Overview

overview

10

Static

static

3

db0d72bc7d...d1.exe

windows7-x64

10

db0d72bc7d...d1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250211-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-02-2025 22:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1.exe

  • Size

    2.7MB

  • MD5

    48d8f7bbb500af66baa765279ce58045

  • SHA1

    2cdb5fdeee4e9c7bd2e5f744150521963487eb71

  • SHA256

    db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1

  • SHA512

    aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

  • SSDEEP

    49152:bbevayZlMTWkygVy0nQZfVY2BtZzpPL4PuQ65+6Dv7m0KXTn:bbexZlMQcEVY2BtZzpPL4WQI9U

Score
10/10
danabotadwarebankerbotnetdiscoverypersistenceprivilege_escalationstealertrojan

Malware Config

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot family
    danabot
  • Danabot x86 payload 1 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet
  • Blocklisted process makes network request 8 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Downloads MZ/PE file 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • System policy modification 1 TTPs 4 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1.exe
    "C:\Users\Admin\AppData\Local\Temp\db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\DB0D72~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\DB0D72~1.EXE@1756
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DB0D72~1.DLL,f0
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:516
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 464
      2⤵
      • Program crash
      PID:4844
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEQ4QjdCNUMtRTBERC00QTEzLUE4N0EtMDQyNDI1ODNCNUU0fSIgdXNlcmlkPSJ7Mzg2MTFCMEQtNkU0Ri00OTcyLUJCRUYtRjAwQjE0NkJFQzlGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RDQyNjRCNDctOTVGQS00NjE0LTlDOEItRDI4NDJGNTBDNjI4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDA5ODUxOTIxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:460
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1756 -ip 1756
    1⤵
      PID:1088
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{036CD456-9F97-4345-8213-608CD675EDEC}\MicrosoftEdge_X64_133.0.3065.59.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{036CD456-9F97-4345-8213-608CD675EDEC}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3376
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{036CD456-9F97-4345-8213-608CD675EDEC}\EDGEMITMP_B2835.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{036CD456-9F97-4345-8213-608CD675EDEC}\EDGEMITMP_B2835.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{036CD456-9F97-4345-8213-608CD675EDEC}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Installs/modifies Browser Helper Object
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3812
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{036CD456-9F97-4345-8213-608CD675EDEC}\EDGEMITMP_B2835.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{036CD456-9F97-4345-8213-608CD675EDEC}\EDGEMITMP_B2835.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{036CD456-9F97-4345-8213-608CD675EDEC}\EDGEMITMP_B2835.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff64ccb6a68,0x7ff64ccb6a74,0x7ff64ccb6a80
          3⤵
          • Executes dropped EXE
          PID:3696
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{036CD456-9F97-4345-8213-608CD675EDEC}\EDGEMITMP_B2835.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{036CD456-9F97-4345-8213-608CD675EDEC}\EDGEMITMP_B2835.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:3544
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{036CD456-9F97-4345-8213-608CD675EDEC}\EDGEMITMP_B2835.tmp\setup.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{036CD456-9F97-4345-8213-608CD675EDEC}\EDGEMITMP_B2835.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{036CD456-9F97-4345-8213-608CD675EDEC}\EDGEMITMP_B2835.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff64ccb6a68,0x7ff64ccb6a74,0x7ff64ccb6a80
