Overview

overview

10

Static

static

10

Release.zip

windows11-21h2-x64

8

plugins/Chat.dll

windows11-21h2-x64

8

plugins/Fi...er.dll

windows11-21h2-x64

8

plugins/Fun.dll

windows11-21h2-x64

3

plugins/Hvnc.dll

windows11-21h2-x64

8

plugins/InfoGrab.dll

windows11-21h2-x64

8

plugins/KeyLogger.dll

windows11-21h2-x64

8

plugins/Ke...ne.dll

windows11-21h2-x64

8

plugins/Li...ne.dll

windows11-21h2-x64

3

plugins/Pr...er.dll

windows11-21h2-x64

8

plugins/Re...er.dll

windows11-21h2-x64

8

plugins/Re...xy.dll

windows11-21h2-x64

8

plugins/Sc...ol.dll

windows11-21h2-x64

8

plugins/Shell.dll

windows11-21h2-x64

8

plugins/Startup.dll

windows11-21h2-x64

8

plugins/Sy...er.dll

windows11-21h2-x64

3

plugins/Uacbypass.dll

windows11-21h2-x64

8

plugins/WebCam.dll

windows11-21h2-x64

8

stub/xeno ...nt.exe

windows11-21h2-x64

10

xeno rat server.exe

windows11-21h2-x64

8

Analysis

  • max time kernel
    426s
  • max time network
    427s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250210-en
  • resource tags

    arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15-02-2025 09:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    plugins/Shell.dll

  • Size

    9KB

  • MD5

    5e3e4438045c426410122210759cc0c8

  • SHA1

    c7858413c6b724135afeb1f878f986b0ae1bfa46

  • SHA256

    81bb6bed470afa97db39d7048dd8d9b7c7786fe8297f51390b5c83b450cdb5e0

  • SHA512

    d0a656048deaab2916bd98f5205bda41686891eff65ee7608117157e4f04ee22dfcd8b9bdccbce1bdd065a1573229c3996122b907a303b8494ad7b730fe5d929

  • SSDEEP

    96:25ATBzB7uwBHfse4hDjl2KQ1dndjVvIibvibKh0c9v5g+m2rwBGbEbrxtZfvPn2k:25kFDMlor1ZT5guvbEJtZ/2WYC

