Overview

overview

8

Static

static

1

URLScan

urlscan

1

https://drive.google...

windows11-21h2-x64

8

Analysis

  • max time kernel
    153s
  • max time network
    155s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250211-en
  • resource tags

    arch:x64arch:x86image:win11-20250211-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12-02-2025 00:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://drive.google.com/file/d/1asKaKxAPI6eOqUh04lK9dbhszDOhvCj8/view?usp=sharing

Score
8/10
adwarediscoverypersistenceprivilege_escalationstealer

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Downloads MZ/PE file 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 28 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1asKaKxAPI6eOqUh04lK9dbhszDOhvCj8/view?usp=sharing
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc606a3cb8,0x7ffc606a3cc8,0x7ffc606a3cd8
      2⤵
        PID:1232
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,1763608095075870899,93717809829922131,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
        2⤵
          PID:5024
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,1763608095075870899,93717809829922131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2836
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,1763608095075870899,93717809829922131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
          2⤵
            PID:1312
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1763608095075870899,93717809829922131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
            2⤵
              PID:4628
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1763608095075870899,93717809829922131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
              2⤵
                PID:3224
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,1763608095075870899,93717809829922131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:8
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:564
              • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,1763608095075870899,93717809829922131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
                2⤵
                  PID:348
                • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,1763608095075870899,93717809829922131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3832
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1763608095075870899,93717809829922131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
                  2⤵
                    PID:5060
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1763608095075870899,93717809829922131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
                    2⤵
                      PID:2348
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1763608095075870899,93717809829922131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
                      2⤵
                        PID:4908
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1763608095075870899,93717809829922131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
                        2⤵
                          PID:232
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,1763608095075870899,93717809829922131,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=876 /prefetch:2
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4904
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:1988
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:4484
                          • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7M0YyOTg0MTMtQTY0RC00QTIyLUE0RTItRkRENEU2QUZFMzlBfSIgdXNlcmlkPSJ7QzU5MjRCRjAtQzU1OS00MzkzLUEyNTUtNjdBNDUyNzM0ODg0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RjQxQzE5MTAtMTBBNC00QkNDLUI5QTctMDNCQUJERTMxRUEwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczOTI4MjMwMiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzUzNTk3Mjc0MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ4NjE2NTM3NDkiLz48L2FwcD48L3JlcXVlc3Q-
                            1⤵
                            • System Location Discovery: System Language Discovery
                            • System Network Configuration Discovery: Internet Connection Discovery
                            PID:924
                          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0D095F36-15E8-45BE-B226-29CA87D7CC9A}\MicrosoftEdge_X64_133.0.3065.59.exe
                            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0D095F36-15E8-45BE-B226-29CA87D7CC9A}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
                            1⤵
                              PID:348
                              • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0D095F36-15E8-45BE-B226-29CA87D7CC9A}\EDGEMITMP_A2DF3.tmp\setup.exe
                                "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0D095F36-15E8-45BE-B226-29CA87D7CC9A}\EDGEMITMP_A2DF3.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0D095F36-15E8-45BE-B226-29CA87D7CC9A}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
                                2⤵
                                • Boot or Logon Autostart Execution: Active Setup
                                • Executes dropped EXE
                                • Installs/modifies Browser Helper Object
                                • Drops file in Program Files directory
                                • Drops file in Windows directory
                                • Modifies Internet Explorer settings
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:4116
                                • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0D095F36-15E8-45BE-B226-29CA87D7CC9A}\EDGEMITMP_A2DF3.tmp\setup.exe
