-Setup\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\data-Setup\Setup.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4224
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\data-Setup\data\extract_and_run.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4444
        • C:\Users\Admin\AppData\Local\Temp\data-Setup\data\7za.exe
          7za.exe e bin.zip -pYOUR_PASSWORD -oextracted_5897
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1152
        • C:\Windows\system32\timeout.exe
          timeout /t 2
          4⤵
          • Delays execution with timeout.exe
          PID:4948
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /K "extracted_5897\sss.bat"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4568
          • C:\Windows\system32\net.exe
            net session
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1628
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 session
              6⤵
                PID:2612
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\data-Setup\data\extracted_5897\script.ps1"
              5⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Downloads MZ/PE file
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1584
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:856
              • C:\Users\Admin\AppData\Roaming\0Q7NV5HB.exe
                "C:\Users\Admin\AppData\Roaming\0Q7NV5HB.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:944
                • C:\Users\Admin\AppData\Roaming\0Q7NV5HB.exe
                  "C:\Users\Admin\AppData\Roaming\0Q7NV5HB.exe"
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Checks processor information in registry
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4268
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 808
                  7⤵
                  • Program crash
                  PID:544
              • C:\Users\Admin\AppData\Roaming\MPVNGTWD.exe
                "C:\Users\Admin\AppData\Roaming\MPVNGTWD.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1936
          • C:\Windows\system32\timeout.exe
            timeout /t 2
            4⤵
            • Delays execution with timeout.exe
            PID:836
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-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
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:776
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 944 -ip 944
      1⤵
        PID:2084
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C607E09-631F-4DC1-A955-63E4C4DE2405}\MicrosoftEdge_X64_132.0.2957.140.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C607E09-631F-4DC1-A955-63E4C4DE2405}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C607E09-631F-4DC1-A955-63E4C4DE2405}\EDGEMITMP_242DC.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C607E09-631F-4DC1-A955-63E4C4DE2405}\EDGEMITMP_242DC.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C607E09-631F-4DC1-A955-63E4C4DE2405}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
          2⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Installs/modifies Browser Helper Object
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1936
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C607E09-631F-4DC1-A955-63E4C4DE2405}\EDGEMITMP_242DC.tmp\setup.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C607E09-631F-4DC1-A955-63E4C4DE2405}\EDGEMITMP_242DC.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C607E09-631F-4DC1-A955-63E4C4DE2405}\EDGEMITMP_242DC.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6a579a818,0x7ff6a579a824,0x7ff6a579a830
            3⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1628
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C607E09-631F-4DC1-A955-63E4C4DE2405}\EDGEMITMP_242DC.tmp\setup.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C607E09-631F-4DC1-A955-63E4C4DE2405}\EDGEMITMP_242DC.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
            3⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:4784
            • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C607E09-631F-4DC1-A955-63E4C4DE2405}\EDGEMITMP_242DC.tmp\setup.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C607E09-631F-4DC1-A955-63E4C4DE2405}\EDGEMITMP_242DC.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C607E09-631F-4DC1-A955-63E4C4DE2405}\EDGEMITMP_242DC.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6a579a818,0x7ff6a579a824,0x7ff6a579a830
              4⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:4500
          • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
            3⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:968
            • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6b9d1a818,0x7ff6b9d1a824,0x7ff6b9d1a830
              4⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:4224
          • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
            3⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:3596
            • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6b9d1a818,0x7ff6b9d1a824,0x7ff6b9d1a830
              4⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:3188
          • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
            3⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:5040
            • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6b9d1a818,0x7ff6b9d1a824,0x7ff6b9d1a830
              4⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:4664
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4F0AB372-1854-485B-875C-4354B0994C52}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4F0AB372-1854-485B-875C-4354B0994C52}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1108
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4F0AB372-1854-485B-875C-4354B0994C52}\EDGEMITMP_EA1F8.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4F0AB372-1854-485B-875C-4354B0994C52}\EDGEMITMP_EA1F8.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4F0AB372-1854-485B-875C-4354B0994C52}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --previous-version="132.0.2957.140" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
          2⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4F0AB372-1854-485B-875C-4354B0994C52}\EDGEMITMP_EA1F8.tmp\setup.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4F0AB372-1854-485B-875C-4354B0994C52}\EDGEMITMP_EA1F8.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4F0AB372-1854-485B-875C-4354B0994C52}\EDGEMITMP_EA1F8.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7d68d6a68,0x7ff7d68d6a74,0x7ff7d68d6a80
            3⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3328
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODgzNTA2ODItRTU4QS00NzEyLTgxQzgtNUUxOTA3OTM3Rjk0fSIgdXNlcmlkPSJ7QzJGNEQxOTktRjVGQS00QUVELUIxNEMtMDg3N0YzNTcxM0EwfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins3QTk5OEMzNC1CRjYwLTQ0QzgtQjY5Mi0zMzFBNjQxNUUwMUJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ0LjQ1MjkiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxMjUiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-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-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_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-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-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-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-
        1⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:2796