            4⤵
            • Executes dropped EXE
            PID:4424
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff74abf6a68,0x7ff74abf6a74,0x7ff74abf6a80
            4⤵
            • Executes dropped EXE
            PID:1620
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:4280
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff74abf6a68,0x7ff74abf6a74,0x7ff74abf6a80
            4⤵
            • Executes dropped EXE
            PID:2668
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff74abf6a68,0x7ff74abf6a74,0x7ff74abf6a80
            4⤵
            • Executes dropped EXE
            PID:928
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
      1⤵
        PID:3092
      • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
        "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4804
      • C:\Windows\system32\wwahost.exe
        "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3920
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEQ4QjdCNUMtRTBERC00QTEzLUE4N0EtMDQyNDI1ODNCNUU0fSIgdXNlcmlkPSJ7Mzg2MTFCMEQtNkU0Ri00OTcyLUJCRUYtRjAwQjE0NkJFQzlGfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InsyRkQ2NzZBOC04NzU3LTQzRDItOTlBOC02QzQ4NTI4OURGQkV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS40MyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGNvaG9ydD0icnJmQDAuMDEiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMSIgcmQ9IjY2MTYiIHBpbmdfZnJlc2huZXNzPSJ7N0Y0QjU2NEQtQjE1Mi00NUI0LUFEQ0UtN0ExNkM5M0RCOTAzfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEzMy4wLjMwNjUuNTkiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMSIgaXNfcGlubmVkX3N5c3RlbT0idHJ1ZSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzgzNzU4MTgwNTExOTQ4MCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTAyMDk0NjEyMSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDIwOTQ2MTIxIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTkxMjU3OTU3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvZmVkNTU4MDUtMmU4NS00MWQ4LWI0ZTMtNGVmNmI1ZWJmNjNhP1AxPTE3NDAwMDUzOTUmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9anl3UUpDdnpXVlE3YU5yTUt2a1g4RDlZYVl0cDJPUFRvUmFPZFZFRlMxOXJ5MDVXV1gxcklJSThFUEglMmZYNmthZnh2VkJWYyUyYiUyYmFWMkFFMVVVSHluU3clM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIwIiB0b3RhbD0iMCIgZG93bmxvYWRfdGltZV9tcz0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTkxMjU3OTU3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9mZWQ1NTgwNS0yZTg1LTQxZDgtYjRlMy00ZWY2YjVlYmY2M2E_UDE9MTc0MDAwNTM5NSZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1qeXdRSkN2eldWUTdhTnJNS3ZrWDhEOVlhWXRwMk9QVG9SYU9kVkVGUzE5cnkwNVdXWDFySUlJOEVQSCUyZlg2a2FmeHZWQlZjJTJiJTJiYVYyQUUxVVVIeW5TdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3ODYwNDA4OCIgdG90YWw9IjE3ODYwNDA4OCIgZG93bmxvYWRfdGltZV9tcz0iNTAyOTciLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTU5MTI1Nzk1NyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NjA0Njk1ODM2IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2MjU5Njk1ODE5IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iNDIyIiBkb3dubG9hZF90aW1lX21zPSI1NzAxNSIgZG93bmxvYWRlZD0iMTc4NjA0MDg4IiB0b3RhbD0iMTc4NjA0MDg4IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI2NTUwMCIvPjxwaW5nIGFjdGl2ZT0iMSIgYT0iMSIgcj0iMSIgYWQ9IjY2MTYiIHJkPSI2NjE2IiBwaW5nX2ZyZXNobmVzcz0iezk2REVFMDU5LTM1MTgtNEEzRS04RDA4LTcwMTcwMzI1OUM5RH0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZT0iNjYxNSIgY29ob3J0PSJycmZAMC41OCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxNiIgcGluZ19mcmVzaG5lc3M9InswODBBMkUwRi1BMTVCLTRCQzctOTlGNS1EMjU2RDVCOUQ0MDR9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        1⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:1980