                                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0D095F36-15E8-45BE-B226-29CA87D7CC9A}\EDGEMITMP_A2DF3.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0D095F36-15E8-45BE-B226-29CA87D7CC9A}\EDGEMITMP_A2DF3.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff715f66a68,0x7ff715f66a74,0x7ff715f66a80
                                  3⤵
                                  • Executes dropped EXE
                                  • Drops file in Windows directory
                                  PID:3996
                                • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0D095F36-15E8-45BE-B226-29CA87D7CC9A}\EDGEMITMP_A2DF3.tmp\setup.exe
                                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0D095F36-15E8-45BE-B226-29CA87D7CC9A}\EDGEMITMP_A2DF3.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
                                  3⤵
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • Drops file in Program Files directory
                                  • Drops file in Windows directory
                                  • Modifies data under HKEY_USERS
                                  PID:2472
                                  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0D095F36-15E8-45BE-B226-29CA87D7CC9A}\EDGEMITMP_A2DF3.tmp\setup.exe
                                    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0D095F36-15E8-45BE-B226-29CA87D7CC9A}\EDGEMITMP_A2DF3.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0D095F36-15E8-45BE-B226-29CA87D7CC9A}\EDGEMITMP_A2DF3.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff715f66a68,0x7ff715f66a74,0x7ff715f66a80
                                    4⤵
                                    • Executes dropped EXE
                                    • Drops file in Windows directory
                                    PID:1972
                                • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
                                  3⤵
                                  • Executes dropped EXE
                                  • Drops file in Windows directory
                                  PID:4768
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7d9656a68,0x7ff7d9656a74,0x7ff7d9656a80
                                    4⤵
                                    • Executes dropped EXE
                                    • Drops file in Windows directory
                                    PID:2084
                                • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
                                  3⤵
                                  • Executes dropped EXE
                                  • Drops file in Windows directory
                                  PID:2180
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7d9656a68,0x7ff7d9656a74,0x7ff7d9656a80
                                    4⤵
                                    • Executes dropped EXE
                                    • Drops file in Windows directory
                                    PID:4744
                            • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                              "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7M0YyOTg0MTMtQTY0RC00QTIyLUE0RTItRkRENEU2QUZFMzlBfSIgdXNlcmlkPSJ7QzU5MjRCRjAtQzU1OS00MzkzLUEyNTUtNjdBNDUyNzM0ODg0fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins0NzQ1OTA4OC0xMjcwLTRCMjMtQjZGMC1DRTUxNjU4QjFCQzR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC40NCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxNiIgcGluZ19mcmVzaG5lc3M9Ins1MkQ0NjVGOS0wMUYxLTQ1MTQtODVCMi0zRkU1QjVEMzlERUZ9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iMTMzLjAuMzA2NS41OSIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSIwIiBpc19waW5uZWRfc3lzdGVtPSJ0cnVlIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM3OTIzMjg4MDA2ODQwIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODc1NDE4MzI1IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ4NzU0MTgzMjUiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0NjYxMzU0MjIiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9mZWQ1NTgwNS0yZTg1LTQxZDgtYjRlMy00ZWY2YjVlYmY2M2E_UDE9MTczOTkyMzU0MyZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1Ha212dVk5YXEwcTkySkhsUlJnJTJiQWhyZ29lM29yWFkyT2c1JTJmY2ZMZDUlMmZWRSUyYkZDanglMmJPOFdBVlpIN0VPRWJhNkpJdkZPMUU3YnBrTEtKUjNMbiUyZkVWdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0NjYxMzU0MjIiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2ZlZDU1ODA1LTJlODUtNDFkOC1iNGUzLTRlZjZiNWViZjYzYT9QMT0xNzM5OTIzNTQzJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PUdrbXZ1WTlhcTBxOTJKSGxSUmclMmJBaHJnb2Uzb3JYWTJPZzUlMmZjZkxkNSUyZlZFJTJiRkNqeCUyYk84V0FWWkg3RU9FYmE2Skl2Rk8xRTdicGtMS0pSM0xuJTJmRVZ3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTc4NjA0MDg4IiB0b3RhbD0iMTc4NjA0MDg4IiBkb3dubG9hZF90aW1lX21zPSI1MjM3NyIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDY2MTM1NDIyIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0Nzg5NDg1MDgiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjYwOTczODU2NDUiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI5NTgiIGRvd25sb2FkX3RpbWVfbXM9IjU5MDU3IiBkb3dubG9hZGVkPSIxNzg2MDQwODgiIHRvdGFsPSIxNzg2MDQwODgiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjYxODQ0Ii8-PHBpbmcgYWN0aXZlPSIxIiBhPSIxIiByPSIxIiBhZD0iNjYxNiIgcmQ9IjY2MTYiIHBpbmdfZnJlc2huZXNzPSJ7M0E0NjNBREItQTE1My00NkY1LUI2MjEtNTg0NUFFMDNDQkUwfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGNvaG9ydD0icnJmQDAuNTciIHVwZGF0ZV9jb3VudD0iMSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxNiIgcGluZ19mcmVzaG5lc3M9Ins1NjREQkY2RC0zODUzLTQ0ODQtQjE2OC01NDdERDQ5ODY0NDZ9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
                              1⤵
                              • System Location Discovery: System Language Discovery
                              • System Network Configuration Discovery: Internet Connection Discovery
                              PID:1544

