Analysis

  • max time kernel
    260s
  • max time network
    300s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250211-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250211-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-02-2025 02:10

General

  • Target

    2435433.cmd

  • Size

    1.4MB

  • MD5

    9c9536010d9af231f17acc84538df07f

  • SHA1

    67f9f971395e8d8ffcd2568c5ec7b29f4f27d4cf

  • SHA256

    27eefc56a98faa80d9c9156d351a99408dd35d2e899a8a3e8b34d56e740f3334

  • SHA512

    6f89a9750fd6ca4092ae701b65abcd5ca95bf2e0c2b99403cd4d4ca99c887c3dc40bdffd90cf9c991d20a854b4db16b84e40156380b45ec1be48359f4a8389e4

  • SSDEEP

    24576:aindj4JTlehuO9XnxLD8tGAFIVodVWCFL6JCW2pDt4K:j4+Vxqqo5FGA3

Malware Config

Signatures

  • Guloader family
  • Guloader, Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 7 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Downloads MZ/PE file (1 IoC)
  • Event Triggered Execution: Component Object Model Hijacking (1 TTP)

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE (11 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object (2 TTPs, 8 IoCs)

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)

    Both flags (THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER on thread creation, ThreadHideFromDebugger via NtSetInformationThread) stop the thread's debug events from being delivered to an attached debugger; they are a common anti-analysis step in the shellcode stage.

  • Drops file in Program Files directory (64 IoCs)
  • Command and Scripting Interpreter: JavaScript (1 TTP)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer (2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 26 IoCs)
  • Modifies data under HKEY_USERS (2 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (22 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (29 IoCs)
  • System policy modification (1 TTP, 4 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
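
The part of this report worth turning into detection logic is the chain in the Processes section: cmd.exe running the .cmd from the user's Temp directory, cscript.exe executing p.js (dropped next to it in Temp), the NSIS stub maxthon.pif launched from Temp, and that stub starting a second copy of itself, which is the instance that carries the anti-debugger thread flags and the large memory regions. The following is an added example, not part of the Triage report: three process-creation rules run over constructed events that mirror that tree. PIDs, images, command lines and parent links come from the report; the parent PID 4000 for the top-level processes, the event field layout and the rule names are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
# PE executables wearing an extension that is rarely legitimate in a user's Temp
ODD_EXE_EXT = {".pif", ".scr", ".com"}
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SCRIPT_ARG = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events that mirror the report's tree. PIDs,
# images, command lines and parent links are taken from the Processes section;
# the parent PID of the top-level processes (4000) and this field layout are
# assumptions, not something the report shows.
EVENTS = [
    ProcEvent(1592, 4000, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2435433.cmd"'),
    ProcEvent(336, 1592, r"C:\Windows\system32\cscript.exe", "cscript p.js"),
    ProcEvent(692, 1592, r"C:\Users\Admin\AppData\Local\Temp\maxthon.pif", "maxthon.pif"),
    ProcEvent(3848, 692, r"C:\Users\Admin\AppData\Local\Temp\maxthon.pif", "maxthon.pif"),
    ProcEvent(3016, 4000, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness"),
]


def detect(events):
    """Return (pid, rule) pairs for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        parent_name = ntpath.basename(parent.image).lower() if parent else ""
        # Rule 1: cmd.exe hands a script file to a Windows Script Host interpreter
        # (the report's "cscript p.js"; p.js was dropped next to the .cmd in Temp).
        if name in SCRIPT_HOSTS and parent_name == "cmd.exe" and SCRIPT_ARG.search(e.cmdline):
            hits.append((e.pid, "script_host_from_cmd"))
        # Rule 2: an executable with a .pif/.scr/.com extension runs out of the
        # user's Temp directory (the report's NSIS stub maxthon.pif).
        if ntpath.splitext(name)[1] in ODD_EXE_EXT and USER_TEMP.search(e.image):
            hits.append((e.pid, "odd_ext_exe_from_user_temp"))
        # Rule 3: a process in a user-writable path starts a second copy of its
        # own image, the shape a loader takes when it injects into a fresh
        # instance of itself (maxthon.pif PID 692 -> PID 3848 in the report).
        if parent and e.image.lower() == parent.image.lower() and USER_TEMP.search(e.image):
            hits.append((e.pid, "self_spawn_from_user_temp"))
    return hits


def ancestry(events, pid):
    """Image names from the given process back to the root, for triage output."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"PID {pid}: {rule}  chain: {' <- '.join(ancestry(EVENTS, pid))}")
```

Rule 3 is the one with the best signal-to-noise ratio: legitimate software does relaunch itself (browsers, updaters), but almost never from a user's Temp directory, and the combination with rule 2 on the same PID is what makes PID 3848 the process whose memory dumps are worth pulling first.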

Processes

Only the cmd.exe tree (PID 1592 and its descendants: cscript.exe running p.js, and the two maxthon.pif instances) belongs to the sample. The MicrosoftEdgeUpdate.exe, Edge setup.exe, svchost.exe (AppReadiness), LocalBridge.exe and wwahost.exe entries are top-level (1⤵) processes with no parent link to cmd.exe; the two /ping arguments decode to Omaha update-protocol requests (installsource="limited" and installsource="scheduler"), so this is the sandbox image's own Edge update and Office Hub prelaunch. Signatures raised only by those processes (Active Setup, Browser Helper Object, Program Files and System32 drops, Internet Explorer settings, registry class and HKEY_USERS changes, system policy modification) should not be attributed to the sample.

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2435433.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1592
    • C:\Windows\system32\cscript.exe
      cscript p.js
      2⤵
        PID:336
      • C:\Users\Admin\AppData\Local\Temp\maxthon.pif
        maxthon.pif
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:692
        • C:\Users\Admin\AppData\Local\Temp\maxthon.pif
          maxthon.pif
          3⤵
          • Loads dropped DLL
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3848
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTFBNDdBNUItMEY3Qi00MzIwLThCMDYtNjI2QzE2NUM5MDQyfSIgdXNlcmlkPSJ7MDk0ODkzMUItRUI3NC00NjI2LTgxNjktMTIwQkIzODY1OTI2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTM5QTFFNUQtRDFBMi00QUY3LThDOUItRjg1MkQ3RDQ5NTJFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDMyMTY0MjEwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:4408
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{42185541-6B6A-45D9-829B-C3037939F202}\MicrosoftEdge_X64_132.0.2957.140.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{42185541-6B6A-45D9-829B-C3037939F202}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{42185541-6B6A-45D9-829B-C3037939F202}\EDGEMITMP_9743B.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{42185541-6B6A-45D9-829B-C3037939F202}\EDGEMITMP_9743B.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{42185541-6B6A-45D9-829B-C3037939F202}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Installs/modifies Browser Helper Object
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2868
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{42185541-6B6A-45D9-829B-C3037939F202}\EDGEMITMP_9743B.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{42185541-6B6A-45D9-829B-C3037939F202}\EDGEMITMP_9743B.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{42185541-6B6A-45D9-829B-C3037939F202}\EDGEMITMP_9743B.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6b9e2a818,0x7ff6b9e2a824,0x7ff6b9e2a830
          3⤵
          • Executes dropped EXE
          PID:2532
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{42185541-6B6A-45D9-829B-C3037939F202}\EDGEMITMP_9743B.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{42185541-6B6A-45D9-829B-C3037939F202}\EDGEMITMP_9743B.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:3052
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{42185541-6B6A-45D9-829B-C3037939F202}\EDGEMITMP_9743B.tmp\setup.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{42185541-6B6A-45D9-829B-C3037939F202}\EDGEMITMP_9743B.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{42185541-6B6A-45D9-829B-C3037939F202}\EDGEMITMP_9743B.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6b9e2a818,0x7ff6b9e2a824,0x7ff6b9e2a830
            4⤵
            • Executes dropped EXE
            PID:2656
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:724
          • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff681cba818,0x7ff681cba824,0x7ff681cba830
            4⤵
            • Executes dropped EXE
            PID:3760
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:472
          • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff681cba818,0x7ff681cba824,0x7ff681cba830
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            PID:1632
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1592
          • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff681cba818,0x7ff681cba824,0x7ff681cba830
            4⤵
            • Executes dropped EXE
            PID:224
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
      1⤵
        PID:3016
      • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
        "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4728
      • C:\Windows\system32\wwahost.exe
        "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3512
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTFBNDdBNUItMEY3Qi00MzIwLThCMDYtNjI2QzE2NUM5MDQyfSIgdXNlcmlkPSJ7MDk0ODkzMUItRUI3NC00NjI2LTgxNjktMTIwQkIzODY1OTI2fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InsxQ0RENDVFRS1CN0Q4LTRDOTgtQjBDOS0xQTE5MjAyOEE0MTd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS40MyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGNvaG9ydD0icnJmQDAuMDEiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMSIgcmQ9IjY2MTYiIHBpbmdfZnJlc2huZXNzPSJ7N0Y0QjU2NEQtQjE1Mi00NUI0LUFEQ0UtN0ExNkM5M0RCOTAzfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjAiIGlzX3Bpbm5lZF9zeXN0ZW09InRydWUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4Mzc1ODE4MDUxMTk0ODAiPjx1cGRhdGVjaGVjay8-[…]-[…]-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGU9IjY2MTUiIGNvaG9ydD0icnJmQDAuNTgiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMSIgcmQ9IjY2MTYiIHBpbmdfZnJlc2huZXNzPSJ7MDgwQTJFMEYtQTE1Qi00QkM3LTk5RjUtRDI1NkQ1QjlENDA0fSIvPjwvYXBwPjwvcmVxdWVzdD4
        1⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:4916
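
The two MicrosoftEdgeUpdate.exe /ping command lines above carry a long base64 argument. Decoding it is the quickest way to confirm they are the Edge updater's Omaha update-protocol requests rather than a beacon from the sample. The following is an added example and not part of the Triage report: it decodes the leading 464 characters of the PID 4408 argument (copied from the tree above and cut at a 4-character boundary so the prefix decodes on its own) and pulls the attributes of the <request> element. The full argument, and the PID 4916 one, decode the same way; the latter carries installsource="scheduler". The function names are the example's own.

```python
import base64
import re

# Leading 464 characters of the base64 argument that PID 4408 passed to
# MicrosoftEdgeUpdate.exe /ping in the report above, copied from the process
# tree and cut at a 4-character boundary so the prefix decodes on its own.
PING_ARG_PREFIX = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4w"
    "IiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249"
    "IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTFBNDdBNUItMEY3Qi00MzIwLThC"
    "MDYtNjI2QzE2NUM5MDQyfSIgdXNlcmlkPSJ7MDk0ODkzMUItRUI3NC00NjI2LTgxNjktMTIwQkIzODY1"
    "OTI2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTM5QTFFNUQtRDFBMi00QUY3"
    "LThDOUItRjg1MkQ3RDQ5NTJFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAi"
)


def decode_ping_arg(arg: str) -> str:
    """Decode the /ping argument.

    The argument uses the URL-safe base64 alphabet ('-' and '_' in place of
    '+' and '/', visible further into the full blob) with the '=' padding
    stripped, so the padding is restored before decoding. A length of
    1 mod 4 can never be valid base64, so it is rejected outright.
    """
    arg = arg.strip()
    if len(arg) % 4 == 1:
        raise ValueError("not a valid base64 length")
    arg += "=" * (-len(arg) % 4)
    return base64.urlsafe_b64decode(arg).decode("utf-8", errors="replace")


def request_attributes(xml_text: str) -> dict:
    """Attributes of the <request> element.

    Pulled with a regex rather than an XML parser so that a truncated blob
    (like the prefix above, which never reaches the closing '>') still
    yields its fields.
    """
    m = re.search(r"<request\b([^>]*)", xml_text)
    if not m:
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', m.group(1)))


def is_omaha_ping(arg: str) -> bool:
    """True when the argument is an Omaha (Google/Microsoft updater) protocol request."""
    attrs = request_attributes(decode_ping_arg(arg))
    return attrs.get("updater") == "Omaha" and attrs.get("protocol") == "3.0"


if __name__ == "__main__":
    text = decode_ping_arg(PING_ARG_PREFIX)
    print(text)
    attrs = request_attributes(text)
    for key in ("updater", "updaterversion", "ismachine", "installsource", "domainjoined"):
        print(f"{key} = {attrs.get(key)}")
```

The fields a practitioner cares about are installsource (which updater trigger produced the request; "limited" and "scheduler" are both updater-internal), ismachine="1" (system-level install, matching the --system-level setup.exe runs) and the sessionid/userid/requestid GUIDs, which are per-machine updater identifiers and not a sample-specific campaign ID.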

      Network

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{42185541-6B6A-45D9-829B-C3037939F202}\EDGEMITMP_9743B.tmp\setup.exe

        Filesize

        6.6MB

        MD5

        b4c8ad75087b8634d4f04dc6f92da9aa

        SHA1

        7efaa2472521c79d58c4ef18a258cc573704fb5d

        SHA256

        522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

        SHA512

        5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

        Filesize

        3.7MB

        MD5

        3646786aea064c0845f5bb1b8e976985

        SHA1

        a31ba2d2192898d4c0a01511395bdf87b0e53873

        SHA256

        a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f

        SHA512

        145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4

      • C:\Program Files\msedge_installer.log

        Filesize

        70KB

        MD5

        d290791201c884a77b7cc134a890c8ee

        SHA1

        c0779b60612926516076f79306a743693f3bf877

        SHA256

        c4197a4e30d9b3f7adea0c149fdc5c0d55762d90ed7ce951107711006c4804ac

        SHA512

        ae487200c94818ae2bdb971263affc1e67e0c2f4cf8264a3ed8535a8c2f5a9800f61dc1a86df3f722c9eedacc77ea12cbaee9f2feed25d780d8ea62b2733af7a

      • C:\Program Files\msedge_installer.log

        Filesize

        96KB

        MD5

        62b3f2ac4f0eef292de6fdebdb22a749

        SHA1

        1f7a413cb29983f2be84a03480aec1504401472d

        SHA256

        a602f7fdc82a6ff159983e62fbf14a6c08b66fe839d4c45f4890f64e92d56e9a

        SHA512

        c482b1b97d2056a1020ea55a3cace5946cdff493e7d19d684ed5ca90184cedaa4a2c793591630ebe38f7dc9e8ca0f2006c3e0821410175a8a29dddd156f1f898

      • C:\Program Files\msedge_installer.log

        Filesize

        101KB

        MD5

        daa68ea4ad38db222d5d1e853dca4d76

        SHA1

        b71ec85e71e5480a5475abe9534b4ddf9ca6c5d4

        SHA256

        c0fcd9927373a501bb36a57d2b8a7a3961ab2d6313144cb0850a9cdea3bd1add

        SHA512

        484ded662c8ab135de6e15e41df5c56e0a584299688d40a61d5534e0fd2035cd9d2c3acb6f2f7358f4b894fbe6aa0a1033f61aef915bd177e39677e7dd112d1f

      • C:\Program Files\msedge_installer.log

        Filesize

        102KB

        MD5

        832b8bb817fe2414978e65ccd9b2ad68

        SHA1

        6d04fca129cba5c507b17411cfcf3221282811b9

        SHA256

        bbdab6c7b23820e7a0b1b98b3c65f3275ac342de93ddb3b03c926ecaefe4d9f1

        SHA512

        1b32553c3753594981c7bf4e6aab247fa4b67c5c3e0f70bb69a6074d254f349fa5d0acae34774702c23e5b85d4f7a92936028a19aac719414f91d4e856143f2b

      • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

        Filesize

        520KB

        MD5

        5c6c04ad59c68be95d01153e9e70a33e

        SHA1

        8035769de2b9482be6d3ad1ad4ff692c5c0b7aaa

        SHA256

        33361bc49955447e10b02b8c09b30a6c0810230d30f8bc9d5c77a65563447193

        SHA512

        d2cda4bae0935c3a121aeeb922eab08c0f3202008da68b5fe7eb71e3e27e192fee782ca82437547e3ec4e0c25b1a2a6bdb719a6cd134ae472263475a2fa9ee65

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\furriery.ini

        Filesize

        38B

        MD5

        b1ef763e50c5aabcdf24507256cdecb5

        SHA1

        544323e0812a2d71bc5e156e42bbe25f6082afab

        SHA256

        65724906ac58f577bd6b805237a1d03107bd94276121ef81e1fbfd368672abb4

        SHA512

        71c29b23cc8d2f16bb9f4667d25a7d01cf593134425359fc735c6056d154addb113dce0a9899f90d0dac4b3e46a3849fdee9190f3bf067fdba3b89f5b1170c67

      • C:\Users\Admin\AppData\Local\Temp\maxthon.pif

        Filesize

        935KB

        MD5

        b2133aba6fde5e6b68bb3f5b1ed8ed29

        SHA1

        cce05c4dfe8286601e5e36d1d2f2486758cd53d1

        SHA256

        0cd8b00f33a98cc494f251b51a95d4454f2bee979dbee98555accee3dfe37db4

        SHA512

        3c51c879a3fdeff67b2b29a08fb0c48cfd83a4331832313c75df692fd429d89e24481c67ed7829a9de3c01c3ebabcd0d42459bbd3fa5b5713545568543bd1813

      • C:\Users\Admin\AppData\Local\Temp\nsk4571.tmp\LangDLL.dll

        Filesize

        5KB

        MD5

        b21a3377e66b941df6d5b7cf8ba7a43a

        SHA1

        e7ed27fce2db9cdc11ca3c640806731dcef3864a

        SHA256

        ba46a03088f690ce966043f49761ff3a3a0dca236160794de841dfecc3588d1e

        SHA512

        f011a824c0ff7f87c6da112898f4afc87e12c5b39fb40ffcc0955012e79a4302597d892224b3b47e8143480605c73275d3799d6d2000cdf179c2912241f86916

      • C:\Users\Admin\AppData\Local\Temp\nsk4571.tmp\System.dll

        Filesize

        12KB

        MD5

        792b6f86e296d3904285b2bf67ccd7e0

        SHA1

        966b16f84697552747e0ddd19a4ba8ab5083af31

        SHA256

        c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917

        SHA512

        97edc3410b88ca31abc0af0324258d2b59127047810947d0fb5e7e12957db34d206ffd70a0456add3a26b0546643ff0234124b08423c2c9ffe9bdec6eb210f2c

      • C:\Users\Admin\AppData\Local\Temp\p.js

        Filesize

        454B

        MD5

        512de64f32a0387d27f0d77251ea264c

        SHA1

        1f394a3cff8a9c0d7b5126859ec10356b9885cc4

        SHA256

        fc89b98b929495596a34a2dff20fe6100c79b730d7e5734d0bf7f0c001a5ad7d

        SHA512

        8b9f78ad373c1e11f441ef6fa9ea1d57776e11a1c0e39bc6de92aeba95a6d0c5228942869abd3e7ff82ca66b59545a9e8c0c5f6281b79baf3dbc7cfd933cabe9

      • C:\Users\Admin\AppData\Local\Temp\x

        Filesize

        1.3MB

        MD5

        ba1ce6811dc9aaa05b7d4cdfb7ae968a

        SHA1

        29a5707e4e64373a5078d681a2298606a3114e37

        SHA256

        a37670491331e8cffeb8c3f88cf0b6a370c2194e7a7defa9edded3fa3a0ad584

        SHA512

        c1148d1f44b4a1aacfb7e742b16b6c1440953cac403dfcdb5db84506bbe739a1657017724f64d6d147c6d711ddbe1a11cdd3d89c1a1ea2b266cef644e5f534f5

      • C:\Users\Admin\AppData\Local\Temp\x

        Filesize

        4KB

        MD5

        41a97e1be224a10b5d85c299777be2f5

        SHA1

        17b3fa04e615ca25dd3df863cf6f4cd44a8e1559

        SHA256

        45f6ff5579c3f4d01e9b098f96c5cc080ce1eba19f97231f95bcf152fd097ec6

        SHA512

        e93f28c2dc56a92f06f53e6ef9851bdc901f62dec94d784e0e85f3e1d4d23c37b36cd58368d865cc1c5b92cbc6460d74923be74abdbc889929c6e1b4488e097d

      • memory/3848-16674-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

      • memory/3848-16675-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

      • memory/3848-16673-0x0000000001660000-0x0000000005BD7000-memory.dmp

        Filesize

        69.5MB

      • memory/3848-16710-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

      • memory/3848-16672-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

      • memory/3848-16667-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

      • memory/3848-16657-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

      • memory/3848-16655-0x0000000001660000-0x0000000005BD7000-memory.dmp

        Filesize

        69.5MB

      • memory/4728-16736-0x000001CF41AA0000-0x000001CF41AAE000-memory.dmp

        Filesize

        56KB

      • memory/4728-16738-0x000001CF41F80000-0x000001CF41F88000-memory.dmp

        Filesize

        32KB

      • memory/4728-16737-0x000001CF41F50000-0x000001CF41F5A000-memory.dmp

        Filesize

        40KB

      • memory/4728-16739-0x000001CF5D340000-0x000001CF5D589000-memory.dmp

        Filesize

        2.3MB