Score
8/10
adwarediscoverypersistenceprivilege_escalationstealer

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Downloads MZ/PE file 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 44 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 4 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\Shell.dll,#1
    1⤵
      PID:1844
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkMxRUZBNzQtOTA2MC00MEY0LTk1RTctQ0JGNUVCMTM5MTM1fSIgdXNlcmlkPSJ7RUU1MDk5RTYtNDBCQy00QjdCLTg5RDMtQkVFRUJFQUYwODEyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Q0I2MjU4N0EtOUVFOC00RjhGLTg0RTgtODI0NTNDMkYzOEVBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjQiIGluc3RhbGxkYXRldGltZT0iMTczOTE4NDA0OCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NTg2OTkzMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUzMzY3OTQ2NDgiLz48L2FwcD48L3JlcXVlc3Q-
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:4644
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59D63AE-6329-4142-9EE2-1DE76671C1B2}\MicrosoftEdge_X64_133.0.3065.59.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59D63AE-6329-4142-9EE2-1DE76671C1B2}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59D63AE-6329-4142-9EE2-1DE76671C1B2}\EDGEMITMP_27883.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59D63AE-6329-4142-9EE2-1DE76671C1B2}\EDGEMITMP_27883.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59D63AE-6329-4142-9EE2-1DE76671C1B2}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Installs/modifies Browser Helper Object
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1640
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59D63AE-6329-4142-9EE2-1DE76671C1B2}\EDGEMITMP_27883.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59D63AE-6329-4142-9EE2-1DE76671C1B2}\EDGEMITMP_27883.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59D63AE-6329-4142-9EE2-1DE76671C1B2}\EDGEMITMP_27883.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6d8996a68,0x7ff6d8996a74,0x7ff6d8996a80
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:1820
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59D63AE-6329-4142-9EE2-1DE76671C1B2}\EDGEMITMP_27883.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59D63AE-6329-4142-9EE2-1DE76671C1B2}\EDGEMITMP_27883.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:3720
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59D63AE-6329-4142-9EE2-1DE76671C1B2}\EDGEMITMP_27883.tmp\setup.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59D63AE-6329-4142-9EE2-1DE76671C1B2}\EDGEMITMP_27883.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59D63AE-6329-4142-9EE2-1DE76671C1B2}\EDGEMITMP_27883.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6d8996a68,0x7ff6d8996a74,0x7ff6d8996a80
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2948
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1924
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff74f4a6a68,0x7ff74f4a6a74,0x7ff74f4a6a80
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:388
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:1944
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff74f4a6a68,0x7ff74f4a6a74,0x7ff74f4a6a80
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:3504
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:4316
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff74f4a6a68,0x7ff74f4a6a74,0x7ff74f4a6a80
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2232
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1059A09C-A33D-402B-9BD6-FEDF08BD611E}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1059A09C-A33D-402B-9BD6-FEDF08BD611E}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3136
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1059A09C-A33D-402B-9BD6-FEDF08BD611E}\EDGEMITMP_7EC30.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1059A09C-A33D-402B-9BD6-FEDF08BD611E}\EDGEMITMP_7EC30.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1059A09C-A33D-402B-9BD6-FEDF08BD611E}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --previous-version="132.0.2957.140" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
        2⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:416
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1059A09C-A33D-402B-9BD6-FEDF08BD611E}\EDGEMITMP_7EC30.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1059A09C-A33D-402B-9BD6-FEDF08BD611E}\EDGEMITMP_7EC30.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1059A09C-A33D-402B-9BD6-FEDF08BD611E}\EDGEMITMP_7EC30.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff603486a68,0x7ff603486a74,0x7ff603486a80
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:2988
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkMxRUZBNzQtOTA2MC00MEY0LTk1RTctQ0JGNUVCMTM5MTM1fSIgdXNlcmlkPSJ7RUU1MDk5RTYtNDBCQy00QjdCLTg5RDMtQkVFRUJFQUYwODEyfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntEOUNBRDg5MS00QTg0LTREMkUtQTgxNi05NDRFODFCQ0FDN0R9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNCIgY29ob3J0PSJycmZAMC41MiI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSI1IiByZD0iNjYxNSIgcGluZ19mcmVzaG5lc3M9Ins0NzY3QTlEMi1BN0U1LTRGNkEtQUYxRi1FMTFGOTFCRjA4RkN9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iMTMzLjAuMzA2NS41OSIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSI0IiBpc19waW5uZWRfc3lzdGVtPSJ0cnVlIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM2NjAwMDA3NzY0OTYwIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDAwNzAxMTU1IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0MDA3MDExNTUiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjYzMDQ0NTEwMTIiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9mZWQ1NTgwNS0yZTg1LTQxZDgtYjRlMy00ZWY2YjVlYmY2M2E_UDE9MTc0MDIxODIxNCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1JaTY0N2N0MDRMbGF4JTJmNERKWUslMmZaR0JRNkxrc1pEMTZHUzIySlYlMmY4em5ZNyUyZjJaRWZVM2tUSmR6OTdVMjNCbGclMmIwSE9lTlRGVnlwJTJiN0MlMmJIQmM3d25BJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjE1Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjYzMDQ2MDcxMzkiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2ZlZDU1ODA1LTJlODUtNDFkOC1iNGUzLTRlZjZiNWViZjYzYT9QMT0xNzQwMjE4MjE0JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PUlpNjQ3Y3QwNExsYXglMmY0REpZSyUyZlpHQlE2TGtzWkQxNkdTMjJKViUyZjh6blk3JTJmMlpFZlUza1RKZHo5N1UyM0JsZyUyYjBIT2VOVEZWeXAlMmI3QyUyYkhCYzd3bkElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzg2MDQwODgiIHRvdGFsPSIxNzg2MDQwODgiIGRvd25sb2FkX3RpbWVfbXM9IjgzOTg1Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjYzMDQ2MDcxMzkiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjMxNzU3NjU5NCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjk1MTMyNjEyNSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjU4NzUiIGRvd25sb2FkX3RpbWVfbXM9IjkwMzkwIiBkb3dubG9hZGVkPSIxNzg2MDQwODgiIHRvdGFsPSIxNzg2MDQwODgiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjYzMzc1Ii8-PHBpbmcgYWN0aXZlPSIxIiBhPSI1IiByPSI1IiBhZD0iNjYxNSIgcmQ9IjY2MTUiIHBpbmdfZnJlc2huZXNzPSJ7MkJFRkJDMEYtNUI0Ni00QTQzLUJDQUUtMjc0MkEwMDBCRTg2fSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IjEzMy4wLjMwNjUuNTkiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBjb2hvcnQ9InJyZkAwLjUzIiB1cGRhdGVfY291bnQ9IjEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0MDA3MDExNTUiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjk1MTMyNjEyNSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAyMzgzOCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNzMxMTQ4MjMwMCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iZG8iIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2E0NzJlY2VjLWFlNjktNDQ5ZS1iN2EyLTRlODZkZmVlNThhOT9QMT0xNzQwMjE4MjE0JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWRIWGI5anBNYUlvQUtVMVc0VUxqdFlZNnNCVDJkZ3lKUDZpOXpBVDhPRFVxZDVKanRaWGdLOVNkZjJxMmVoQ2xFNVhoUk9hamJjeDdRcUV1QWF1ZEhnJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNzMxMTQ4MjMwMCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvYTQ3MmVjZWMtYWU2OS00NDllLWI3YTItNGU4NmRmZWU1OGE5P1AxPTE3NDAyMTgyMTQmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9ZEhYYjlqcE1hSW9BS1UxVzRVTGp0WVk2c0JUMmRneUpQNmk5ekFUOE9EVXFkNUpqdFpYZ0s5U2RmMnEyZWhDbEU1WGhST2FqYmN4N1FxRXVBYXVkSGclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSI1ODQ5ODEyOCIgdG90YWw9IjU4NDk4MTI4IiBkb3dubG9hZF90aW1lX21zPSIzNTQ4NCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3MzExNjM4NDQ5IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjczMTkyOTQ4NDQiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9Ijc4MjM4MzAwMjYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI1ODc1IiBkb3dubG9hZF90aW1lX21zPSIzNjAzMiIgZG93bmxvYWRlZD0iNTg0OTgxMjgiIHRvdGFsPSI1ODQ5ODEyOCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNTA0NTQiLz48cGluZyByPSI1IiByZD0iNjYxNSIgcGluZ19mcmVzaG5lc3M9IntCMDY1MTgxOC1FRkNELTQzNUYtOUM4Mi00RjAzQUY4RUFENER9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:2192

