Analysis

  • max time kernel
    1036s
  • max time network
    443s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250210-en
  • resource tags

    arch:x64 arch:x86 image:win11-20250210-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    18-02-2025 07:59

General

  • Target

    Cryptic.zip

  • Size

    14.1MB

  • MD5

    830a611cd4ae32ba1fad3a1bd3114b89

  • SHA1

    373049160c86bef47ab4d5a024ce09eff311b48b

  • SHA256

    10627f29effe5b03d5ec51ac8ad6d23116d1dca62bc39cd8014163d57e0ad504

  • SHA512

    dad790a69134286fde7540f4dcd4a28b81bab2363e813f4aee5c7345879808e340e82733fb36b543ccfa75adf41c5fca275d8c16cf4aba6e6174f0c7d37b0eb5

  • SSDEEP

    393216:A/NNQWhVm54TCbEjMVyaV/UDiQFyrjY9G7LhmQ91:HWm5ZV8TFyrMaLhd

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 7 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Downloads MZ/PE file (2 IoCs)
  • Event Triggered Execution: Component Object Model Hijacking (1 TTP)

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE (12 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object (2 TTPs, 8 IoCs)

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (44 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings (1 TTP, 24 IoCs)
  • Modifies data under HKEY_USERS (2 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)
  • System policy modification (1 TTP, 4 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Cryptic.zip
    1⤵
      PID:4292
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjciIGluc3RhbGxkYXRldGltZT0iMTczOTE4NDA0OCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NTg2OTkzMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ4Njc5NDkxODUiLz48L2FwcD48L3JlcXVlc3Q-
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:1156
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{811F0C2F-765B-4752-83E5-6A7DBA89C6F1}\MicrosoftEdge_X64_133.0.3065.69.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{811F0C2F-765B-4752-83E5-6A7DBA89C6F1}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3980
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{811F0C2F-765B-4752-83E5-6A7DBA89C6F1}\EDGEMITMP_3C9E3.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{811F0C2F-765B-4752-83E5-6A7DBA89C6F1}\EDGEMITMP_3C9E3.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{811F0C2F-765B-4752-83E5-6A7DBA89C6F1}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Installs/modifies Browser Helper Object
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3408
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{811F0C2F-765B-4752-83E5-6A7DBA89C6F1}\EDGEMITMP_3C9E3.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{811F0C2F-765B-4752-83E5-6A7DBA89C6F1}\EDGEMITMP_3C9E3.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{811F0C2F-765B-4752-83E5-6A7DBA89C6F1}\EDGEMITMP_3C9E3.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff681a86a68,0x7ff681a86a74,0x7ff681a86a80
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:2516
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{811F0C2F-765B-4752-83E5-6A7DBA89C6F1}\EDGEMITMP_3C9E3.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{811F0C2F-765B-4752-83E5-6A7DBA89C6F1}\EDGEMITMP_3C9E3.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:3320
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{811F0C2F-765B-4752-83E5-6A7DBA89C6F1}\EDGEMITMP_3C9E3.tmp\setup.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{811F0C2F-765B-4752-83E5-6A7DBA89C6F1}\EDGEMITMP_3C9E3.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{811F0C2F-765B-4752-83E5-6A7DBA89C6F1}\EDGEMITMP_3C9E3.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff681a86a68,0x7ff681a86a74,0x7ff681a86a80
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:1540
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2512
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff769106a68,0x7ff769106a74,0x7ff769106a80
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2760
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:1432
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff769106a68,0x7ff769106a74,0x7ff769106a80
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2144
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:2020
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff769106a68,0x7ff769106a74,0x7ff769106a80
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:2808
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{21708BC3-41F6-4ECA-B827-D32B7C740D2F}\MicrosoftEdge_X64_133.0.3065.69_132.0.2957.140.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{21708BC3-41F6-4ECA-B827-D32B7C740D2F}\MicrosoftEdge_X64_133.0.3065.69_132.0.2957.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3496
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{21708BC3-41F6-4ECA-B827-D32B7C740D2F}\EDGEMITMP_CC09F.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{21708BC3-41F6-4ECA-B827-D32B7C740D2F}\EDGEMITMP_CC09F.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{21708BC3-41F6-4ECA-B827-D32B7C740D2F}\MicrosoftEdge_X64_133.0.3065.69_132.0.2957.140.exe" --previous-version="132.0.2957.140" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
        2⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4452
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{21708BC3-41F6-4ECA-B827-D32B7C740D2F}\EDGEMITMP_CC09F.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{21708BC3-41F6-4ECA-B827-D32B7C740D2F}\EDGEMITMP_CC09F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{21708BC3-41F6-4ECA-B827-D32B7C740D2F}\EDGEMITMP_CC09F.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6e6826a68,0x7ff6e6826a74,0x7ff6e6826a80
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:3872
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkQ3QzREMjUtMDJFQi00NkI2LUE3OUYtM0Y0QjU5MkVFNTlCfSIgdXNlcmlkPSJ7NERBMjE0NUItMTQyOS00ODZGLUFGMzMtRTU4NjZBRDE5ODlCfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins5NDdDMjgyRS00RTM1LTQ0NUMtODlBOC1GNERENkY1MUIyQzR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNyIgY29ob3J0PSJycmZAMC41MiI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSI4IiByZD0iNjYxNSIgcGluZ19mcmVzaG5lc3M9Ins0NzY3QTlEMi1BN0U1LTRGNkEtQUYxRi1FMTFGOTFCRjA4RkN9Ii8-PC9hcHA-[...]-[...]_[...]_UDE9MTc0MDQ3MTAxNiZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1udUM0WEpwJTJicFZCVkt3VE83Q1R0JTJmbjdFVHRUWDdRZEt5ZkVpdmNwdjFNaHhmOVFMSmM5cFlsN3k5cUFCMTh3S2p4RjVTcFdCRm01bjFLaFFOdXNwTnclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzg2MTEyODAiIHRvdGFsPSIxNzg2MTEyODAiIGRvd25sb2FkX3RpbWVfbXM9IjMyNjU4Ii8-[...]-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iMTMzLjAuMzA2NS42OSIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjciIGNvaG9ydD0icnJmQDAuNTMiIHVwZGF0ZV9jb3VudD0iMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDg4Mzg4NjgzNyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1OTAzNTk4MzQyIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-[...]_UDE9MTc0MDQ3MTAxNiZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1WRXZINUlaJTJmV2dGOFVjOTNxaXdJRGtTM3I0SWdZUnUlMmZFS3FLTXROdCUyYlFBbE0xa0ppb2x3UXBwOGxGZ1NQOEVKNWhJZUdHVXRyZ1NpVHNBdVFSNlZVdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjU4NDk5NjY0IiB0b3RhbD0iNTg0OTk2NjQiIGRvd25sb2FkX3RpbWVfbXM9IjUwOTQiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTk2MDAwMzkzMiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1OTY3NjYwNDMwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-[...]-
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:2740