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{036CD456-9F97-4345-8213-608CD675EDEC}\EDGEMITMP_B2835.tmp\setup.exe
        Filesize

        6.8MB

        MD5

        1b3e9c59f9c7a134ec630ada1eb76a39

        SHA1

        a7e831d392e99f3d37847dcc561dd2e017065439

        SHA256

        ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

        SHA512

        c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

        Download Submit

      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Filesize

        3.9MB

        MD5

        ad5f7dc7ca3e67dce70c0a89c04519e0

        SHA1

        a10b03234627ca8f3f8034cd5637cda1b8246d83

        SHA256

        663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31

        SHA512

        ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

        Download Submit

      • C:\Program Files\msedge_installer.log
        Filesize

        73KB

        MD5

        856b7c88eeda269d70b823371908c6af

        SHA1

        14583635dfc37840491b59390d0e37b9175d3a80

        SHA256

        b2350e3292f1d4c0046fc8a85323ccd7d47a5d3e7776ae486228521f36bdfd11

        SHA512

        62d089ca9d5769716be9ea54f17460e1584b416b5eda50aff0a16bcc6db469579298d8412504976a18ef45760001cfbdc70d002e36a805b55d1cced4229388c6

        Download Submit

      • C:\Program Files\msedge_installer.log
        Filesize

        98KB

        MD5

        67289cdb6b4a9c913b260edc6c87ed7e

        SHA1

        697b927832a841e5fb3f6c6fb8a53fb3b72748b9

        SHA256

        19b43c9cdae8873991d9a6920d66e3ccc8ae22d4348ee606a2e7fa64fa42d51f

        SHA512

        93f0be089d11dc652ef1030ba9ffe0ba56e0a49b22889cdfe9bb52ef3a90aa6bc6bf420bb6a6732e32531f45abea1d0dab981da49a539fa16ebd05c2e7a0248c

        Download Submit

      • C:\Program Files\msedge_installer.log
        Filesize

        102KB

        MD5

        b4f98d5d03190d9038567e9727fcc0ad

        SHA1

        bcc94c38e28587b66f112e7e3a66c70e490c4444

        SHA256

        98a4391e8437681c3af4b082e4de40a8480dddf266437547bf64b35fbcb90cd4

        SHA512

        f6bba88c6982464870b6e375dd2b3857ab72c25f0d85aa62b862778a2362206b1cd6d7be87548f9dc5fafb8109106cc17a60f80695c01fcab52b53f7629a2a1d

        Download Submit

      • C:\Program Files\msedge_installer.log
        Filesize

        104KB

        MD5

        e8ef83c1278f7093a6bf3eea7da43a5f

        SHA1

        5d9b4c4169c669681419adbcd540917bd5aff079

        SHA256

        66b4afea60919b15fe2984d38a15b3d82c3e9b38262e1b7431df7760b330b2ab

        SHA512

        d49213d01fa87fb9d3ab78fcc5267847ace30a9d4836a90d8abacf98515f7d6e78ff71a8fca8de5ea47ed747cb7a911610322218446d9c96cc3d3a81f95fa282

        Download Submit

      • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
        Filesize

        474KB

        MD5

        7ebf8d203aa7d6a95354fce842961d56

        SHA1

        c01a1834b764d00d901ffd792b0791d9bd63c656

        SHA256

        d8a3a34de3c0c7ee3c4dc0e9f532349447afcbdee7923ab5fc428b20b8e977f0

        SHA512

        2a6635001b28a3f2731f640892fab2bdfb85ecf1b0e6ca61079a1d9da1e01df5b99b30ce439c3ff65f9fa889bd4371db4f1530002a89729e13223e06e17f1b82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\DB0D72~1.DLL
        Filesize

        2.4MB

        MD5

        7e76f7a5c55a5bc5f5e2d7a9e886782b

        SHA1

        fc500153dba682e53776bef53123086f00c0e041

        SHA256

        abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

        SHA512

        0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

        Download Submit

      • memory/516-17-0x0000000000400000-0x000000000066B000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/516-15-0x0000000000400000-0x000000000066B000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/1756-4-0x0000000000400000-0x000000000069A000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/1756-12-0x0000000000400000-0x0000000000AAD000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/1756-14-0x0000000000400000-0x000000000069A000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/1756-13-0x0000000002960000-0x0000000002BED000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/1756-3-0x0000000002960000-0x0000000002BED000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/1756-2-0x00000000026D0000-0x0000000002955000-memory.dmp

        Filesize

        2.5MB

        Download

      • memory/4468-9-0x00000000025F0000-0x000000000285B000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4468-10-0x00000000009F0000-0x00000000009F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4804-92-0x00000187D58B0000-0x00000187D58BE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4804-93-0x00000187D5D60000-0x00000187D5D6A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4804-94-0x00000187D5D90000-0x00000187D5D98000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4804-95-0x00000187F1200000-0x00000187F1449000-memory.dmp

        Filesize

        2.3MB

        Download