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Installer\msedge_7z.data
      Filesize

      3KB

      MD5

      a43e9ce8d33ed6eb2b8f5133450d64dd

      SHA1

      f2b9a2eab4b80d7bef0a6e076423993b77f66332

      SHA256

      39bace95aa685a42bb379404c0e4f2a11254a7d5ab9a9b5551d311d1dbc05bb6

      SHA512

      9db1c9de9521cd7bd4af5062693d3557ab196fd552bb6000c1d4266426127c9c7c6eada263e90f99bf941fb1c863d10463940e164a03e0742ee070a35fbcdf6e

      Download Submit

    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1059A09C-A33D-402B-9BD6-FEDF08BD611E}\EDGEMITMP_7EC30.tmp\SETUP.EX_
      Filesize

      2.7MB

      MD5

      1a59a8af3c58b30ff0fe71db2196b24b

      SHA1

      6b0e5ba36f4fc5328ec494272054a50cafa13e68

      SHA256

      ba25974b29a25cb7bc1f58a0990a8ce758354aa6ec5b8b8af210f2c1466ba49d

      SHA512

      f173fe15db8d7aeef4f6fa62a41246550ccee207e6388095a5f87036362d4c95da646e1a7c68764054556e024da80b749646425076e9bfac42fb77be8f2c0355

      Download Submit

    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59D63AE-6329-4142-9EE2-1DE76671C1B2}\EDGEMITMP_27883.tmp\setup.exe
      Filesize