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4F0AB372-1854-485B-875C-4354B0994C52}\EDGEMITMP_EA1F8.tmp\setup.exe

        Filesize

        6.8MB

        MD5

        1b3e9c59f9c7a134ec630ada1eb76a39

        SHA1

        a7e831d392e99f3d37847dcc561dd2e017065439

        SHA256

        ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

        SHA512

        c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C607E09-631F-4DC1-A955-63E4C4DE2405}\EDGEMITMP_242DC.tmp\setup.exe

        Filesize

        6.6MB

        MD5

        b4c8ad75087b8634d4f04dc6f92da9aa

        SHA1

        7efaa2472521c79d58c4ef18a258cc573704fb5d

        SHA256

        522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

        SHA512

        5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest.xml

        Filesize

        444B

        MD5

        57ccd4f37e1059ec69bba4f05729c8bf

        SHA1

        f6d9211aa9b3c1cf039cb90567689aa16910532d

        SHA256

        71763943d29a1a07edb32c22a42f223d401e1d435cb060ffeb328f0e9c75ea28

        SHA512

        eb9dd893bd41c5f6852582292536f28f89487b76caf1104519f702597ecc9e760e51e13046ed54516a8e7b816364295528461006561a6e33a7437cebd4dea1a7

      • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

        Filesize

        759KB

        MD5

        dbb6056fa0cc43623a59cbe2dfc242ae

        SHA1

        fcdc3e5b15ff02c0d8376a3d2e7e21a18ec919f8

        SHA256

        137dd4bfe7bf4abeec00bbd860948fd9bd71c23315f7a3f1e19e06373a39d048

        SHA512

        d03753c7fe02172d363a8fb02b0c5551dc4015a4c643985b0b9a9e1b6f83fce2c93decb3910890aebbc90c5badbeee00d985fd4f268510ef8f46faf33cc92f1e

      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk

        Filesize

        2KB

        MD5

        443025c773ee7d0f48079aa49a64508a

        SHA1

        c2607b1e8c8026af1de5b37e1e50801eb7786e19

        SHA256

        f5f41995371440767829d1a9ac81cfaf28b29b6e6fbea4fe6177f9335589448e

        SHA512

        2bf199d0b8eae13cc31d137212fab47273f9b55ff1fde0d527c25188a576646678afec6705d74a668b8a215bf5dfbaf2d6965e98bb27c9ebd226ec8d27ffc026

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        3eb3833f769dd890afc295b977eab4b4

        SHA1

        e857649b037939602c72ad003e5d3698695f436f

        SHA256

        c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

        SHA512

        c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        5ad80c2c7a4f2bd682c0499263e423f8

        SHA1

        101f698488ca299fa869aec2d10442f39bffb7bf

        SHA256

        39c547b555f2e6e33d04f58c06b78dbf9a0e81f5620fc7f830d7a33642eb3a17

        SHA512

        b1494c99aa974805f9d0b6b0b3729ff4bf696c07ed50362a0ff72a972b7d88baa43460bc34fd5ac1fd201f69ce749541681ae751c893a4e18e1af1f8ed0b9b45