                            Network

                            MITRE ATT&CK Enterprise v15

                            Reconnaissance

                            Resource Development

                            Initial Access

                            Execution

                            Persistence

                            Boot or Logon Autostart Execution

                            1
                            T1547

                            Active Setup

                            1
                            T1547.014

                            Browser Extensions

                            1
                            T1176

                            Event Triggered Execution

                            1
                            T1546

                            Component Object Model Hijacking

                            1
                            T1546.015

                            Privilege Escalation

                            Boot or Logon Autostart Execution

                            1
                            T1547

                            Active Setup

                            1
                            T1547.014

                            Event Triggered Execution

                            1
                            T1546

                            Component Object Model Hijacking

                            1
                            T1546.015

                            Defense Evasion

                            Modify Registry

                            4
                            T1112

                            Credential Access

                            Discovery

                            Browser Information Discovery

                            1
                            T1217

                            Query Registry

                            3
                            T1012

                            System Information Discovery

                            2
                            T1082

                            System Location Discovery

                            1
                            T1614

                            System Language Discovery

                            1
                            T1614.001

                            System Network Configuration Discovery

                            1
                            T1016

                            Internet Connection Discovery

                            1
                            T1016.001

                            Lateral Movement

                            Collection

                            Command and Control

                            Web Service

                            1
                            T1102

                            Exfiltration

                            Impact

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0D095F36-15E8-45BE-B226-29CA87D7CC9A}\EDGEMITMP_A2DF3.tmp\setup.exe
                              Filesize

                              6.8MB

                              MD5

                              1b3e9c59f9c7a134ec630ada1eb76a39

                              SHA1

                              a7e831d392e99f3d37847dcc561dd2e017065439

                              SHA256

                              ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

                              SHA512

                              c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

                              Download Submit

                            • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
                              Filesize

                              618KB

                              MD5

                              9337a12f4d5760c2565be4f5183201f9

                              SHA1

                              388f7740c673df9098ee73c0517d100b0a49ec07

                              SHA256

                              57c6b3dfdc89cd19a9de70ee7a384af7be791c19dbc8d4ac22121922d6946d9f

                              SHA512

                              b8533b4c7dabd1dd86f94dc4958ff4c34bf6f59f4db6ab3a1290db5522fa4d277f91702e4c0957b6868cfa9e6ccbe5a4480a5a89ab9acd9347f0c2589e56f74d

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              c743f011d7ed53768d6263de076110e3

                              SHA1

                              06a2242398c6120019439f767d965dca0b09be9e

                              SHA256

                              50a22e70855487f9a451bcd09fb033c0aea8a1f3743821fd99faf0a4eb396813

                              SHA512

                              339942620fccb0c49d87f0c99370feeb5cb3aebf60064bf5ab3fddad7f8c3c1330284690b148068fc94e64fc2d9bc9657f5a6d038e1a653f314f5fe0c394f240

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              601ce2abb603e36824720f68d9572fab

                              SHA1

                              9139cb22b081ccba9c548252df3f74678c101cad

                              SHA256

                              fad8ae5bf8471db17a344746a32fdfae1b0e457498a25b5129909209506fbfc9

                              SHA512

                              17765022996fe81a0ce8e30d60970c19ef6b4df9ca2782063c6a724d70e2a1aad1db4282a7875caafde192dfb17cf495b6b53b71f0967b9411bfd963ba949b97

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                              Filesize