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Installer\msedge_7z.data

      Filesize

      3KB

      MD5

      fdafd3d3a736e5c75d913779fcfd942c

      SHA1

      712989296d8bbb3990f000a16e1a9808fd2c3393

      SHA256

      97be491fb1b44a105e615cde0a08d3439e3ab5f311216cad0954366a3d1a71c6

      SHA512

      36317b8cc623aef13aaa00c51bc7906fd6e93a1c9836051ff7953ebddff1ed2e165b44165a402ae1fb62eb6877a0477966788eb4967b820d4d9049d3fc6d85a8

    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{21708BC3-41F6-4ECA-B827-D32B7C740D2F}\EDGEMITMP_CC09F.tmp\SETUP.EX_

      Filesize

      2.7MB

      MD5

      8b1abae1ce12dd175032f274dfbbea25

      SHA1

      b22d211f9819cd791b9cbfcfb13a1f4922ce3f1c

      SHA256

      121f1d31e93c40320699538153b201ffe9d47bb281c7841fac111da2f6fa44c0

      SHA512

      f1fd5fa18d687a629144b018db92327e50f0c8f6fdbb3c4a4bb46090b2bc0d367efd7bd3e85eeb41cbaf7a24c9bc943c755f87cb4f511b2ca3393d4a064c937f

    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{811F0C2F-765B-4752-83E5-6A7DBA89C6F1}\EDGEMITMP_3C9E3.tmp\setup.exe

      Filesize

      6.8MB

      MD5

      bdb1aecedc15fc82a63083452dad45c2

      SHA1

      a074fcd78665ff90ee3e50ffcccad5f6c3e7ddcb

      SHA256

      4ea0907c3fc2c2f6a4259002312671c82e008846d49957bb3b9915612e35b99f

      SHA512

      50909640c2957fc35dd5bcac3b51797aa5daa2fb95364e69df95d3577482e13f0c36a70ae098959cb9c2aaeb4cfe43025c1d8d55b5f8858b474bcb702609749d