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gta0t0df.k2u.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\data-Setup\data\extract_and_run.bat

        Filesize

        952B

        MD5

        fae61599308bbc78cae99ebdcb666f43

        SHA1

        de0a1d2344b09b29b1040bd4904f604a47a6d8c6

        SHA256

        f65af4a3d9d7f4464de4f7c136122f548c3b662a389e569d842be7e3a60d7863

        SHA512

        8e3d8d8ed97e65acd719d60624fa5c5506696e6fbbad5b0466748cccc24832e130bdf584fe0ce55f14628c68ca0a602310f7cb964cd38cf56735a6c64e4ddbf3

      • C:\Users\Admin\AppData\Local\Temp\data-Setup\data\extracted_5897\script.ps1

        Filesize

        2KB

        MD5

        d11c3a63c5ba659b5fe7b5534cb03df5

        SHA1

        d08b1e6af9e5c66454236e5ba64e4c3659db4c47

        SHA256

        02fba22cf32e907760e64c7e4bc4803e2b5395a7eef2091f3f0c9c103aaa3187

        SHA512

        a62a807f7ec5ca51ae392f10b68f3b6a326ae596ee2fdd4da662e58662142d5842d8e8abf1f7a84aba85ef2b067803733301b769024ae8c7bc3ce625c485b4ec

      • C:\Users\Admin\AppData\Local\Temp\data-Setup\data\extracted_5897\sss.bat

        Filesize

        405B

        MD5

        9ca3883fd45a5a455e64704ac6151ac9

        SHA1

        e7f89032ce544253a51020d7e894f6919fc35839

        SHA256

        c981688479756c987d6207e5804ed2b97fb50dfc80469309646c3f79d5ed05b4

        SHA512

        e5746faaae0680f68295db94f3865a7ec56663553d7401f996cce18bdc67ade23aef10c81018da28992e82a8178dc8a567b5b355479c7ceedfb87e46be9efa5a

      • C:\Users\Admin\AppData\Roaming\0Q7NV5HB.exe

        Filesize

        200KB

        MD5

        00affd80e21068e56ae72712509f7a98

        SHA1

        ca6af85f9f2a735f258e1a43043a4b54cdffa9df

        SHA256

        a03ce36025010929a9cc0d286ed02100d259ffc7693beb3623ea7007dce4802c

        SHA512

        07c3f0336e4a6d85bc7c14f1fcba924e45e077f0ada157fa17c4b989fced5d1ac59054c7e90729e63ce3d4f0de7e280a35776c614f681609714418d9a847b7d6

      • C:\Users\Admin\AppData\Roaming\MPVNGTWD.exe

        Filesize

        11.8MB

        MD5

        eca54760f1e96a78e3f6bc537debc6bc

        SHA1

        82ef61482d781849a80f9f9cff67e2f76ffb7035

        SHA256

        b9b69e4088f61ce32506078d301f9cfc7db064945d6e608724e213aab5852db5

        SHA512

        f70749a89d7d66c2089981fc161db8c88cdf4a3ff6ae6df18b2c6f30b351ad9dd33e527ebea0052db2b60896f7caa44ca2edafa9381db689867d2f9806e36944

      • C:\Windows\SystemTemp\msedge_installer.log

        Filesize

        70KB

        MD5

        9b70c5969059cb0b93867371e36f3ed4

        SHA1

        f9db3bf820d5342dfd0d036dbbd9f8df00ddad39

        SHA256

        459a1e717deaae4c4e7a7c66c11fbcd2c1d5766938335b75cd5714d2c3b46eb8

        SHA512

        c11870274947757df7ff974dbb5d6ef4fa417c1ef5c3de3b00c29a4c1502b2839d3aed5ff70bc65c4a474d3d726ef98d12b1ec8d0776ed8d103ab5e057db54dd