                              1KB

                              MD5

                              709e93910f0946a67e6a55bd86f8cc30

                              SHA1

                              f83195686a2e0d4fce7b3f10b79fd27fefb8a4b7

                              SHA256

                              76989b2c6cc7f2868e8a879c52a0d1463d651727f4d18bf01956891d5d077498

                              SHA512

                              77d98aa0972ff0154ea7d06e475a1e16da31a7958c32c4d2972e1369c5daae94536989b6c37bf6981afc3f9dcd4380f6ea7adc9ee71be55f062fb32a0032dbe1

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              5KB

                              MD5

                              043cf8c6667bc1db4367e9cf7104cd8f

                              SHA1

                              91117b4ded01371d0cf926c08d8cfc655e6f4cbe

                              SHA256

                              469de96bb62ebf4b3e9370679a041d2730dd440bca886d3de452255c3eca7a16

                              SHA512

                              c93a7b601565b5ec2c61226b0db3e6cb5a6a62fd899fa9b37f049ce14b2eb32b994b6f212489cb2d811db06abfff2f69822e539fa685c4684f994bc1f25b94a5

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              373c522e199b5aef0185b0f5c906b7f2

                              SHA1

                              c0c74df7b113bbc5494ef7df477c7753ffdb787f

                              SHA256

                              d1c750b7d2aecfcf7bedf2eaece2169a51fd1ab1e60e418bdf2427ca9903f29b

                              SHA512

                              c257bda74047aedda5e3a6995809440f5dd045ae43b61736dafa7745fb513db17a02703f9af00670f1a9f126ef93e88822a724d1925ad1db5f2df32e2ecff388

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                              Filesize

                              16B

                              MD5

                              6752a1d65b201c13b62ea44016eb221f

                              SHA1

                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                              SHA256

                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                              SHA512

                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                              Filesize

                              11KB

                              MD5

                              92db8aa00201b1b9a28228fddaf6ba94

                              SHA1

                              9e4aeb272a87510310496d74974c8aa5bdc5757c

                              SHA256

                              00c442a0a71fdc191726b3e7cb8baee0a14caea8c77543f661193068cc9561ae

                              SHA512

                              9c92e5e1756ca91885feca3c4fd54b3abf0028a8e46f834d8e371bc3297654581251cefcd562da2247c37e177e10fc35f47b11e62c00def921f00b844731a4b1

                              Download Submit

                            • C:\Windows\SystemTemp\msedge_installer.log
                              Filesize

                              72KB

                              MD5

                              dba6923e5bc6b35749143d51f085ad54

                              SHA1

                              69b97df6afa9cb13e08a858e4e28c36563263a9e

                              SHA256

                              f5dcb72366f02f3c6294eb18126bf1c2b6f19e8a5c1ad40def8715474a855934

                              SHA512

                              24219e221955feec6bda59ce248cabaf0d1b4fd6580507a17205b21b1e2afce37498d428732a1b91fc047594642ff808dcdb41f8cc05b1fa4466588606b70d91

                              Download Submit

                            • C:\Windows\SystemTemp\msedge_installer.log
                              Filesize

                              101KB

                              MD5

                              8ea7a54ac163425c4f6683aba0c96f8a

                              SHA1

                              b671b6a1945337851fa4d839e523827151b36d10

                              SHA256

                              4f4204827ed9033e92de77def779157d2a96e3f739b8a18f72c74ab98597d1a0

                              SHA512

                              d234e5e0c454eea86c5dd94643e600153ec39abcee786fa232bd12c97ce3190d3abc4880e396f653669686e097321160b96f6c3e8a53a639c4e999f5cf91d6c4

                              Download Submit

                            • C:\Windows\SystemTemp\msedge_installer.log
                              Filesize

                              104KB

                              MD5

                              937868a2240eaff0d9c23b339aba476f

                              SHA1

                              dc54da72282380ae3d61431cf95280985668d3dd

                              SHA256

                              d853e2350bbd3ee49ef2d7715b734c2d686e22ac49583a31ed5a2ab73a5af395

                              SHA512

                              b6d7d022a0395fd692fdf353d867c8b77957f69d7fd6859d21aad48fd207d65a25f56cda84f3a4c1699976f1b9f82515e2f4bf3c7fdcb089e6ba62069e42b691

                              Download Submit