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

      Filesize

      3.9MB

      MD5

      4aaa893417cccc147989f876c6a7b295

      SHA1

      b1e35c83518bb275924ead0cd6206bf0c982d30f

      SHA256

      2c38e3c3f18e2d3fb7f04336356b9b5186cabe06b3343beec318ef0def1a9eeb

      SHA512

      109e0c88977fae65a4950fc38393ca32a70d68ef41aeb75b28e6566e0fa626e32e31be38308e7ed5b6a8ba1f56fb5f2133a07aa8bb643224c3dbb089ce9cfd0e

    • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

      Filesize

      436KB

      MD5

      0475070db382ecc8cdc6e46034e3bc2b

      SHA1

      871106b115c4536b332e4542fd62980fb8064ebe

      SHA256

      4355fcc3713aa0b871c5f0a487d94f628be99928d99f7a283d99081a8f060e78

      SHA512

      1c4d3d0f7b0ad5f2eca6b96c272795a62d2a60ec5567f81bd63601d9311908266ba8bf3f943c345ac07033a5e99a89c0904a7316112d3fa99ec3ec17d5f6c0e9

    • C:\Windows\SystemTemp\msedge_installer.log

      Filesize

      74KB

      MD5

      3e34d2c2afd9782f9b91ee6b06739948

      SHA1

      acfb108276e986f7712155d350c4a08d67943de4

      SHA256

      2a190372836d7174eeb1b9158e41481b6dd212ebbd7e79b5c960f8b066c1dde5

      SHA512

      03c554e2fb9b0e4ae9df7824b429cbff4c206ccb81c0cc31187e66f13f3e4c9ec81858dbe155c9480e49da3aaa00bf36fbfee0e62d2a9138d2f435748127a27b

    • C:\Windows\SystemTemp\msedge_installer.log

      Filesize

      101KB

      MD5

      bed50d19a72eafe673ce4a415a2b3135

      SHA1

      5d408f23d5931a98b3a2064b56f86460269a53c0

      SHA256

      948484288712977633b2ef8d65dfa3fecf8a4a98e4057360c7ee55a2fbed5b93

      SHA512

      f5f356d9fa2c1e1711849fa7e564a667c273cde0c0f19716d86cc1f765c5cc973e5a74f45a1d05d0577d432870a24d2d6a0fb0c0fe9ab3889727a303d078c0bf

    • C:\Windows\SystemTemp\msedge_installer.log

      Filesize

      104KB

      MD5

      f2f4334c6b26e569794651b0fd09df7f

      SHA1

      a31e7c9dbbb915c530802ef7f5424f6f7ae5a348

      SHA256

      1b155bf1a293daa29be56562d033341d1df6d9904348ca1a2433112c4228c99d

      SHA512

      73912407f15ae0aa249d9aec40ab0aaad331f853b25797825e32440ba6ab3c98580e36d1402f716562e556f6df8aa47bc1244513f4986dded2cbe60bef47b3f7

    • C:\Windows\SystemTemp\msedge_installer.log

      Filesize

      106KB

      MD5

      d0fad505731659cf721e5a84452c8878

      SHA1

      c6c9822f92072811993782da5eb96b31fb8ea321

      SHA256

      47c85f47a24c7c4d835f3baf7015ad7eca53495ca46343887f12237587a77eb3

      SHA512

      8cba87585dd998c45c4b1f278906f82b48d27554d673aa31b1a81d23b224d3f939e74244f0fd1c9e177125c4de1a571b04091608f18d448a0508ff12ca6f038e

    • C:\Windows\SystemTemp\msedge_installer.log

      Filesize

      110KB

      MD5

      660dc670da70147b261f3fcdbbdd4d23

      SHA1

      7c02a3a8e2a61031aed6c88e9b99f00f991b8ffe

      SHA256

      f496cbca38e33c6e02231d33a9026e9877b013fdfe0bb758f174726b165e26f3

      SHA512

      3e8390d79ede0e2e62954ecf450ca66343a8729c46b015cf25e2cc8ffd6b9eb01beb99e586bcc06274325b536d2515853c21b9f5990d95db3052a3e2103adc66