Resubmissions

13-02-2025 00:07

250213-aetjqazndp 10

13-02-2025 00:06

250213-adthbs1jbt 10

13-02-2025 00:02

250213-abyn9szrhw 10

Analysis

  • max time kernel
    860s
  • max time network
    663s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250211-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250211-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-02-2025 00:06

General

  • Target

    All Files/Assets/Data/TMRegEx64.dll

  • Size

    803KB

  • MD5

    75e94d3ca12a7b80d5779302bad90495

  • SHA1

    3e85b6a3e84d455b6d5f6e3566f6309876d343ed

  • SHA256

    eab6419cd005e8a1ed4757cbb8d787036e61fa43e6555cb2689f3716054c1c04

  • SHA512

    3dada2a921c513642ef328d36854cda25533b67f68c33adeed75206b71e55ac2c002d29381b976374cc5683676abccb9b0049c664225dbdc512e6be75c357eb0

  • SSDEEP

    12288:6Wnt7tAjsdZNZlEXgof7J9S1rAsiAoSxQmJfXTOTxB91yj6L7P:6WltrZVEwgyAsiOJe263
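The Processes section shows how the sandbox ran this target: `rundll32.exe "…\TMRegEx64.dll",#1`, which loads the DLL (running DllMain) and then calls whatever it exports at ordinal 1. That rundll32.exe entry carries no signature tags, so before resubmitting with a different entry point it helps to know what the export table actually contains. The parser below is an added example, not part of this report or of any sandbox tooling: it walks the PE export directory with the standard library only, maps ordinals to names and flags forwarded exports. `build_sample_dll` constructs a minimal PE32+ image with invented export names so the code runs offline; point it at the real DLL by passing the path as the first argument.

```python
import struct
from typing import Dict, List, Tuple


def _rva_to_offset(sections: List[Tuple[int, int, int, int]], rva: int) -> int:
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_exports(data: bytes) -> Dict[int, dict]:
    """Return {ordinal: {name, rva, forwarder}} for every populated export slot."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]          # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]     # FileHeader.SizeOfOptionalHeader
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    datadir = opt + (112 if magic == 0x20B else 96)                 # PE32+ vs PE32 DataDirectory offset
    exp_rva, exp_size = struct.unpack_from("<II", data, datadir)   # entry 0 = export table
    if exp_rva == 0:
        return {}
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    exp = _rva_to_offset(sections, exp_rva)
    (_, _, _, _, _name_rva, base, nfunc, nnames,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from("<IIHHIIIIIII", data, exp)
    funcs = struct.unpack_from(f"<{nfunc}I", data, _rva_to_offset(sections, funcs_rva))
    names = struct.unpack_from(f"<{nnames}I", data, _rva_to_offset(sections, names_rva))
    ords = struct.unpack_from(f"<{nnames}H", data, _rva_to_offset(sections, ords_rva))
    # AddressOfNameOrdinals holds indexes into AddressOfFunctions, not ordinals
    name_of = {ords[i]: _cstr(data, _rva_to_offset(sections, names[i])) for i in range(nnames)}
    exports = {}
    for idx, rva in enumerate(funcs):
        if rva == 0:                      # unused slot in a sparse ordinal range
            continue
        # an address inside the export directory is a forwarder string, not code
        forwarder = _cstr(data, _rva_to_offset(sections, rva)) if exp_rva <= rva < exp_rva + exp_size else None
        exports[base + idx] = {"name": name_of.get(idx), "rva": rva, "forwarder": forwarder}
    return exports


def build_sample_dll() -> bytes:
    """Constructed minimal PE32+ image (names invented for this example) with one .edata
    section: ordinal 1 'Launch', ordinal 2 a nameless forwarder to KERNEL32.Sleep,
    ordinal 3 'Configure'."""
    exp_rva, raw_ptr = 0x1000, 0x200
    edata = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, exp_rva + 0x40, 1, 3, 2,
                                  exp_rva + 0x28, exp_rva + 0x34, exp_rva + 0x3C))
    edata += struct.pack("<3I", 0x2010, exp_rva + 0x5C, 0x2030)     # AddressOfFunctions
    edata += struct.pack("<2I", exp_rva + 0x4B, exp_rva + 0x55)     # AddressOfNames (sorted)
    edata += struct.pack("<2H", 2, 0)                               # AddressOfNameOrdinals
    edata += b"sample.dll\0Configure\0Launch\0KERNEL32.Sleep\0"
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    struct.pack_into("<II", opt, 112, exp_rva, len(edata))          # export data directory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".edata", len(edata), exp_rva, 0x200, raw_ptr,
                          0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr
    return headers.ljust(raw_ptr, b"\0") + bytes(edata).ljust(0x200, b"\0")


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dll()
    for ordinal, e in sorted(parse_exports(data).items()):
        target = f"-> {e['forwarder']}" if e["forwarder"] else f"RVA {e['rva']:#x}"
        print(f"#{ordinal:<4} {e['name'] or '(no name)':<24} {target}")
```

Ordinal 1 is whatever slot the linker put first; it is frequently an ordinary named export, and a rundll32 resubmission is only meaningful once you know which export name (or `#ordinal`) the DLL actually expects to be called with.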

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Downloads MZ/PE file 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
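The Active Setup, Browser Helper Object and COM hijacking signatures above are registry-write detections, and in the process tree they are attached to the Edge `setup.exe` chain (PID 3168, running with `--system-level --channel=stable`), not to the rundll32.exe process that loaded the sample. Separating a vendor registration from a planted one usually comes down to where the registered StubPath, BHO server or InprocServer32 DLL lives and which hive holds it. The script below is an added example, not part of this report; it triages a `.reg` export of those keys. The export embedded in it is constructed (GUIDs and paths invented, modelled on a system-level Edge install plus a commodity implant), and the rule that only Program Files and Windows count as trusted roots is a deliberately blunt assumption to be tuned per environment.

```python
import re
from typing import Dict, List

# Constructed .reg export for this example: the GUIDs and paths are invented and
# are not taken from the report. Two Active Setup components, one BHO with its
# CLSID server, and one per-user CLSID registration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
@="Microsoft Edge"
"StubPath"="\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --system-level --msedge --channel=stable"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{DEADBEEF-0000-0000-0000-000000000001}]
"StubPath"="C:\\Users\\Admin\\AppData\\Roaming\\svc\\upd.exe /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO\\ie_to_edge_bho_64.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{BBBBBBBB-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Users\\Admin\\AppData\\Local\\Temp\\helper.dll"
"ThreadingModel"="Apartment"
'''

# Assumption for the example: only these roots are treated as vendor-controlled.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
ACTIVE_SETUP_RE = re.compile(r"\\Active Setup\\Installed Components\\(\{[0-9A-F-]+\})$", re.I)
BHO_RE = re.compile(r"\\Explorer\\Browser Helper Objects\\(\{[0-9A-F-]+\})$", re.I)
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]+\})\\InprocServer32$", re.I)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers and REG_SZ values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (line.startswith('"') or line.startswith("@")) and "=" in line:
            name, _, value = line.partition("=")
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                # .reg escapes backslashes and double quotes with a backslash
                keys[current][name.strip('"')] = re.sub(r"\\(.)", r"\1", value[1:-1])
    return keys


def command_image(cmd: str) -> str:
    """Executable of a command line, honouring a quoted first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def is_trusted_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def triage(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Flag Active Setup stubs and BHO servers outside trusted roots, and any
    per-user CLSID server, which is the COM hijacking primitive."""
    servers = {}  # CLSID -> (hive, dll path) for every InprocServer32 key seen
    for key, values in keys.items():
        m = INPROC_RE.search(key)
        if m and "@" in values:
            servers[m.group(1).upper()] = (key.split("\\", 1)[0], values["@"])
    findings = []
    for key, values in keys.items():
        m = ACTIVE_SETUP_RE.search(key)
        if m and "StubPath" in values:
            image = command_image(values["StubPath"])
            findings.append({"kind": "active_setup", "id": m.group(1).upper(), "image": image,
                             "suspicious": not is_trusted_path(image)})
        m = BHO_RE.search(key)
        if m:
            clsid = m.group(1).upper()
            _, dll = servers.get(clsid, ("", ""))
            findings.append({"kind": "bho", "id": clsid, "image": dll,
                             "suspicious": not dll or not is_trusted_path(dll)})
    for clsid, (hive, dll) in servers.items():
        if hive.upper() == "HKEY_CURRENT_USER":
            # HKCU\Software\Classes wins over HKLM for that user, so a per-user
            # InprocServer32 silently replaces the machine-wide server
            findings.append({"kind": "com_user_override", "id": clsid, "image": dll, "suspicious": True})
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg(SAMPLE_REG)):
        print(("SUSPICIOUS " if f["suspicious"] else "ok         ") + f"{f['kind']:<18} {f['id']} -> {f['image']}")
```

On a real host, feed it `reg export` output of `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components`, the Browser Helper Objects key and both `CLSID` trees; legitimate per-user COM registrations do exist, so treat `com_user_override` as a review queue rather than a verdict.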

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\All Files\Assets\Data\TMRegEx64.dll",#1
    1⤵
      PID:3612
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTc0MTA0MTMyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:1384
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9958DB5F-D15B-436A-A3F4-830BD9F6F39D}\MicrosoftEdge_X64_133.0.3065.59.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9958DB5F-D15B-436A-A3F4-830BD9F6F39D}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      1⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9958DB5F-D15B-436A-A3F4-830BD9F6F39D}\EDGEMITMP_A4335.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9958DB5F-D15B-436A-A3F4-830BD9F6F39D}\EDGEMITMP_A4335.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9958DB5F-D15B-436A-A3F4-830BD9F6F39D}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Installs/modifies Browser Helper Object
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3168
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9958DB5F-D15B-436A-A3F4-830BD9F6F39D}\EDGEMITMP_A4335.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9958DB5F-D15B-436A-A3F4-830BD9F6F39D}\EDGEMITMP_A4335.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9958DB5F-D15B-436A-A3F4-830BD9F6F39D}\EDGEMITMP_A4335.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff65d8a6a68,0x7ff65d8a6a74,0x7ff65d8a6a80
          3⤵
          • Executes dropped EXE
          PID:4352
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9958DB5F-D15B-436A-A3F4-830BD9F6F39D}\EDGEMITMP_A4335.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9958DB5F-D15B-436A-A3F4-830BD9F6F39D}\EDGEMITMP_A4335.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:1732
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9958DB5F-D15B-436A-A3F4-830BD9F6F39D}\EDGEMITMP_A4335.tmp\setup.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9958DB5F-D15B-436A-A3F4-830BD9F6F39D}\EDGEMITMP_A4335.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9958DB5F-D15B-436A-A3F4-830BD9F6F39D}\EDGEMITMP_A4335.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff65d8a6a68,0x7ff65d8a6a74,0x7ff65d8a6a80
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            PID:112
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3648
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0xcc,0x230,0x7ff635536a68,0x7ff635536a74,0x7ff635536a80
            4⤵
            • Executes dropped EXE
            PID:2164
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2280
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff635536a68,0x7ff635536a74,0x7ff635536a80
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            PID:1648
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:956
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff635536a68,0x7ff635536a74,0x7ff635536a80
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            PID:2500
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
      1⤵
        PID:3312
      • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
        "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4864
      • C:\Windows\system32\wwahost.exe
        "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2624
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{97BEAB26-029D-40E1-92A4-16A84FF125EB}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{97BEAB26-029D-40E1-92A4-16A84FF125EB}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{97BEAB26-029D-40E1-92A4-16A84FF125EB}\EDGEMITMP_2F55C.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{97BEAB26-029D-40E1-92A4-16A84FF125EB}\EDGEMITMP_2F55C.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{97BEAB26-029D-40E1-92A4-16A84FF125EB}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --previous-version="132.0.2957.140" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
          2⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3048
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{97BEAB26-029D-40E1-92A4-16A84FF125EB}\EDGEMITMP_2F55C.tmp\setup.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{97BEAB26-029D-40E1-92A4-16A84FF125EB}\EDGEMITMP_2F55C.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{97BEAB26-029D-40E1-92A4-16A84FF125EB}\EDGEMITMP_2F55C.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff71fa46a68,0x7ff71fa46a74,0x7ff71fa46a80
            3⤵
            • Executes dropped EXE
            PID:4904
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0Y2MTExMEYtMzM2QS00QkEzLTg5QTktMkYyOTBDRkU5ODA2fSIgdXNlcmlkPSJ7QkZCRUM2QzEtREQ0MS00MzE5LUFBQTgtRDBBRUU5Q0UzNzZBfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins4REZGRTQyMS0zREQ3LTQyNTMtOTdGRS01REIzNEE4OThDQTR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS40MyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGNvaG9ydD0icnJmQDAuMjUiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMiIgcmQ9IjY2MTYiIHBpbmdfZnJlc2huZXNzPSJ7ODhBQTU3QjUtRUVDRS00NTkyLThBOUMtQUI0QzdCMDRBMTVGfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEzMy4wLjMwNjUuNTkiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMSIgaXNfcGlubmVkX3N5c3RlbT0idHJ1ZSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzgzNzYxODQyNjQ1NDQyMCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQ0Mjg1NDAzNCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDQzMDEwMjA0IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2MzU0NzI4NjE3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvZmVkNTU4MDUtMmU4NS00MWQ4LWI0ZTMtNGVmNmI1ZWJmNjNhP1AxPTE3NDAwMTAxNjcmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9aFh2OG9MeEFyajhwJTJmS1B3TCUyZkw2b3E2SVBBOXA0R0xtbUpqQlBmYlZDa09YRXhLWTJDTDRPdjRhQzBhZ3JOYjllRmNUQVVRZzhHWTElMmZCTUlRWGtEY0ElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIwIiB0b3RhbD0iMCIgZG93bmxvYWRfdGltZV9tcz0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2MzU0NzI4NjE3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9mZWQ1NTgwNS0yZTg1LTQxZDgtYjRlMy00ZWY2YjVlYmY2M2E_…-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2OTc2NDQ3OTM3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMTY4OTEiIGRvd25sb2FkX3RpbWVfbXM9IjkxMTg3IiBkb3dubG9hZGVkPSIxNzg2MDQwODgiIHRvdGFsPSIxNzg2MDQwODgiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjYwNzk2Ii8-PHBpbmcgYWN0aXZlPSIxIiBhPSIyIiByPSIyIiBhZD0iNjYxNiIgcmQ9IjY2MTYiIHBpbmdfZnJlc2huZXNzPSJ7NThFQTkwMTUtMjQ5Qy00RjgxLTk5RjgtNTY5MjRGNkJCOEY4fSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IjEzMy4wLjMwNjUuNTkiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZT0iNjYxNSIgY29ob3J0PSJycmZAMC41MCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQ0Mjg1NDAzNCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2OTc2NDQ3OTM3IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-…_…-…-
        1⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:4660
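The `/ping` arguments that MicrosoftEdgeUpdate.exe (PID 1384 and PID 4660) passes itself are Omaha update-protocol requests: XML wrapped in URL-safe base64 (`-` and `_` in place of `+` and `/`, padding stripped). The start of the PID 4660 argument decodes to `<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" updater="Omaha" …`, and its later `eventtype="14"` download events carry a `url=` attribute under msedge.b.tlu.dl.delivery.mp.microsoft.com, which is what the "Downloads MZ/PE file" and "Internet Connection Discovery" hits reflect. Note that every process marked `1⤵` is a top-level process: the updater chain is a sibling of, not a child of, the rundll32.exe that loaded the sample. The decoder below is an added example, not part of this report or of Omaha; the two embedded fragments are the visible tail of the PID 1384 argument and the visible head of the PID 4660 argument exactly as they appear on this page (both are cut off here), so the extractor is written to tolerate fragments with no opening or closing tag.

```python
import base64
import html
import re
from typing import Dict, List, Tuple

# Fragments copied from the process tree on this page: the visible tail of the
# /ping argument of PID 1384 and the visible head of the one for PID 4660.
PING_TAIL_1384 = (
    "PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249"
    "IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVu"
    "dD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFs"
    "bF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3Vs"
    "dD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tz"
    "PSI1MTc0MTA0MTMyIi8-PC9hcHA-PC9yZXF1ZXN0Pg"
)
PING_HEAD_4660 = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4w"
    "IiB1cGRhdGVyPSJPbWFoYSIg"
)

TAG_RE = re.compile(r"<([A-Za-z_][\w:-]*)([^<>]*)")   # opening and self-closing tags only
ATTR_RE = re.compile(r'([\w:-]+)="([^"]*)"')


def decode_ping(arg: str) -> str:
    """Omaha /ping arguments are URL-safe base64 with the '=' padding stripped;
    restore the padding before decoding."""
    s = arg.strip()
    s += "=" * (-len(s) % 4)
    return base64.urlsafe_b64decode(s).decode("utf-8", errors="replace")


def extract_elements(xml_text: str) -> List[Tuple[str, Dict[str, str]]]:
    """(tag, attributes) per element, via regex rather than an XML parser, so a
    fragment missing its opening <request> or a trailing '>' still yields attributes."""
    elements = []
    for m in TAG_RE.finditer(xml_text):
        attrs = {k: html.unescape(v) for k, v in ATTR_RE.findall(m.group(2))}
        elements.append((m.group(1), attrs))
    return elements


def summarize(xml_text: str) -> Dict[str, object]:
    """The fields an analyst checks first: which apps the updater reports on,
    the event results, and any download URLs it discloses."""
    report = {"request": {}, "os": {}, "apps": [], "events": [], "urls": []}
    app = None
    for tag, attrs in extract_elements(xml_text):
        if tag == "request":
            report["request"] = {k: attrs[k] for k in ("protocol", "updater", "updaterversion") if k in attrs}
        elif tag == "os":
            report["os"] = attrs
        elif tag == "app":
            app = {k: attrs.get(k, "") for k in ("appid", "version", "nextversion", "brand")}
            report["apps"].append(app)
        elif tag == "event":
            event = {k: attrs.get(k, "") for k in ("eventtype", "eventresult", "errorcode")}
            event["appid"] = app["appid"] if app else ""
            report["events"].append(event)
            if attrs.get("url"):                      # download events name their source
                report["urls"].append(attrs["url"])
    return report


if __name__ == "__main__":
    for label, arg in (("PID 1384 tail", PING_TAIL_1384), ("PID 4660 head", PING_HEAD_4660)):
        print(label, summarize(decode_ping(arg)))
```

Run against the full PID 4660 argument from the report, the `urls` list is the quickest way to confirm that the PE downloads recorded in the run came from the Edge delivery CDN rather than from the sample.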

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Installer\msedge_7z.data

        Filesize

        3KB

        MD5

        a43e9ce8d33ed6eb2b8f5133450d64dd

        SHA1

        f2b9a2eab4b80d7bef0a6e076423993b77f66332

        SHA256

        39bace95aa685a42bb379404c0e4f2a11254a7d5ab9a9b5551d311d1dbc05bb6

        SHA512

        9db1c9de9521cd7bd4af5062693d3557ab196fd552bb6000c1d4266426127c9c7c6eada263e90f99bf941fb1c863d10463940e164a03e0742ee070a35fbcdf6e

      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{97BEAB26-029D-40E1-92A4-16A84FF125EB}\EDGEMITMP_2F55C.tmp\SETUP.EX_

        Filesize

        2.7MB

        MD5

        1a59a8af3c58b30ff0fe71db2196b24b

        SHA1

        6b0e5ba36f4fc5328ec494272054a50cafa13e68

        SHA256

        ba25974b29a25cb7bc1f58a0990a8ce758354aa6ec5b8b8af210f2c1466ba49d

        SHA512

        f173fe15db8d7aeef4f6fa62a41246550ccee207e6388095a5f87036362d4c95da646e1a7c68764054556e024da80b749646425076e9bfac42fb77be8f2c0355

      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9958DB5F-D15B-436A-A3F4-830BD9F6F39D}\EDGEMITMP_A4335.tmp\setup.exe

        Filesize

        6.8MB

        MD5

        1b3e9c59f9c7a134ec630ada1eb76a39

        SHA1

        a7e831d392e99f3d37847dcc561dd2e017065439

        SHA256

        ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

        SHA512

        c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

        Filesize

        3.9MB

        MD5

        ad5f7dc7ca3e67dce70c0a89c04519e0

        SHA1

        a10b03234627ca8f3f8034cd5637cda1b8246d83

        SHA256

        663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31

        SHA512

        ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

      • C:\Program Files\msedge_installer.log

        Filesize

        107KB

        MD5

        a93b2e049848c8909afaf708096819f2

        SHA1

        8f221c58b95d8d038d9ad3e5478d82efbfea26b0

        SHA256

        a66ee426e2c80dd823a3cc9639ad7b9867e7ba0c4566cbaaf10d4e081f43e12d

        SHA512

        0522e99c0efa9a7a4121d571b736b926c63a1294bf9967f11e154b4f84682c6061342c91010295d0c1334c51ba6c4ea3213be792712e4fec9a81ceef5d940d23

      • C:\Program Files\msedge_installer.log

        Filesize

        72KB

        MD5

        10c4833733e15c93333320a5709a4038

        SHA1

        8665cb6257c097293138bf0b75fee5ce466efa66

        SHA256

        5c4e2f5edb3efa9e3e29bd78040d90559b455cc3cd7273a7935139a1bd9d9599

        SHA512

        a17857ad87af05909e14217901592eee733e24dca2d0b5ea42963e58e43f03c262046974fc997eff0f4bffb8a424e894a50034f4fe3e8bb3ac5fa6d5a179a895

      • C:\Program Files\msedge_installer.log

        Filesize

        104KB

        MD5

        2a0eda08691f2f82d346209a674c7c59

        SHA1

        7e4558afcf529f56587dc9cbd3c0e386af20936e

        SHA256

        8d18ff4813d0e0e7b78d3c9847ccffcbc689636f96cbdef5ea691124543a44c1

        SHA512

        af28e91d452a9176b878fef1132dff39e5ff6ab8e1021c392236825926c2f6667a94e9a7dab1c67914d8175983ac063a46c423ace5f1f2dcde2841272d943c71

      • C:\Program Files\msedge_installer.log

        Filesize

        103KB

        MD5

        9ddd676f71ad818ab3dcfb255408b329

        SHA1

        07944f20e86e1aafd3beba0fe6d6eed3487beb49

        SHA256

        5d97c2a2c48564658b1d36eaa7ab5f82bb7ac8b515187ca20c0fa171f933fa96

        SHA512

        29921c9cc25ea4e26ada5fc7b080925cf93c97a12fe3fb6761d5c3805050d7276c3d6872b312532fa717828303d6d08f37b54a52e727066d237745836def907e

      • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

        Filesize

        631KB

        MD5

        9e44bfa8ec63eb4bdda36874b09903cc

        SHA1

        f75eae86760ed6c82f1c83586ad2c2dc7e6bd02f

        SHA256

        b6094bc6b989c997e77bb8854321d546387a4e341371484e048e20388848f5fd

        SHA512

        4227e10e3a4f8d79b7a9a1e254afc65d7594961c695f327b3a9de14fa8d11d08d9e5ae37f87a68be8984db41ef0a276c31ce0e5f56d619da0ca6c03db0331e36

      • memory/4864-72-0x000001E1F95E0000-0x000001E1F95EE000-memory.dmp

        Filesize

        56KB

      • memory/4864-75-0x000001E1FD000000-0x000001E1FD249000-memory.dmp

        Filesize

        2.3MB

      • memory/4864-73-0x000001E1FBAF0000-0x000001E1FBAFA000-memory.dmp

        Filesize

        40KB

      • memory/4864-74-0x000001E1FBB20000-0x000001E1FBB28000-memory.dmp

        Filesize

        32KB