      6.8MB

      MD5

      1b3e9c59f9c7a134ec630ada1eb76a39

      SHA1

      a7e831d392e99f3d37847dcc561dd2e017065439

      SHA256

      ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

      SHA512

      c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

      Download Submit

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Filesize

      3.9MB

      MD5

      ad5f7dc7ca3e67dce70c0a89c04519e0

      SHA1

      a10b03234627ca8f3f8034cd5637cda1b8246d83

      SHA256

      663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31

      SHA512

      ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

      Download Submit

    • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
      Filesize

      513KB

      MD5

      caf76cc108a7d6805eba14f29f4be9ba

      SHA1

      062e34ecc53da9861f72a594068a19ead1230b83

      SHA256

      41cde9c09dd556e1bcc43fcbeaf570ea3a87edc8bd92e7a186538adecc9baee5

      SHA512

      da7672fb8c87f87a2d5a218bf05547b0ef54f9d4f71e5e0383669ef87daa89248481ed5d32e697822aa84b01172d4d6dc4aedca9979fad4b60ee35a2569203de

      Download Submit

    • C:\Windows\SystemTemp\msedge_installer.log
      Filesize

      76KB

      MD5

      7eba6f746f191cd0f7058d4d35bc4a4c

      SHA1

      4da09708043cf45dd4bfa1c17f58cd8a92ac81d5

      SHA256

      3089f2581baab4f000972459b6ccf0b0595805350246495a64b35a08934c8d68

      SHA512

      a9d4ac46786e8f2ff0dd543e1799172f8f86574de63df0182bbeaa2eb0cfa5dcb10032d53ad94fbac5539bdee4bfe7ffebd61bcae98b3a8423eb83a8f01408b2

      Download Submit

    • C:\Windows\SystemTemp\msedge_installer.log
      Filesize

      101KB

      MD5

      851886225b2649187d8a53457b2e5d29

      SHA1

      ec22a3dc43e6d32610969f260957d38e09dd9018

      SHA256

      c55239e0e5bfd9a8c02b970f694656e74ea803f7cc066d8b9ccf004875573cad

      SHA512

      08d2b1a67bc5473a3dd97b0ed6d6b2852bde4fda561338edac4bd603fbcfe0d7faa03fe59371c06d4cc0c62eb4d2469d1ebfffcdd18feafa5c3066dbb7700cff

      Download Submit

    • C:\Windows\SystemTemp\msedge_installer.log
      Filesize

      104KB

      MD5

      6f3184783f27ba921081b0cf3737c486

      SHA1

      9a37fb33316a67dcb8842704aeeb145ed532f335

      SHA256

      24242e2abb152fd915a715699f34befae98ddc2a37202641b5f4ad30f9706f22

      SHA512

      834b7a38aac25a8a61d550d4af5725d30b59d277847f7d76140109d5da5703ea2ccab4eff7e35a3b532414530efcf42134fed8fd3ac532bd3af84882d96e0bc0

      Download Submit

    • C:\Windows\SystemTemp\msedge_installer.log
      Filesize

      106KB

      MD5

      8a388c51440f4a26271e5a15e3e4d06e

      SHA1

      463102cd056fac67232c39f348732a8b2662e270

      SHA256

      9264a435cfddd7294e474c6a5cc39ae15813cbd63dca042927230bc6077364f8

      SHA512

      d0ece3cdee31b9cdf6f9be00e9610b490227e7a9ea3947b51df96a57b18158d97d0240bf4a642f44bd737a89ee47cf9c1b2333b751d9bb89c5d256121b043945

      Download Submit

    • C:\Windows\SystemTemp\msedge_installer.log
      Filesize

      113KB

      MD5

      dddae75d829c0c62e316f351f2075ed0

      SHA1

      8b9adaa4c9e6ffeec533976a0fbbac97b0f0b062

      SHA256

      b0853579716c43d55c34f84fc90ce68aed3a7c688b7b06cb442ae37a5d786eb9

      SHA512

      9480b93d094abe0bdb5d14adc36e362b903a5421f61447ebaafe0562ab9ab46e75bcee45a407df606a0c1ab6a979e3f01b2f0cd4643474c6d1962a883146fee0

      Download Submit