      • C:\Windows\SystemTemp\msedge_installer.log

        Filesize

        96KB

        MD5

        e566a6c424d839182654fedd3fb740d5

        SHA1

        1dc3e234e71648c33e38b16ce071d26a671e38c0

        SHA256

        b41edc9d1fd7b1daa33bed2d4b6dea76aa385e8b2740b185860727b780bff41a

        SHA512

        be63a437ffbfacc34a455245603755538ec09c0aaf7af08c82da01db0b06f2d454abb0e520f558c635cf3700c41cb8954cf9263e5de7f9d514fd1c92b4df9bc9

      • C:\Windows\SystemTemp\msedge_installer.log

        Filesize

        100KB

        MD5

        f22b39c1e575b756c9aad90b6c531d62

        SHA1

        9160155e8bec5c2b3f62e80fefba6339556a8e9b

        SHA256

        7de60080820b561b4df8c001980eb9994b120cc52780e2b675652a81cbfe537d

        SHA512

        f233875e52341a3ee0026ba1727cc5448ea0daef2af6d6b279347115e85eacba7bd1d25bd1d309bf0b8bc1ff60d150203d3bc2f326e716b4132e076a9326c0d7

      • C:\Windows\SystemTemp\msedge_installer.log

        Filesize

        101KB

        MD5

        c9b3915893a3786264a0c53090213127

        SHA1

        fddd059a4659f84a01a2e8c0c1360ced2561b18a

        SHA256

        a790d89a97ac94ca75f20b183ee349c1f732a5d8a7f3396c80e9700cc7b3fc4f

        SHA512

        f0c7caf0923814f7f6bb136731c114399b3a73bcf649cbc26471ce5a3ae884199fb78162b32f39c6a497fcb32ddf831147ef31fbc45194944d9cb204ec6e90cf

      • C:\Windows\SystemTemp\msedge_installer.log

        Filesize

        105KB

        MD5

        22e30343921d0b81da467a528a7634b2

        SHA1

        377d903607727e85b832bbe516652a1dbd09598e

        SHA256

        51b10f87310da13c2826361303a011d263e5f423344d6636c6d015651610cceb

        SHA512

        c4fd8fc98716ffb89e501f6e96d17ab3228582661d1e7085888980e40b95ac984199028bb952a88f3eadddbe4b1ff53169544edd5e11b6f6b49bb2bbc59d662a

      • memory/944-50-0x00000000052F0000-0x0000000005896000-memory.dmp

        Filesize

        5.6MB

      • memory/944-49-0x0000000000320000-0x0000000000356000-memory.dmp

        Filesize

        216KB

      • memory/1584-23-0x00007FF9EBCF0000-0x00007FF9EC7B2000-memory.dmp

        Filesize

        10.8MB

      • memory/1584-22-0x00007FF9EBCF3000-0x00007FF9EBCF5000-memory.dmp

        Filesize

        8KB

      • memory/1584-79-0x00007FF9EBCF0000-0x00007FF9EC7B2000-memory.dmp

        Filesize

        10.8MB

      • memory/1584-8-0x00007FF9EBCF3000-0x00007FF9EBCF5000-memory.dmp

        Filesize

        8KB

      • memory/1584-9-0x00000235CBAD0000-0x00000235CBAF2000-memory.dmp

        Filesize

        136KB

      • memory/1584-19-0x00007FF9EBCF0000-0x00007FF9EC7B2000-memory.dmp

        Filesize

        10.8MB

      • memory/1584-20-0x00007FF9EBCF0000-0x00007FF9EC7B2000-memory.dmp

        Filesize

        10.8MB

      • memory/1936-81-0x00007FFA0A2D0000-0x00007FFA0A2D2000-memory.dmp

        Filesize

        8KB

      • memory/1936-82-0x00007FF67FDF0000-0x00007FF6810CD000-memory.dmp

        Filesize

        18.9MB

      • memory/3624-85-0x00007FF67FDF0000-0x00007FF6810CE000-memory.dmp

        Filesize

        18.9MB

      • memory/4268-63-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

      • memory/4268-52-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

      • memory/4268-54-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

      • memory/4268-62-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

      • memory/4268-65-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

      • memory/4268-64-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB